Worst Virus String Known To Man


This topic is locked

#1
the_bartender
New Member, 2 posts
The first thing to happen is the virus cisvvc.exe is found by my AV. Then drv2cltr.dll is found, then i.exe, and often times eraseme_51130.exe is found. When I can't delete the 1st with my AV, I go to find the file doesn't exist. I feel it may be connected with a mysterious process yimsgr.exe. My HJT log is as follows.

Logfile of HijackThis v1.99.1
Scan saved at 11:38:27 AM, on 6/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Defender Pro Anti Spam\dpantispam.exe
C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUpKiller.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.RYANSCOMP2\Desktop\Other\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink...ton/search.html
O4 - HKLM\..\Run: [Windows Compliant] cwitfh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [DefenderProAutoRun] "C:\Program Files\Defender Pro Anti Spam\dpantispam" -D "C:\Program Files\Defender Pro Anti Spam\conf"
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUpKiller.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{342AD1E6-FC42-49EE-9595-F997C68C87B5}: NameServer = 69.50.184.84 195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{342AD1E6-FC42-49EE-9595-F997C68C87B5}: NameServer = 69.50.184.84 195.225.176.37
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

My Silent Runners log is as follows:

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DefenderProAutoRun" = ""C:\Program Files\Defender Pro Anti Spam\dpantispam" -D "C:\Program Files\Defender Pro Anti Spam\conf"" [null data]
"Ashampoo PopUpBlocker" = "C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUpKiller.exe" [null data]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Compliant" = "cwitfh.exe" [file not found]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"KAVPersonal50" = "C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize" ["Kaspersky Labs"]
"ConMgr.exe" = ""C:\Program Files\EarthLink 5.0\ConMgr.exe"" ["EarthLink, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}\(Default) = "Internet Explorer Access"
\StubPath = "rundll32 iesetup.dll,IEAccessUserInst" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csbce.exe" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner.RYANSCOMP2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

kavsvc, kavsvc, "C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe" ["Kaspersky Labs"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


To say the least, I need :tazz: ;) ;) !


#2
g2i2r4
retired HiJack Helper, Retired Staff, 5,080 posts
Welcome the_bartender to Geeks to Go!



Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close.

***

Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [Windows Compliant] cwitfh.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\cisvvc.exe
C:\WINNT\system32\drv2cltr.dll
C:\WINDOWS\yimsgr.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Reboot to normal mode.

***

Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido.txt log file you saved by using Add Reply.

#3
the_bartender
Topic Starter, New Member, 2 posts
Sorry I took so long. Here are the reports. I should mention that my current antivirus also found and deleted cisvvc.exe, x.exe, and drv2cltr.dll. The current symptoms of this virus are as follows: when I start IE, my antivirus shows cisvvc to be infected (but not every time). I can't delete it then, but on a manual scan I do detect and delete it. x.exe often pops up as well and can't be deleted. I have also checked the registry with run regedit and found a cisvvc there. I deleted it without problem, though it returned. I have also run HJT, Spybot S&D, Ad-Aware, my antivirus Defender Pro 2005, About Buster, PV, Kill Box, Silent Runners, TDS-3, and CWShredder. If they saved a log, it's below...

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 7:52:58 PM, on 6/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Defender Pro Anti Spam\dpantispam.exe
C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUpKiller.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner.RYANSCOMP2\Desktop\Other\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [DefenderProAutoRun] "C:\Program Files\Defender Pro Anti Spam\dpantispam" -D "C:\Program Files\Defender Pro Anti Spam\conf"
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUpKiller.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{342AD1E6-FC42-49EE-9595-F997C68C87B5}: NameServer = 69.50.184.84 195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{342AD1E6-FC42-49EE-9595-F997C68C87B5}: NameServer = 69.50.184.84 195.225.176.37
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE



EWIDO:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:44:32 PM, 6/30/2005
+ Report-Checksum: DD482394

+ Date of database: 6/30/2005
+ Version of scan engine: v3.0

+ Duration: 40 min
+ Scanned Files: 52132
+ Speed: 21.24 Files/Second
+ Infected files: 4
+ Removed files: 4
+ Files put in quarantine: 4
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Program Files\EarthLink 5.0\tecpets@earthlink.net\Cookies\mom@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\dfhrl.dll -> Spyware.SBSoft.h -> Cleaned with backup
C:\WINDOWS\system32\ntfsnlpa.exe -> Spyware.Msnagent -> Cleaned with backup
C:\WINDOWS\system32\rdsndin.exe -> Spyware.FindSpy -> Cleaned with backup


::Report End


DEFENDER PRO 2 Reports:
Statistics:
Task start time: 6/30/2005 6:11:27 PM
Task completion time: 6/30/2005 6:20:55 PM
Objects scanned: 2185
Viruses detected: 8
Viruses disinfected: 0
Objects deleted: 1
Objects quarantined: 0

Settings:
Objects to be scanned:
My Computer, network folders and drives
If an infected object is found:
Upon virus detection, block access and prompt user for action
Scan level:
Maximum Protection
Objects to be excluded from the protection area:
Option not used

Report:
C:\WINDOWS\System32\cisvvc.exe;is infected with a virus Trojan-Clicker.Win32.Agent.db;6/30/2005 6:14:01 PM
C:\WINDOWS\System32\cisvvc.exe;is infected with a virus Trojan-Clicker.Win32.Agent.db;6/30/2005 6:14:01 PM
C:\WINDOWS\System32\cisvvc.exe;deleted;6/30/2005 6:14:04 PM
C:\WINDOWS\SYSTEM32\CISVVC.EXE;is infected with a virus Trojan-Clicker.Win32.Agent.db;6/30/2005 6:14:09 PM
C:\WINDOWS\SYSTEM32\CISVVC.EXE;is infected with a virus Trojan-Clicker.Win32.Agent.db;6/30/2005 6:14:14 PM
C:\WINDOWS\SYSTEM32\CISVVC.EXE;cannot be deleted, object locked;6/30/2005 6:14:17 PM
C:\WINDOWS\SYSTEM32\CISVVC.EXE;is infected with a virus Trojan-Clicker.Win32.Agent.db;6/30/2005 6:14:19 PM
C:\WINDOWS\System32\cisvvc.exe;is infected with a virus Trojan-Clicker.Win32.Agent.db;6/30/2005 6:14:19 PM
C:\WINDOWS\System32\X.exe;is a Trojan Trojan.Win32.Dialer.gx;6/30/2005 6:14:21 PM
C:\WINDOWS\SYSTEM32\CISVVC.EXE;is infected with a virus Trojan-Clicker.Win32.Agent.db;6/30/2005 6:14:24 PM
C:\WINDOWS\SYSTEM32\CISVVC.EXE;cannot be deleted, object locked;6/30/2005 6:14:27 PM


AND

Statistics:
Task start time: 6/30/2005 7:00:00 PM
Task completion time: 6/30/2005 7:02:02 PM
Objects scanned: 4143
Viruses detected: 1
Viruses disinfected: 0
Objects deleted: 2
Objects quarantined: 0

Settings:
Objects to be scanned:
My Computer
If an infected object is found:
Delete infected objects
Scan level:
Maximum Protection
Objects to be excluded from the scan scope:
Option not used

Report:
C:\WINDOWS\System32\cisvvc.exe;is infected with a virus Trojan-Clicker.Win32.Agent.db;6/30/2005 7:00:17 PM
cisvvc.exe\cisvvc.exe;deleted;6/30/2005 7:00:17 PM
C:\WINDOWS\System32\cisvvc.exe;deleted;6/30/2005 7:00:17 PM

SILENT RUNNERS:

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DefenderProAutoRun" = ""C:\Program Files\Defender Pro Anti Spam\dpantispam" -D "C:\Program Files\Defender Pro Anti Spam\conf"" [null data]
"Ashampoo PopUpBlocker" = "C:\PROGRA~1\DEFEND~2\DEFEND~1\PopUpKiller.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"KAVPersonal50" = "C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize" ["Kaspersky Labs"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}\(Default) = "Internet Explorer Access"
\StubPath = "rundll32 iesetup.dll,IEAccessUserInst" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csmfj.exe" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner.RYANSCOMP2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
kavsvc, kavsvc, "C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe" ["Kaspersky Labs"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


WILL CONTINUE WITH AMEND SHORTLY...

#4
g2i2r4
retired HiJack Helper, Retired Staff, 5,080 posts
Please disable Defender Pro Anti Spam. It may be protecting you from the changes.

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O17 - HKLM\System\CCS\Services\Tcpip\..\{342AD1E6-FC42-49EE-9595-F997C68C87B5}: NameServer = 69.50.184.84 195.225.176.37

O17 - HKLM\System\CS2\Services\Tcpip\..\{342AD1E6-FC42-49EE-9595-F997C68C87B5}: NameServer = 69.50.184.84 195.225.176.37

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Let's get rid of what we see is/was there.
Some scans say they deleted it, some say it's there.
Let's play safe; kill them all. If they are no longer on your computer, you will receive a message. Proceed with the next one then.

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\WINDOWS\System32\csmfj.exe

C:\WINDOWS\System32\cisvvc.exe

C:\WINDOWS\System32\X.exe


For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

***

Scan your computer using AVG again, let me know what it says.

Also post me a fresh log using HijackThis and a log from Silent Runners.




EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 18 July 2005 - 02:42 PM.

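As an added example (not from this thread, nor part of HijackThis or Silent Runners), a small Python parser that flags the three indicators the helper acted on in posts #2 and #4: O4 Run entries that launch a bare filename, O17 NameServer entries pointing at resolvers the owner never configured, and a populated Winlogon "System" value. The sample lines are copied from the logs above; the expected-resolver address is a hypothetical placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample input: O4/O17/O23 HijackThis lines and the Winlogon line from
# the Silent Runners report, all copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Compliant] cwitfh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{342AD1E6-FC42-49EE-9595-F997C68C87B5}: NameServer = 69.50.184.84 195.225.176.37
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
INFECTION WARNING! "System" = "csbce.exe" [null data]
"""

# Resolvers this machine is expected to use. Hypothetical value for the example
# (a TEST-NET-1 address); in practice take it from the DHCP lease or router.
EXPECTED_DNS = {"192.0.2.53"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (.+)$")
WINLOGON_RE = re.compile(r'^INFECTION WARNING! "System" = "(.*?)"')
# Unquoted command: the program ends at its file extension, arguments follow.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|pif|dll))(?:\s|$)", re.IGNORECASE)


def executable_of(command: str) -> str:
    """Return the program part of a Run-key command without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):          # quoted program, arguments after the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def find_suspicious(log_text: str, expected_dns=EXPECTED_DNS) -> List[Tuple[str, str]]:
    """Return (entry type, description) for each line matching a persistence red flag."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            hive, name, command = m.groups()
            exe = executable_of(command)
            # A bare filename in a Run key is located through the PATH search at logon;
            # installers write full paths, and the Silent Runners report in this
            # thread shows this very entry as "[file not found]".
            if "\\" not in exe:
                findings.append(("O4", f"{hive} Run [{name}] launches bare filename {exe}"))
        elif m := O17_RE.match(line):
            for server in re.split(r"[\s,]+", m.group(1).strip()):
                # A resolver the owner never configured redirects every DNS lookup.
                if server and server not in expected_dns:
                    findings.append(("O17", f"NameServer {server} is not an expected resolver"))
        elif m := WINLOGON_RE.match(line):
            # Winlogon's "System" value is empty on a clean XP install; anything in it
            # runs at every logon, which is why Silent Runners flags it.
            if m.group(1):
                findings.append(("Winlogon", f'System value runs "{m.group(1)}"'))
    return findings


if __name__ == "__main__":
    for kind, detail in find_suspicious(SAMPLE_LOG):
        print(f"{kind:8} {detail}")
```

Run against the sample it reports the cwitfh.exe Run entry, both foreign name servers and the csbce.exe Winlogon value, and nothing for the signed, full-path entries.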