MagicControl.Agent help needed please

[Keith perplexed]

I've run Spybot S&D many times and fixed the MagicControl.Agent registry entry. But it keeps coming back.
I've tried Microsoft Windows Defender and ad-aware but still I get popups all over the place. Nothing seems to work - so If you can help I would be much obliged.
Thanks
Here's my log...............

Logfile of HijackThis v1.99.1
Scan saved at 08:43:07, on 16/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.tdlondon.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.tdlondon.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {39EA2F6F-3F50-4F58-9C63-4B3D53B0926E} - http://scripts.downloadv3.com/binari...1049_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O18 - Protocol: smscrd - {FA3F5003-93D4-11D2-8E48-00A0C98BD8C3} - c:\smsadmin\bin\i386\sms_mcrd.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd. - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd. - c:\centenn.ial\audit\xferwan.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe

[sUBs]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * *


Let's do this first..




Download and unzip - bfu.zip
Run the program and click the Web button located on the top right corner

Copy/Paste this url into the address bar of the Download script window:

http://metallica.geekstogo.com/EGDACCESS.bfu


Checkmark the following boxes:

• Use settings specified in script for the above option
• Show log after script ends

Execute the script by clicking the Execute button.

When it finishes running, click the Save button for a copy of the log
Post the log created by the script when you have completed the rest of the fix


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite

• When installing, under "Additional Options",
  • uncheck - Install background guard
• Have Ewido update itself & then exit the program.

If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O16 - DPF: {39EA2F6F-3F50-4F58-9C63-4B3D53B0926E} - http://scripts.downloadv3.com/binari...1049_EN_XP.cab


* * * * * * USING HIJACKTHIS' DELETE ON REBOOT * * * * * *


Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...

1. In the popup box that appears, copy/paste in:
   • C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
2. Click the Open button.
3. Click YES when prompted to restart your computer.

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Have SpyBot Search & Destroy do a full system scan & allow it to fix all that if finds


* * * * * *


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• .Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:

• HiJackThis log
• BFU's log
• Online Scan
• Ewido

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[Keith perplexed]

Here is the new hijack this log...
Logfile of HijackThis v1.99.1
Scan saved at 18:02:01, on 16/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.tdlondon.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.tdlondon.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O18 - Protocol: smscrd - {FA3F5003-93D4-11D2-8E48-00A0C98BD8C3} - c:\smsadmin\bin\i386\sms_mcrd.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd. - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd. - c:\centenn.ial\audit\xferwan.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe


The bfu log is here.......

BFU v1.00.9
Windows 2000 SP4 (WinNT 5.00.2195 SP4)
Script started at 16:31:56, on 16/02/2006

Failed: DllUnregister C:\WINNT\system32\MSWBM32.DLL|1 (file not found)
Failed: FileDelete C:\WINNT\system32\msclock32.dll (operation failed)
Failed: FileDelete C:\WINNT\system32\msplock32.dll (operation failed)
Failed: FolderDelete C:\Program Files\dialpass (folder not found)
Failed: FolderDelete C:\Program Files\eghtmldialer (folder not found)
Failed: FolderDelete C:\Program Files\egroup (folder not found)
Failed: FolderDelete C:\Program Files\Instant Access (folder not found)
Failed: FileDelete C:\DOCUME~1\keith\LOCALS~1\Temp\~DF52C2.tmp (operation failed)
Failed: FileDelete C:\WINNT\Temp\ZLT03b87.TMP (operation failed)
Script completed.

online scan...........

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, February 16, 2006 8:15:15 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 16/02/2006
Kaspersky Anti-Virus database records: 177078
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 31691
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:48:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\keith\Local Settings\Temp\ICD1.tmp\UWAS6_0001_N68M2301NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\Documents and Settings\keith\Local Settings\Temporary Internet Files\Content.IE5\DU7UFVCY\WinAntiSpyware2006FreeInstall[1].cab/UWAS6_0001_N68M2301NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\Documents and Settings\keith\Local Settings\Temporary Internet Files\Content.IE5\DU7UFVCY\WinAntiSpyware2006FreeInstall[1].cab CAB: infected - 1 skipped
C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped

Scan process completed.


Ewido is here.............

