I have picked up some virus or spyware which spyware, adaware and cw shredder can do nothing about. Norton Antivirus no longer detects any viruses on my system. I believe the virus is either open32.exe and/or mszx23.exe. I need help with removal. Note there are specific questions at the end of this posting.

Currently I am running norton internet security and the firewall is on blocking everything unless I give it permission. This alerted me to the open32.exe file which I thought I deleted from my machine but according to the hijack-this-log is still there. I am running the beta version of microsoft antispyware and it is blocking mszx32.exe from installing a start up value:

secboot:C:\Windows\system32\mszx.32.exe to my start up registry at this location:

HKEY_Local_Machine\software\microsoft\windows\CurrentVersion\Run

I found some instructions for removing this at castlecops.com and http://forums.maddoktor2.com

They both give differnt methods but the one at http://forums.maddoktor2.com appears to be more complete I have posted the removal instructions below.

Instructions :

1 remove the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16

2 rebot the pc from the windows xp install cd into "repair mode". Rebooting into failsafe mode will still keep files open and you will be unable to move files into quarantine.

3 With DOS like command interpreter change directory to windows system folder
(CD C:\WINDOWS\SYSTEM32)

4 create a directory called quarantine (MD quarantine)

5 Copy files mszx.exe, drct16.dll, p2.ini, klo5.sys, vdnt32.sys, klogini.dll, i.a3d, fltr.a3d, redir.a3d to the quarantine directory (Copy <filename> quarantine)

6 Delete the above mentioned files from the SYSTEM32 folder (DEL <filename>)

7 eject the windows cd-rom type exite and pres enter to boot from hard disk.l

system should now be clean.

Hijack this log

Logfile of HijackThis v1.98.2
Scan saved at 10:56:18 PM, on 2/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\NORTON~1\Cfgwiz.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\PROGRA~1\NORTON~1\Navapw32.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack-this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WIN Tools - {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} - C:\WINDOWS\DOWNLO~1\tgtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: WIN Tools - {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} - C:\WINDOWS\DOWNLO~1\tgtb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: outlook express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} (WIN Tools) - http://www.searchfore.com/ThanksGiving_Greeting/tgtb.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tosinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tosinc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tosinc.com



Questions:
1 What is Windows "repair mode" how is it different from "Safe mode"?
2 What commands will I need to complete the directions or are they listed correctly within parenthesis?
3 What do I need to do to rid my machine of open32.exe?

Hi willersd

Welcome to geekstogo

Please set your system to show all files; see here for how to do this if you're unsure.

Copy and paste this document and save it to your desktop. Or if you have a printer you can print these instructions.

<color=red>Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items.</color>

O2 - BHO: WIN Tools - {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} - C:\WINDOWS\DOWNLO~1\tgtb.dll
O3 - Toolbar: WIN Tools - {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} - C:\WINDOWS\DOWNLO~1\tgtb.dll
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\DOWNLO~1\tgtb.dll<--Delete this file
open32.exe<<--Delete this file.

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

Kc

I did what you asked and also performed the following from techsupportforum.com search under fixhx.reg and click on Alliana then scroll all the way to the end. Note this thread also has a down load of the fixhx.reg file in it.

procedures from techsupportforum.com:
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Now..disconnect this PC from the internet (unplug the modem..ect) as it MUST have no internet access.

Run the cleanup utility and reboot/logoff when prompted. On the reboot...boot directly to safe mode. Once in safe mode Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

**Note** You may not have all these files..but try each one to make sure!

C:\WINDOWS\system32\Tibs3.exe
C:\WINDOWS\system32\drct16.dll
C:\WINDOWS\system32\vdmt16.sys
C:\WINDOWS\system32\winlow.sys
C:\WINDOWS\system32\WaiZ.
C:\WINDOWS\system32\w32tm.exe
C:\WINDOWS\System32\mszx23.exe
C:\WINDOWS\webx1.exe
C:\WINDOWS\System32\sharamon.dll

On the reboot choose SAFE mode

Double click on the fixhx.reg we made earlier and merge it to the registry. Choose YES when it asks to merge.

Run Killbox again and clear the temp files
- choose Tools > Delete Temp Files and click OK.

Open Windows Explorer and navigate to the C:\Windows\System32 folder
You will likely want the details view and to sort the files by DATE (Arrange icons --> modified)

Have a look for the following files (which should all be about the same date)
Some of them may not be present and there may be some which I haven't listed.

