Unable to disconnect from internet



#1
Sona

I am running Windows ME. I am on MSN dial-up service.

I recently had a bad virus infection as well as several nasty trojans.
I got the virus by simply VIEWING an infected web site.
I have reformatted. My computer was disabled; I had no choice.

I am running AVG Free, ZoneAlarm, and now TrojanHunter trial, updated (will buy this one).
I also run Spybot, Ad-Aware, CleanUp and CWShredder.

I cannot run ewido suite because they do not support Windows ME.

The only time I have not had ZoneAlarm running was when
MSN told me to turn it off during updating of Windows.
Maybe 1/2 hour or so.

It seems that was enough.
My computer began acting strangely, unable to disconnect.
I downloaded TrojanHunter and found netspy running.
I believe this is a keylogger trojan.
I think TrojanHunter removed it.
Re-scanning showed it gone.

However, I am getting an error message that msniasvc is
causing an error in msniawa.dll, then msniawa.dll closes.
I am unable to disconnect from the internet.
I have to reboot my computer to disconnect.


All my scans come up clean,

although the a-squared online check says:
Portscan....
At this test, the Online-Check tries to connect to your computer on several ports to detect possible leaks.
Attention! Desktop firewalls must be deactivated for this test!

Well, no way am I opening these, so the firewall stays.

Starting a² Online-Check for IP 65.***.1.** on 9/22/2005 4:53:50 PM

Portscan:
You computer is scanned for open ports now.


Security-Test:
Public available information about your PC resp. your network are collected.

Your IP address: I deleted this but it is the correct IP
Your operating system: Windows ME
Your browser: MS Internet Explorer
Full browser identification: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; MSN 9.0;MSN 9.1; MSNbMSNI; MSNmen-us; MSNcIA; MPLUS)
Browser languages: en-us

You did run the Online-Check 1 times before.

Public information about your IP address from the Whois Server:

OrgName: Qwest Communications
OrgID: QWDL
Address: 950 17th Street
Address: Suite 1900
City: Denver
StateProv: CO
PostalCode: 80202
Country: US

NetRange: 65.***.8.8 - 65.***.***.255
CIDR: 65.***.*.*/11
NetName: NET-QWEST-3BLKS
NetHandle: NET-65-***-*-*-1
Parent: NET-65-*-*.*-0
NetType: Direct Allocation
NameServer: DCA-ANS-01.INET.QWEST.NET
NameServer: SVL-ANS-01.INET.QWEST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-08-23
Updated: 2002-12-17

TechHandle: QN-ARIN
TechName: NOC
TechPhone: +1-703-363-3001
TechEmail: [email protected]

OrgAbuseHandle: QIA2-ARIN
OrgAbuseName: Qwest Abuse
OrgAbusePhone: +1-877-886-6515
OrgAbuseEmail: [email protected]

OrgNOCHandle: QIN-ARIN
OrgNOCName: Qwest IP NOC
OrgNOCPhone: +1-877-886-6515
OrgNOCEmail: [email protected]

OrgTechHandle: QIA-ARIN
OrgTechName: Qwest IP Admin
OrgTechPhone: +1-877-886-6515
OrgTechEmail: [email protected]


Your PC resp. your network is contacted now and public information will be collected.
Note: This check may take up to a minute.

No public information about your PC resp. your network could be determined.


Exploit-Test:
Your browser will be checked for installed ActiveX components of Dialers, etc. now.

IEAccess2 not found.
BCVoicePlugin not found.
TSCPlugin not found.
MoneyTreeDialer not found.
D9Dialer not found.
CABDialer not found.
SunInfoConnect.snConnect not found.
eConnect.eConn not found.
VLoading not found.
WebInstall not found.
Uloader not found.
ActiveInstall not found.
ActiveXDownload not found.
NTools.ActiveInstaller not found.
MaConnect not found.
xDiver not found.
WebPlugin_Class not found.
WebUpdate not found.
WSD not found.
IELoader not found.
Acceler8or not found.

No harmful ActiveX components were detected.


Browser-Check:
Your browser configuration will be checked for risks now.

Visual Basic Script (VBScript) Test: VBScript is activated!
VBScript is not dangerous in general. But it is used by worm virus authors to embed harmful code in HTML emails. Ensure to have the latest security updates of your browser installed to stay protected against harmful VBScripts.

Secure ActiveX Test: Invocation of secure ActiveX controls is activated.
ActiveX controls are a kind of enhancement plugins for the browser (as e.g. the Flash plugin). The classification if an ActiveX control is secure or not is done by the developer of the control. So it is also possible that a secure control can contain insecure code. Please notice, that the online Windows-Update doesn't work without ActiveX controls.

Insecure ActiveX Test: Invocation of insecure ActiveX controls is deactivated.
Insecure ActiveX controls may contain harmful code and therefore they should be deactivated or set to prompt the user before running to block controls of Dialers, etc.

Internet Explorer makes a difference between signed and unsigned ActiveX controls. Always check controls with invalid signatures before you accept them and let them install on your computer.


a² Online-Check finished on 9/22/2005 4:56:24 PM

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:32 AM, on 9/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\TABLET.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\REGISTER\REMIND32.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN.EXE
C:\PROGRAM FILES\MSN\MSNIA\MSNIASVC.EXE
C:\PROGRAM FILES\MSN\MSNIA\WA\CLIENTSIDEPROXY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\DESKTOP\SECURITY\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O8 - Extra context menu item: View Original Image - C:\program files\msn\msnia\wa\getoriginal.htm
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab

Incidentally, I received a Microsoft warning red X that tried to keep me from viewing this Geeks to Go site..... I wonder... am I paranoid or are the spies still here?

Thanks for any help in advance

Sona

Sorry about the super long post....

Edited by Sona, 22 September 2005 - 09:17 AM.