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 17:41:15, 16/02/2006
+ Report-Checksum: EBA8878E

+ Scan result:

C:\Program Files\WebEx\ieatgpc.tmp/ieatgpc.dll -> Adware.WebEx : Cleaned with backup
C:\Program Files\WebEx\ieatgpc.dll -> Adware.WebEx : Cleaned with backup
C:\WINNT\Downloaded Program Files\btwebcontrol.dll -> Dialer.BT.f : Cleaned with backup
C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
C:\WINNT\SYSTEM32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup
C:\WINNT\SYSTEM32\msplock32.dll -> Adware.NaviPromo : Cleaned with backup
C:\WINNT\p2esocks_1049.dll -> Trojan.P2E.cl : Cleaned with backup


::Report End


I hope you can help me with this lot - the popups are maddening!
Many thanks for your time.
Keith

[sUBs]

Download and run Blacklight

After you start the program and accept the license, you should see the first step (Figure 1), which lets you scan for hidden items. Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log

[Keith perplexed]

Blacklight log attached - thankyou!

02/16/06 21:08:28 [Info]: BlackLight Engine 1.0.30 initialized
02/16/06 21:08:28 [Info]: OS: 5.0 build 2195 (Service Pack 4)
02/16/06 21:08:28 [Note]: 7019 4
02/16/06 21:08:28 [Note]: 7005 0
02/16/06 21:08:32 [Note]: 7006 0
02/16/06 21:08:32 [Note]: 7011 1124
02/16/06 21:08:33 [Note]: 7018 1424
02/16/06 21:08:33 [Info]: Hidden process: C:\winnt\system32\rncbae.exe
02/16/06 21:08:33 [Note]: FSRAW library version 1.7.1014
02/16/06 21:08:40 [Info]: Hidden file: C:\WINNT\SYSTEM32\MSCLOC~1.DLL
02/16/06 21:08:41 [Info]: Hidden file: C:\winnt\system32\rncbae.exe
02/16/06 21:08:42 [Info]: Hidden file: C:\WINNT\SYSTEM32\RNCBAE.DAT
02/16/06 21:08:43 [Info]: Hidden file: C:\WINNT\SYSTEM32\RNCBAE~1.DAT
02/16/06 21:08:44 [Info]: Hidden file: C:\WINNT\SYSTEM32\RNCBAE~4.DAT
02/16/06 21:08:48 [Note]: 7007 0

[sUBs]

Do another Blacklight scan.
For hidden entries found, choose for Blacklight to rename all of them

The tool will ask if you want to reboot (restart) choose yes.
After you have rebooted post back with a fresh hijackthis log

[Keith perplexed]

Logfile of HijackThis v1.99.1
Scan saved at 21:23:29, on 16/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/2Q00CPT/0809/bF8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.tdlondon.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [rncbae] c:\winnt\system32\rncbae.exe rncbae
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.tdlondon.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O18 - Protocol: smscrd - {FA3F5003-93D4-11D2-8E48-00A0C98BD8C3} - c:\smsadmin\bin\i386\sms_mcrd.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd. - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd. - c:\centenn.ial\audit\xferwan.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe

[sUBs]

Download & launch KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Select the following option - delete on Reboot
Use your mouse to select all the filenames listed below & then right-click & select Copy

• C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.



After rebooting, have Hijackthis fix these:

O4 - HKLM\..\Run: [rncbae] c:\winnt\system32\rncbae.exe rncbae
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "C:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag


Then locate these files:

C:\winnt\system32\rncbae.exe.ren
C:\WINNT\SYSTEM32\RNCBAE.DAT.ren
C:\WINNT\SYSTEM32\RNCBAE~1.DAT.ren
C:\WINNT\SYSTEM32\RNCBAE~4.DAT.ren

Zipped/archieved them up & place the file as an attachment in your next post. I would also require a fresh HJT log. Let me know if the pop-ups have abated.

[Keith perplexed]

New HJT log......... Pop ups have stopped - zip of files attached (I hope!)


many thanks
Keith


Logfile of HijackThis v1.99.1
Scan saved at 21:48:42, on 16/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/2Q00CPT/0809/bF8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.tdlondon.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.tdlondon.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CORP.TDSECURITIES.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.tdsecurities.com,cibg.tdbank.ca,tdbank.ca
O18 - Protocol: smscrd - {FA3F5003-93D4-11D2-8E48-00A0C98BD8C3} - c:\smsadmin\bin\i386\sms_mcrd.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd. - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd. - c:\centenn.ial\audit\xferwan.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe

[sUBs]

Please delete these files...

C:\winnt\system32\rncbae.exe.ren
C:\WINNT\SYSTEM32\RNCBAE.DAT.ren
C:\WINNT\SYSTEM32\RNCBAE~1.DAT.ren
C:\WINNT\SYSTEM32\RNCBAE~4.DAT.ren


Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
6. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
    
    
    
11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please come back in 1-2 days to respond to this thread one more time so we can mark this thread as resolved.

[Keith perplexed]

All still working perfectly after a couple of days! - many thanks for your help.