Phew, 99% Clean - Help me w/ last 1%


  • Please log in to reply

#1
legal_video

Thanks in advance for the help. What can I say, I've run the gamut - ewido / adaware / spybot / cwshredder / HJT / trojanhunter / kaspersky / kill2me. Seems like the malware is against the ropes -- two fishy items are popping up when I run HJT (in bold below). I'm hesitant to reattach the ethernet cable as I know it will just regrow into the thick urban density it'd achieved before. Ahem. Any advice on wrapping this up?

--------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:12:33 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Documents and Settings\ENCODING 3\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on LANE] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P43 "Auto EPSON Stylus Photo R200 Series on LANE" /O17 "\\LANE\EPSON R200" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\g6jolg1316.dll

O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

--------------------------------

As I hinted above, these buggers won't stay deleted after I "fix" them with HJT. Most recently I went into the Restore Console and tried deleting the random.dll from the DOS prompt and succeeded, though a new one pops up with each reboot. The spyware/trojan removers mentioned above all come up with clean searches, with the exception of CWShredder (v2.14) always saying it's removed "VX2.Look2Me". You guys & gals are super smart; I'd greatly appreciate any input on the matter.

Edit: Actually ewido is continuing to find look2me.ab components embedded in the system restore points. I have no clue why this "trusted zone" entry is being so tenacious...

Edited by legal_video, 27 April 2005 - 02:51 PM.

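Added example, not part of the original post and not HijackThis code: a small Python triage script that parses HJT-style log lines like the ones above and flags the two kinds of entry the poster bolded, an O20 Winlogon Notify package pointing at an unrecognised (here random-looking) DLL, and an O15 Trusted Zone domain. The allowlist of standard Notify DLLs, the naming heuristic and the sample lines are constructed assumptions for illustration.

```python
import re

# Constructed sample: HijackThis-style lines, mostly copied from the log above,
# plus one benign control line for the standard crypt32chain Notify entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\g6jolg1316.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# Assumed allowlist of Winlogon Notify DLLs that ship with Windows XP. Anything
# else registered as a logon-notification package deserves a closer look: these
# DLLs are loaded by winlogon.exe at every boot, which is why the entry survives
# deleting the file (a new DLL is dropped and re-registered on the next start).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "wzcdlg.dll"}

# Heuristic only: a bare alphanumeric name mixing letters and digits, like g6jolg1316.dll.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}\.dll$", re.I)

LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


def triage(log_text):
    """Return (section, item, reason) tuples for entries worth investigating."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O20" and body.startswith("Winlogon Notify:"):
            path = body.rsplit(" - ", 1)[-1].strip()
            name = path.rsplit("\\", 1)[-1].lower()
            if name in KNOWN_NOTIFY_DLLS:
                continue
            reason = ("random-looking DLL name" if RANDOM_NAME.match(name)
                      else "unknown Winlogon Notify DLL")
            findings.append((section, name, reason))
        elif section == "O15" and body.startswith("Trusted Zone:"):
            domain = body.split(":", 1)[1].strip()
            # Sites in IE's Trusted Zone run with relaxed security settings, so
            # every O15 entry is reported and the reviewer decides if it is wanted.
            findings.append((section, domain, "site placed in IE Trusted Zone"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section}: {item} -> {reason}")
```

The script only reads a saved log; it does not touch the registry, so the reviewer still removes the O20 package and the O15 zone entry with the cleanup tool of their choice after confirming the finding.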
