System seems clean but it's still acting up, so PLEASE HELP. :)

Discussion in 'adware, spyware & hijack cleaning' started by tempnexus, May 13, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    So I've scanned the system with TDS-3 and KAV with Xbases (all in safe mode). The system had a bunch of trojans etc. Then I've scanned it with Spysweeper and it removed quite a few spyware. BUT if I try to run the TDS-3 scan in normal Windows, TDS-3 gives me an error and shuts down after about 2 min. Subsequent scans in safe mode reveal nothing. Also AOL dies once in a while...also gives an incorrect state or something like that and quits. The Windows search assistant is borked after I've removed a few spyware from this system...so how to get the search assistant back on? Finally could you please check the HijackThis log in order to make sure that there is nothing new.

    StartupList report, 5/13/2004, 9:53:32 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Annlise Calypso\Local Settings\Temporary Internet Files\Content.IE5\K6SWY0YD\HijackThis[1].EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\America Online 9.0c\aoltray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Documents and Settings\Annlise Calypso\Local Settings\Temporary Internet Files\Content.IE5\K6SWY0YD\HijackThis[1].exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0c\aoltray.exe
    AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    Verizon Support Center.lnk = C:\Program Files\Support Center\bin\matcli.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Dell|Alert = C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"
    Ink Monitor = C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    DadApp = C:\Program Files\Dell\AccessDirect\dadapp.exe
    Apoint = C:\Program Files\Apoint\Apoint.exe
    type32 = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    WinTools = C:\Program Files\Common files\WinTools\WToolsA.exe
    Realtime Monitor = C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    nwiz = nwiz.exe /installquiet

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll - {87766247-311C-43B4-8499-3D5FEC94A183}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Disk Cleanup.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/...ash/swflash.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cnxtdiag: System32\DRIVERS\cnxtdiag.sys (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Diskeeper: C:\Program Files\Executive Software\Diskeeper\DkService.exe (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Fallback: System32\DRIVERS\fallback.sys (autostart)
    Fsks: System32\DRIVERS\fsksnt.sys (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    eTrust Antivirus RPC Server: "C:\Program Files\CA\eTrust Antivirus\InoRpc.exe" (autostart)
    eTrust Antivirus Realtime Server: "C:\Program Files\CA\eTrust Antivirus\InoRT.exe" (autostart)
    eTrust Antivirus Job Server: "C:\Program Files\CA\eTrust Antivirus\InoTask.exe" (autostart)
    INO_FLTR: \??\C:\WINDOWS\System32\Drivers\ino_fltr.sys (autostart)
    K56: System32\DRIVERS\k56nt.sys (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SoftFax: System32\DRIVERS\faxnt.sys (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Tones: System32\DRIVERS\tonesnt.sys (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    V124: System32\DRIVERS\v124nt.sys (autostart)
    Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    WinPPPoverEthernet: C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE (autostart)
    Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 11,789 bytes
    Report generated in 0.180 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    tempnexus,

    You have posted a Startup List, and we need a HijackThis log. You are also running Hijackthis from IE's Temporary Internet Files folders. Please create a new, permanent folder for HijackThis on your C drive and move the HijackThis.exe file into the new folder.

    Then open HijackThis.exe and run it by clicking on the Scan button. When the scan has finished, the "Scan" button will then change to a Save Log button. Press the "Save Log" button and save it to a location where you can easily find it. Open the saved log and copy and paste its contents here in your next post.

    Regards,

    snap
     
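As an added example (not part of either post, and not code from HijackThis, StartupList or any of the scanners named in the thread), here is a small Python script that parses a StartupList report like the one posted above and surfaces the structural oddities snapdragin's reply points at: a program running out of the browser's Temporary Internet Files folder, autorun entries that give no full path to the binary, and Browser Helper Objects registered with no name. The embedded report is a trimmed excerpt of the log above; the three heuristics are my own assumptions for illustration, not rules taken from either tool, and every hit is something for a human to verify rather than a verdict.

```python
"""Parse a StartupList-style report and list entries worth a second look.

Heuristics (assumptions for illustration, not rules from StartupList/HijackThis):
  1. a running process whose path is under a temp or browser-cache folder
  2. an autorun value that names a binary without a full path
  3. a Browser Helper Object registered with "(no name)"
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (section, entry, reason)

# Trimmed excerpt of the report posted above (constructed sample input).
SAMPLE_REPORT = r"""
Running processes:

C:\WINDOWS\System32\smss.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Documents and Settings\Annlise Calypso\Local Settings\Temporary Internet Files\Content.IE5\K6SWY0YD\HijackThis[1].exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Dell|Alert = C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
nwiz = nwiz.exe /installquiet

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll - {87766247-311C-43B4-8499-3D5FEC94A183}
"""

SEPARATOR = re.compile(r"^-{10,}$")
TEMP_MARKERS = ("\\temporary internet files\\", "\\temp\\", "\\tmp\\")
# Drive letter, %SystemRoot%/%ProgramFiles%, or an NT \??\ device path count as "full path".
ABSOLUTE_PATH = re.compile(r"^[a-z]:\\|^%systemroot%|^%programfiles%|^\\\?\?\\", re.IGNORECASE)


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Split the report into {section title: [non-empty lines]}.

    A line ending in ':' opens a section; a dashed rule closes it. Sections
    that recur (e.g. HKLM and HKCU 'Autorun entries from Registry') are merged.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SEPARATOR.match(line):
            current = None
            continue
        if current is None:
            if line.endswith(":"):
                current = line[:-1]
                sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def executable_from_value(value: str) -> str:
    """Pull the launched program out of an autorun value such as '"C:\\x\\y.exe" /s'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted values: Program Files paths contain spaces, so only cut at a
    # switch marker (' /' or ' -'), e.g. 'realmon.exe -s'.
    for marker in (" /", " -"):
        idx = value.find(marker)
        if idx > 0:
            value = value[:idx]
    return value


def review(report: str) -> List[Finding]:
    """Apply the three heuristics and return the entries to check by hand."""
    findings: List[Finding] = []
    sections = parse_sections(report)

    for path in sections.get("Running processes", []):
        if any(m in path.lower() for m in TEMP_MARKERS):
            findings.append(("Running processes", path,
                             "executable running from a temp/browser-cache folder"))

    for line in sections.get("Autorun entries from Registry", []):
        if " = " not in line:
            continue  # the hive/key header line, not an entry
        name, value = line.split(" = ", 1)
        exe = executable_from_value(value)
        if not ABSOLUTE_PATH.match(exe):
            findings.append(("Autorun entries from Registry", name,
                             "no full path given; binary is resolved via the search path"))
        elif any(m in exe.lower() for m in TEMP_MARKERS):
            findings.append(("Autorun entries from Registry", name,
                             "autorun target lives in a temp/browser-cache folder"))

    for line in sections.get("Enumerating Browser Helper Objects", []):
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) >= 3 and parts[0] == "(no name)":
            findings.append(("Enumerating Browser Helper Objects", parts[1],
                             "BHO registered without a name; confirm the DLL's owner and CLSID"))
    return findings


if __name__ == "__main__":
    for section, entry, reason in review(SAMPLE_REPORT):
        print(f"[{section}] {entry}\n    -> {reason}")
```

On the excerpt this surfaces four items: HijackThis itself running from the Content.IE5 cache (exactly what snapdragin objects to), the `nwiz` autorun with no path, and both nameless BHOs, including Spybot's own SDHelper.dll. That last hit is deliberate: the script only narrows what a reviewer has to look at, and deciding that a hit is benign is still the reviewer's job.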
  3. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Darn it. :(

    Oh well, it wasn't my system. I've cleaned it up as much as I could and I let it go, telling the customer that I am not 100% certain about it being completely clean. He pressured me to give it back since he said he only had 3 hours. I told him that I charge per clean and not per hour. But he insisted, telling me that he has to give a presentation. Oh well. If I ever get the system back I will post a correct log.

    Sorry. :(

    I've installed CA 7 Promotion with InoculateIT and VAT, both in reviewer mode, with VAT being on-demand and InoculateIT as real-time (VAT scheduled scan twice a week). Hopefully this will help him since his Norton was hosed by the trojans, and even then he only had a 90-day trial from Dell.
     