C:\WINDOWS\system32\mszx23.exe
C:\WINDOWS\system32\Tibs3.exe
C:\WINDOWS\system32\w32tm.exe
C:\WINDOWS\system32\drct16.dll
C:\WINDOWS\system32\cz.dll
C:\WINDOWS\system32\vdmt16.sys
C:\WINDOWS\system32\hz.dll
C:\WINDOWS\system32\winlow.sys
C:\WINDOWS\system32\wz.dll
C:\WINDOWS\system32\p2.ini
C:\WINDOWS\system32\es.
C:\WINDOWS\system32\WaiZ.
C:\WINDOWS\system32\z.
C:\WINDOWS\system32\—I0˘+opes.
C:\WINDOWS\system32\slowIsys.
C:\WINDOWS\system32\zININEwz.
C:\WINDOWS\system32\2Ioso.
C:\WINDOWS\system32\3d.
C:\WINDOWS\system32\|msz.

If you find these files delete them. Use KILLBOX again if need be in the same method as before.

There is several registry entrys you will have to check. You should manually check your registry for such items as using the link at symantec as a guide...
http://securityresponse.symantec.co....haxdoor.d.html

Once your finished reconnect your PC to the internet and reboot. Once rebooted run the fixhx.reg again and then run cleanup utility. Don't forget to update your antivirus. Post another hijackthis log when finished and let me know the outcome.


After doing what you asked and the above the following is my hijack this file (note if you want to see my HJT file after only doing what you asked I have that and can post it later):

ogfile of HijackThis v1.98.2
Scan saved at 12:01:08 AM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\NORTON~1\Cfgwiz.exe
C:\PROGRA~1\NORTON~1\Navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\hijack-this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: outlook express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} - http://www.searchfore.com/ThanksGiving_Greeting/tgtb.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tosinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tosinc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tosinc.com

At this point when I restarted the computer microsoft antispyware did not tell me that mszx.exe was trying to install crap into my start up directory. am I cured yet?

thanks

Dave

Hi willersd

Please run the following free, online virus scans: Please post the logs From both virus scans we will need them to remove previous infections that have left files on your system.
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/co...n_principal.htm

Kc

ok I will run the scans. Just curious. I run Norton antivirus. Why isn't it catching this stuff? Also do you recommend any commercial antispyware? I was thinking of buying Aluria's spyware eliminator based on the reviews. I currently have adaware SE with the fix and spybot search and destroy and the beta version of microsofts antispyware. Or maybe I should get an additional virus checker?

Thanks

Dave

here is the scan from trend micro housecall:

Virus Scan 2 viruses detected


Results:
We have detected 2 infected file(s) with 2 virus(es) on your computer.
Detected File Associated Virus Name
C:\RECYCLER\S-1-5-21-1606980848-1004336348-725345543-1003\Dc451.exe TROJ_SMALL.YF
C:\WINDOWS\system32\tmpf01.exe TROJ_SMALL.ZF




Trojan/Worm Check No worm/Trojan horse detected

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer.
Trojan/Worm Name Trojan/Worm Type




Spyware Check 2 spyware programs detected

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 2 spyware(s) on your computer.
Spyware Name Spyware Type
COOKIE_2842 Cookie
DIAL_RAS.AS Dialer




Microsoft Vulnerability Check 1 vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 1 vulnerability/vulnerabilities on your computer.
Risk Level Issue How to Fix
Important A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. MS05-004



I will run the other scan when I come home from work. later

Dave

Hi willersd

You are using a old version off HijackThis.

Please update HijackThis v 1.99.1

Post a new HJT.Log

Kc

here is the scan from Panda Active Scan. I have downloaded the revised HJT program.

Incident Status Location

Adware:Adware/CWS.Searchmeup No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\057D2262-93F8-44CA-9952-8DF4AD\B58E1CC4-2C69-4C11-B21B-BFEF70
Virus:Trj/Downloader.LP Disinfected C:\WINDOWS\system32\tmpf01.exe Note the


Note when I ran the scan from trend micro house call it offered me the option of cleaning the files or deleting them. I chose to clean them and the program could not clean them. It then finished but was unsucessful when cleaning the files. I tried to run the trend micro house call again and twice it locked up the computer when it got to a file called pagefile.sys. It is located in c:\ . Note there are also files pagefile.vbs located in c:\windows\system32\dllcache and pagefileconfig.vbs located in c:\windows\system32. Well here is every thing you asked for what do you make of it all?

