Topic: hijacked by Coolwwwsearch & EffectiveBandToolbar

Offline gazoomba

hijacked by Coolwwwsearch & EffectiveBandToolbar
« on: April 02, 2005, 08:44:48 AM »
I hope someone can help.  I've had this error for a few days and have done my best to clear the errors which keep coming back.
I've used my updated versions of Ad-Aware SE personal, Spybot Search and Destroy as well as eTrust Antivirus and they sometimes identify the problem but do not delete or fix it.

My Desktop has a red screen with a link to Smart Security or Slimshield, IE is disabled, my right click button has been disabled and it occasionally disables Outlook Express.

I have loaded Firefox so have access to the net, plus I have a second stand-alone laptop that is not infected to browse the net and follow instructions etc. while the other PC is not working.

I have read a few postings and have also loaded and used the following programs:

- CWShredder
- HiJack this
- Registrar light
- Spysubtract
- Cleanup312

I have not been able to successfully use these programs to delete the problems.

Here is my logfile:

Logfile of HijackThis v1.99.0
Scan saved at 11:32:15 PM, on 2/04/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Cvi.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MKemper\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\MKemper\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MKemper\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Boc] C:\WINDOWS\System32\Cvi.exe
O4 - HKLM\..\Run: [Sar] C:\WINDOWS\System32\Uab.exe
O4 - HKLM\..\Run: [Jtl] C:\WINDOWS\Vrg.exe
O4 - HKLM\..\Run: [Ufd] C:\WINDOWS\System32\Ois.exe
O4 - HKLM\..\Run: [Ljc] C:\WINDOWS\Rof.exe
O4 - HKLM\..\Run: [Bdr] C:\WINDOWS\Ouk.exe
O4 - HKLM\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKLM\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKLM\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKLM\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKLM\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKCU\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKCU\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKCU\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKCU\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKCU\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

I have deleted a lot of the nasty files like the R and F sections and some of the others, but they keep re-appearing.

Can you help me?  This has been driving me nuts!
Gazoomba

Offline guestolo

« Reply #1 on: April 02, 2005, 05:49:46 PM »
Can you update your version of Hijackthis please and post a fresh log?
Also, ensure you save Hijackthis to a permanent folder.

Please Read This

Could you also, along with a fresh Hijackthis log

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat

Code:
@echo off
rem Export the current user's Policies key to a temporary .reg file
regedit /e C:\temp.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
rem Append the export to a text file and open it in Notepad so it can be copied
more C:\temp.reg >> C:\Display.txt
notepad C:\Display.txt
rem Remove the temporary files once Notepad has been closed
del /q c:\temp.reg
del /q C:\Display.txt

Double click Export.bat and copy and paste back the findings

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Chelsea

  • Guest
hijacked by Coolwwwsearch & EffectiveBandToolbar
« Reply #2 on: April 02, 2005, 06:31:37 PM »
Log Removed>>Why did you try the Directions I posted to another user?
Please, Read This

~guestolo~
« Last Edit: April 02, 2005, 06:34:45 PM by guestolo »

Offline gazoomba

« Reply #3 on: April 04, 2005, 05:12:11 AM »
Dear Guestolo,
Thanks for your reply and guidance.  Here is my response to your requests.

1. A fresh Hijackthis Log (using the latest version of HJT)

Logfile of HijackThis v1.99.1
Scan saved at 7:44:43 PM, on 4/04/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Uab.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MKemper\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Boc] C:\WINDOWS\System32\Cvi.exe
O4 - HKLM\..\Run: [Sar] C:\WINDOWS\System32\Uab.exe
O4 - HKLM\..\Run: [Jtl] C:\WINDOWS\Vrg.exe
O4 - HKLM\..\Run: [Ufd] C:\WINDOWS\System32\Ois.exe
O4 - HKLM\..\Run: [Ljc] C:\WINDOWS\Rof.exe
O4 - HKLM\..\Run: [Bdr] C:\WINDOWS\Ouk.exe
O4 - HKLM\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKLM\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKLM\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKLM\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKLM\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKLM\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKLM\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKLM\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKLM\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKLM\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKLM\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKLM\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKLM\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKLM\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKLM\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe
O4 - HKCU\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKCU\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKCU\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKCU\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKCU\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKCU\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKCU\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKCU\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKCU\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKCU\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKCU\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKCU\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKCU\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKCU\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKCU\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

2. The Findings from the Export.bat enquiry:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"

Hopefully, this will provide the information you need.
Regards,
Gazoomba :huh:

Offline guestolo

« Reply #4 on: April 04, 2005, 09:41:43 PM »
Hi again Gazoomba

There is a registry fix circulating that is helping with this problem

Can you first create a new Restore point
Go to START>>All programs>>Accessories>>System Tools>>System Restore
Create a new restore point
Name it and click Create

After you have done that

Download and UNZIP to a folder
Fixdesktop.zip
So you now have fixdesktop.reg in the same folder
Fixdesktop.zip
We'll need this later

==Also ===Download and UNZIP to a folder
HSFIX.zip
HSFix directory will be created
We'll need this later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MKemper\LOCALS~1\Temp\keep.exe

All the next ones I ask you to remove with Hijackthis, can you also find the files in their respective folders and delete them if found

