Ok....
Following your directions, I updated Ewido, fixed the noted files in HJT, rebooted in safe mode and did not see Cas or sf. I didn't recognize the following programs:
DAO
OIN
Premium Search Start Page
TContext
None of the files you listed for deletion were present, with this exception:
1) You said to find & delete C:\Windows\cfgmgr52.dll. I found C:\...\cfgmgr52.ini (I didn't delete it)
2) You said to find & delete C:\Windows\System32\r?ndll.exe. I found C:\...\rundll.exe (I didn't delete it)
Here are the scans. Ewido first, then the HJT:
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:             7:11:57 PM, 8/12/2005
 + Report-Checksum:        55F375A1

 + Scan result:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP510\A0036212.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP510\A0036287.exe -> TrojanDownloader.QDown.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0036899.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037117.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037220.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037277.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037320.dll -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037357.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528\A0038379.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528\A0038569.dll -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041354.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041368.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041369.exe.tcf -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041370.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041371.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041372.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041373.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041374.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINDOWS\fngcnrn.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\apisvc.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cache\e121307.Stub.exe -> TrojanDownloader.Delmed.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cache\InstallAPS.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\WINDOWS\SYSTEM32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ae : Cleaned with backup

::Report End
Logfile of HijackThis v1.99.1
Scan saved at 7:16:56 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [miwq] C:\WINDOWS\System32\miwq.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kpnphp.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [BDFRK] C:\WINDOWS\System32\BDFRK.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{ACD80455-F4E6-40CF-8620-8C128A194B69}\SVCHOST.EXE
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [033k39X] traase.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [vraibh] c:\windows\system32\wqykxjj.exe r
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - HKCU\..\Run: [Ortcv] C:\WINDOWS\System32\r?ndll.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [H0sqRVbni] sietdown.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: System - {7DFB3B61-E65E-45AF-8F61-C52E17764FFC} - (no file)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
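As an added example (not code from the original post, nor from HijackThis or Ewido), here is a small Python triage script for a HijackThis v1.99 log of the shape posted above. It parses the R0/R1 Internet Explorer page entries and the O4 Run-key entries, reports every IE page setting that points at a raw IP address, and flags Run entries by a few heuristics: a bare filename with no directory (Windows locates it through the PATH search at logon, so the log does not tell you where it lives), a `?` in the name (not a legal Windows filename character, so HijackThis could not print one character and a search by the name as shown will miss the file), a core system process name launched from outside System32, and anything launched from the Windows directory that is not in a baseline. The `SAMPLE_LOG` lines are copied from the log in this post; the `KNOWN_GOOD` baseline is an assumption for this machine and the heuristics are this example's own, not HijackThis's.

```python
"""Triage helper for a HijackThis v1.99 log (added example; not code from the
original post, from HijackThis or from Ewido).  SAMPLE_LOG is copied from the
log in the post; KNOWN_GOOD is an assumed baseline for this machine and the
flagging heuristics are this example's own."""
import re
from urllib.parse import urlsplit

# R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://...
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")
# O4 - HKLM\..\Run: [name] command line
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.*?)\] (?P<cmd>.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumed baseline: Run entries that belong to software installed on this PC.
KNOWN_GOOD = {
    r"c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe",
    r"c:\progra~1\mcafee.com\agent\mcupdate.exe",
    r"c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe",
    r"c:\program files\dell support\dsagnt.exe",
}
# Core Windows process names that malware borrows to blend in.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe"}
SYSTEM32 = r"c:\windows\system32"

def first_token(cmd):
    """Split a Run command into (program, arguments), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:  # unbalanced quote: treat the remainder as the program
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def loaded_module(cmd):
    """The file that really runs: the DLL argument for rundll32, otherwise the program."""
    prog, rest = first_token(cmd)
    if prog.lower() in ("rundll32", "rundll32.exe"):
        return rest.split(",", 1)[0].strip()
    return prog

def autostart_reasons(module):
    """Reasons to look at one autostart module; an empty list means it is in the baseline."""
    m = module.lower()
    if m in KNOWN_GOOD:
        return []
    reasons = []
    if "\\" not in m:
        reasons.append("bare filename: found through the PATH search at logon, directory unknown")
    if "?" in m:
        reasons.append("'?' is not a legal filename character: HijackThis could not print part of the name")
    parent, _, base = m.rpartition("\\")
    if base in SYSTEM_NAMES and parent != SYSTEM32:
        reasons.append("system process name outside " + SYSTEM32)
    if m.startswith("c:\\windows\\"):
        reasons.append("launched from the Windows directory but not in the baseline")
    if not reasons:
        reasons.append("not in the baseline")
    return reasons

def page_hijacks(lines):
    """R0/R1 entries whose URL host is a bare IPv4 address rather than a DNS name."""
    hits = []
    for line in lines:
        m = R_LINE.match(line)
        if not m:
            continue
        url = m.group("data").strip()
        if IPV4.match(urlsplit(url).hostname or ""):
            hits.append((m.group(2), m.group("value").strip(), url))
    return hits

def suspicious_autostarts(lines):
    """O4 Run-key entries with at least one reason (startup-folder O4 lines are not parsed)."""
    found = []
    for line in lines:
        m = O4_LINE.match(line)
        if not m:
            continue
        module = loaded_module(m.group("cmd"))
        reasons = autostart_reasons(module)
        if reasons:
            found.append((m.group("hive"), m.group("name"), module, reasons))
    return found

def triage(log_text):
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    return {"page_hijacks": page_hijacks(lines), "autostarts": suspicious_autostarts(lines)}

# Constructed sample: a subset of the lines from the HijackThis log in this post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [miwq] C:\WINDOWS\System32\miwq.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{ACD80455-F4E6-40CF-8620-8C128A194B69}\SVCHOST.EXE
O4 - HKLM\..\Run: [033k39X] traase.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Ortcv] C:\WINDOWS\System32\r?ndll.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for hive, value, url in report["page_hijacks"]:
        print(f"IE {value} ({hive}) points at a raw IP: {url}")
    for hive, name, module, reasons in report["autostarts"]:
        print(f"[{name}] {module}")
        for r in reasons:
            print("    -", r)
```

Run it on the full log above and every O4 Run entry except the four baseline ones comes back with at least one reason, which matches the helper's instructions in the thread; the `rundll32` handling is what turns the `[cfgmgr52]` and `[AUNPS2]` lines into the DLL paths you actually need to go looking for.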