Thanks

Hi willersd

This has been disabled and can be found in the Quarantine box
C:\Program Files\Microsoft AntiSpyware\Quarantine\057D2262-93F8-44CA-9952-8DF4AD\B58E1CC4-2C69-4C11-B21B-BFEF70
Spyware Scan: Spyware Quarantine
Spyware threats in Spyware Quarantine do not run on your computer but you can restore these items to their original state at any time.
How to Restore a Quarantined Item
If you have accidentally quarantined a program as spyware you can remove it from quarantine and restore it to its original state. To restore a program:
1. A list of all items in your quarantine is displayed. Select the item you would like to un-quarantine and when the items appear in the right details pane, click Un-quarantine Threat. This action restores the item to its original state before it was quarantined.
2. To un-quarantine multiple items in the quarantine, select each item and click Un-quarantine all checked Threats at the bottom of the screen.
3. After you un-quarantine an item, restart your computer to make sure the restored application runs.

How to Remove a Quarantined Item
You can permanently remove any items in quarantine. To permanently remove an item from quarantine:
1. A list of all items in your quarantine is displayed. Select the item you would like to delete and when the item appears in the right details pane, click Remove Threat. This permanently removes the threat from your computer.
2. To remove multiple threats in the quarantine, select each item and click Remove all checked Threats at the bottom of the screen.



Pagefile how to disable:

Click-> Start-> Right click My Computer-> Scroll down the list selcet Properties-> Advanced-> Performance - Setting -> Advanced-> Vertual Memory- > Change-> now set to no page file.

Now you need to run the online virus scan again. And post a new HJT.Log

Kc

is there any reason I should unquaranteen an item if all my applications appear to run fine?

If I do not unquaranteen any items then I run the trend micro house call virus scan again after I disable the page file but it is my understanding that I do not need to re-run the pandasoftware virus scan again before creating a HJT.log is this correct?

Hi willersd

Delete the Quarantined Items

How to Remove a Quarantined Item
You can permanently remove any items in quarantine. To permanently remove an item from quarantine:
1. A list of all items in your quarantine is displayed. Select the item you would like to delete and when the item appears in the right details pane, click Remove Threat. This permanently removes the threat from your computer.

2. To remove multiple threats in the quarantine, select each item and click Remove all checked Threats at the bottom of the screen.

Kc

Here is the latest virus scan from Panda


Incident Status Location

Virus:Bck/Haxdoor.A Disinfected Operating system
Adware:Adware/MediaTickets No disinfected Windows Registry
Virus:Trj/Tofger.AT Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4BC440CA-E6C8-4827-9CEE-F11399\2BAD60ED-916C-4085-BC4E-E042DF
Virus:Trj/Tofger.AT Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\57DEEEEC-BD9A-4878-9BEA-E12598\4C65AF64-E852-4109-B827-190FD8
Here is the lates virus scan from microhousecall:

Virus Scan 0 virus cleaned, 0 virus deleted


Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer: 0 virus(es) cleaned, 0 virus(es) uncleanable, 0 virus(es) deleted, 0 virus(es) undeletable, 0 virus(es) passed.
Detected File Associated Virus Name Action taken




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer: 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable, 0 worm(s)/Trojan(s) passed.
Trojan/Worm Name Trojan/Worm Type Action taken




Spyware Check 1 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 1 spyware(s) on your computer: 1 spyware(s) removed, 0 spyware(s) unremovable, 0 spyware(s) passed.
Spyware Name Spyware Type Action taken
COOKIE_2842 Cookie Removal successful




Microsoft Vulnerability Check 1 vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 1 vulnerability/vulnerabilities on your computer.
Risk Level Issue How to Fix
Important A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. MS05-004


Note regarding the microhousecall scan:

I have installed the MS05-004 update to fix the ASP.net fix I am not sure why this showed up again. Maybe I did not reboot prior to running this scan.

Here is the latest HJT.log

Logfile of HijackThis v1.99.1
Scan saved at 10:29:49 PM, on 3/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\NORTON~1\Cfgwiz.exe
C:\PROGRA~1\NORTON~1\Navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dave Willers\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - Startup: outlook express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D0EA-F878F4D5FA7D} - http://www.searchfore.com/ThanksGiving_Greeting/tgtb.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tosinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tosinc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tosinc.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe





Note: The scans are finding different viruses than before. Is there a virus which keeps installing new and different viruses? If so should we just stop trying to fix this and format the c: drive?

Also how do I get rid of the adaware/mediaTickets virus?

Dave

Hi willersd

I would look at installing XP_2

Download the ccleaner
I use this Program and is setup like this all boxs are check.

Clean out off temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

Turn of system restore
Disabling or enabling Windows XP System Restore


Congratulations! Your system is CLEAN

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox user posted image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

After doing all these, your system will be thoroughly protected from future threats.

Kc

This topic has been resolved and is now closed. If you have anymore problems and need it to be reopened, please contact a staff member.