O4 - HKLM\..\Run: [Boc] C:\WINDOWS\System32\Cvi.exe <-delete this file
O4 - HKLM\..\Run: [Sar] C:\WINDOWS\System32\Uab.exe
O4 - HKLM\..\Run: [Jtl] C:\WINDOWS\Vrg.exe
O4 - HKLM\..\Run: [Ufd] C:\WINDOWS\System32\Ois.exe
O4 - HKLM\..\Run: [Ljc] C:\WINDOWS\Rof.exe
O4 - HKLM\..\Run: [Bdr] C:\WINDOWS\Ouk.exe
O4 - HKLM\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKLM\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKLM\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKLM\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKLM\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKLM\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKLM\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKLM\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKLM\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKLM\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKLM\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKLM\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKLM\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKLM\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKLM\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe
O4 - HKCU\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe

O4 - HKCU\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe

O4 - HKCU\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKCU\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKCU\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKCU\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKCU\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKCU\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKCU\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKCU\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKCU\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKCU\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKCU\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKCU\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKCU\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKCU\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKCU\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe

O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

EDIT>>Also look for these files and delete if found
C:\WINDOWS\desktop.html <-file
C:\WINDOWS\Web\desktop.html <-file

Run Windows CleanUp!
After it's finished cleaning files
Don't restart or log off yet

Instead
Double click on Fixdesktop.reg and allow to merge to the registry

===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this, and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later

Restart back to Normal Mode

If you can, access your Display properties options in your Control panel
Go to Desktop tab>>Customize Desktop >>> Web tab>> and ensure to uncheck everything
Log off and back on again from Windows if you needed to uncheck anything

Post back a fresh Hijackthis log and the log from HSFix.bat>>C:\hslog.txt
« Last Edit: April 05, 2005, 12:52:06 AM by guestolo »



Offline gazoomba

« Reply #5 on: April 05, 2005, 06:15:18 AM »
Dear Guestolo,
You are a miracle worker.  I have control of my desktop, right click button, Web Browser (IE) and access again to my computer.  What a relief!

Logfile of HijackThis v1.99.1
Scan saved at 8:07:52 PM, on 5/04/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

Here is the other log:

Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
WINLOW
[SC] DeleteService SUCCESS
vdmt16
[SC] DeleteService SUCCESS
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
vdmt16.sys
winlow.sys
drct16.dll
mszx23.exe
cz.dll
w32tm.exe
-
4. Deleting files that were found.
-
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-

What are your thoughts?  Things seem to be OK now.
Regards,
Gazoomba

Offline guestolo

« Reply #6 on: April 05, 2005, 09:14:39 AM »
Gazoomba, the registry fix I asked you to try
Was it called fixdesktop.reg??
Are all your shortcut icons on the desktop back to normal?

I'm just checking something out

Could you one more time
With windows set to show hidden files and folders

Reboot back to safe mode

Run HSFix.bat again >> It still has some cleaning to do

Return to Normal mode and post a fresh Hijackthis log and the log from Hsfix.bat

Also let me know about fixdesktop.reg, thanks



Offline gazoomba

« Reply #7 on: April 06, 2005, 06:26:21 AM »
Dear Guestolo,
Here are your answers:

The Registry Fix you asked me to try was Fixdesktop Registry Editor.  You sent it as a zip file named fixdesktop.zip

All the shortcut items on my previous desktop are back to normal.  I had a JPEG saved as the desktop and this was not there but I have just used a generic Microsoft desktop until the system is clear again.

HSFix Log is below:
 
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
ps.a3d
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-


Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:08 PM, on 6/04/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
C:\HJT\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

Also, I seem to have an error loading IE and even Mozilla Firefox after running HijackThis?  I lose connection to the Internet.  The first time I ran HijackThis after the main deletion of the O4 autoloading programs etc., I had troubles seeing my C drive and my virus protection said something about a Haxdoor virus.  That was the last time I saw that error.  Not sure if this has anything to do with your analysis.  After running Spybot Search and Destroy I get no errors after the scan, but IE works fine again after a reboot?

Cheers,
Gazoomba

Offline guestolo

« Reply #8 on: April 06, 2005, 07:56:05 PM »
Everything looks fine now

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

I'm curious about this entry in your log
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe

You look like you're in dire need of Windows Updates, you're way behind
Were you in the process of installing them but stopped?
Is that what it's related to?
If your version of Windows is legit
I would go and Install all Latest critical updates and Service packs
Don't get the recommended unless you prefer them

Restart your computer when prompted, keep revisiting Windows Updates until you have all Critical updates and Service Packs installed
If you decide to update to Service pack 2, give it time to install, even if it appears to Hesitate at times
« Last Edit: April 06, 2005, 07:58:21 PM by guestolo »



Offline gazoomba

« Reply #9 on: April 06, 2005, 08:47:40 PM »
Dear Guestolo,
Everything is running better now.
I recently updated from Windows 2000 to XP and rebuilt my computer from scratch.  Not sure if the entry you mention has something to do with this.
I was way behind on the Windows Updates and have since updated and included SP2.  I am now current.
I will also follow your other instructions and load the other protection programs.  I am on the home stretch now.
You have been a great help and I am pleased that I have found this website.  It's definitely on my favorites now.
How does it make money?  I would like to support it with a donation for your efforts and assistance.
Regards,
Gazoomba

Offline guestolo

« Reply #10 on: April 06, 2005, 10:39:42 PM »
Hi again gazoomba
Donations at this time would be incredibly appreciated as our site Admin is making his way to help the CSI Roatan orphanage
All donations at this time will go to help the cause

Please read more below my signature and follow the link if you would like to help out
Thank you
