HijackThis Log Please Help

Discussion in 'Windows - Virus and spyware problems' started by melst, Oct 18, 2006.

  1. melst

    melst Guest

    I have run HijackThis as per the instructions. Strangely, when running HijackThis I receive an error message before it finishes creating the log file: 'HijackThis has generated errors and will need to be closed by windows. An error log is being created'. Any help would be appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:39:21 PM, on 18/10/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system\msidll.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINNT\loadqm.exe
    C:\WINNT\System32\carpserv.exe
    C:\Program Files\Dodo Speed Accelerator\slipcore.exe
    C:\WINNT\System32\ctfmon.exe
    C:\DOCUME~1\EIS~1.EIS\LOCALS~1\Temp\1D4A.tmp
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\DOCUME~1\EIS~1.EIS\LOCALS~1\Temp\FB5B.tmp
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.creative.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINNT\system\msidll.exe
    O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINNT\system\svchost.exe (file missing)
    O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
     
  2. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Go here to download the trial version of AVG Anti-spyware.

    Go here and download [bold]ATF Cleaner[/bold].

    Install and update AVGAS.
    [bold]Note[/bold]: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.
    Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from menu and press Enter).
    Open AVG AS and click "Scanner".
    Click "Complete System Scan".
    When it finishes scanning, set all items to "Quarantine".
    Click "Apply All Actions".
    Click "Save Report".
    Click "Save report as" and save it to the desktop.

    Open ATF Cleaner.
    Check "Select All".
    Click "Empty Selected".

    Restart in normal mode.
    Post back with the AVG report and a new HijackThis log.
     
  3. melst

    melst Guest

    Thanks for helping me. I have done all as instructed. Here is my avg report and HijackThis log. I still received the error message as before when running hijackthis.

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 2:01:49 PM 19/10/2006

    + Scan result:



    C:\WINNT\system\msidll.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
    C:\WINNT\system32\dvudtmue.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
    C:\WINNT\system32\kuiaullb.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
    C:\WINNT\system32\lbwdhdxq.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
    C:\WINNT\system32\upmxdhfy.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
    :mozilla.54:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
    :mozilla.55:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
    :mozilla.9:C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Firefox\Profiles\xnfu6um2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.60:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.18:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.19:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.20:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.21:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.22:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.42:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
    :mozilla.43:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
    :mozilla.44:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
    :mozilla.45:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
    :mozilla.62:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.16:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.17:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.53:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Cookies\eis@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.32:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.33:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.34:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.35:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.71:C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.


    ::Report end


    Logfile of HijackThis v1.99.1
    Scan saved at 2:12:40 PM, on 19/10/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    C:\WINNT\System32\carpserv.exe
    C:\Program Files\Dodo Speed Accelerator\slipcore.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Dodo Speed Accelerator\slipgui.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.creative.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ipcop:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINNT\system\msidll.exe (file missing)
    O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINNT\system\svchost.exe (file missing)
    O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

     
  4. Niobis

    Niobis Active member

    Go to Start > Run > type service.msc
    Find these, right click each one and click "Stop".
    If not there, continue with HijackThis remove.
    [bold]COM+ System Service (DLLHOST)
    Microsoft information dll service (msidll)
    Windows Service Host (SVCHOST)[/bold]
    Close Services.

    Open HijackThis.
    Click "Open the misc tools section".
    Click "Delete an NT service..."
    Copy/paste each of these [bold]one at a time[/bold] into the area and then click OK.
    [bold]O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINNT\system\msidll.exe (file missing)
    O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINNT\system\svchost.exe (file missing)[/bold]

    Then, run a scan only with HijackThis, check this:

    [bold]R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ipcop:80[/bold]

    Close all windows then click "Fix checked".
    Close HijackThis.

    Turn off System Restore.
    Start > Control Panel > System > System Restore tab > select "Turn off System Restore" > click OK

    Restart your computer.

    Go here and run Kaspersky Online Scanner.
    Accept the terms.
    After downloading, click "My Computer".
    After scanning, click "Save report as".
    Save as a text file.

    Post back with the Kaspersky log and a new HijackThis log.

    Also, please tell if the error still remains with HijackThis.
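    The triage Niobis walks through above (O23 services with an unknown owner and a missing binary, the short name in parentheses that "Delete an NT service" expects, the R1 proxy line, processes running from odd places) can be done mechanically over a HijackThis v1.99.1 log. This is an added example, not code from this thread or from HijackThis; the sample lines are copied from the logs posted above, and the rule set is my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of HijackThis v1.99.1 lines taken from the logs
# posted in this thread, trimmed to the entries the checks below look at.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP2 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system\msidll.exe
C:\WINNT\system32\svchost.exe
C:\DOCUME~1\EIS~1.EIS\LOCALS~1\Temp\1D4A.tmp
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.creative.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ipcop:80
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINNT\system\msidll.exe
O23 - Service: Windows Service Host (SVCHOST) - Unknown owner - C:\WINNT\system\svchost.exe (file missing)
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
"""


@dataclass
class Service:
    display_name: str
    short_name: Optional[str]  # the name "Delete an NT service" wants; None if HJT printed no parentheses
    owner: str
    path: str
    file_missing: bool


@dataclass
class Finding:
    category: str  # "process", "service" or "network"
    item: str
    reason: str


def parse_o23(line: str) -> Optional[Service]:
    """Parse 'O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]'."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].split(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    missing = path.endswith(" (file missing)")
    if missing:
        path = path[: -len(" (file missing)")]
    # The short (registry) name is the parenthesised tail of the display name, if any.
    m = re.match(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))?$", display)
    return Service(m.group("display"), m.group("short"), owner, path, missing)


def _in_dir(path: str, dirname: str) -> bool:
    """True if dirname is one of the directory components of a Windows path (case-insensitive)."""
    return dirname.lower() in path.lower().split("\\")[:-1]


def triage_services(services: List[Service]) -> List[Finding]:
    out = []
    for s in services:
        label = f"{s.display_name} ({s.short_name or 'no short name'})"
        if s.owner == "Unknown owner" and s.file_missing:
            out.append(Finding("service", label, "unknown owner and binary missing: orphaned service entry"))
        elif s.owner == "Unknown owner" and _in_dir(s.path, "system"):
            out.append(Finding("service", label, "unknown owner and binary lives in WINNT\\system, not System32"))
    return out


def triage_processes(paths: List[str]) -> List[Finding]:
    out = []
    for p in paths:
        if _in_dir(p, "temp"):
            out.append(Finding("process", p, "running from a Temp directory"))
        elif _in_dir(p, "system"):
            out.append(Finding("process", p, "running from WINNT\\system rather than System32"))
    return out


def triage_network(lines: List[str]) -> List[Finding]:
    out = []
    for line in lines:
        m = re.match(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>.+)$", line)
        if m:
            out.append(Finding("network", m.group("proxy"), "IE proxy set; confirm it is one you configured"))
        m = re.match(r"^O17 - .*NameServer = (?P<dns>.+)$", line)
        if m:
            out.append(Finding("network", m.group("dns"), "DNS servers on adapter; confirm they are your ISP's"))
    return out


def triage_log(text: str) -> List[Finding]:
    """Run every check over a whole HijackThis log and return the findings."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    procs, in_procs = [], False
    for line in lines:
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:  # the process list ends at the first blank line
                in_procs = False
            else:
                procs.append(line)
    services = [s for s in (parse_o23(ln) for ln in lines) if s]
    return triage_processes(procs) + triage_services(services) + triage_network(lines)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.category}] {f.item}: {f.reason}")
```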
     
  5. melst

    melst Guest

    Thanks for your help. I am a bit confused though. When I tried Start>Run>services.msc I received a message that this file could not be found so I opened HijackThis and checked those entries but I don't know how to remove them. Would that be by clicking 'fix checked'? Or do you want me to 'close' them and if so how would I do that please?
     
  6. Niobis

    Niobis Active member

    Checking and clicking "Fix checked" usually will not work with services. You have to use the "Delete an NT service" option.

    Look here C:\WINNT\[bold]System32[/bold] for your services.msc file (the icon looks like two gears). If it's there open it and continue with stopping them. If it isn't there, start with opening HijackThis and deleting the services and continue from there.

    Before you run Kaspersky run a new scan with HijackThis, if they are still there let me know 'cause we'll have to remove them manually.
     
    Last edited: Oct 19, 2006
  7. melst

    melst Guest

    Thanks for persevering with me. I have followed your instructions. In C:winnt... these services were marked as already stopped. When I tried to stop them using hijackthis I received notification that these services were not found in the registry and that I needed to enter the short name of the service. So I haven't been able to complete these tasks.
     
  8. Niobis

    Niobis Active member

    Try these with HijackThis:
    [bold]COM+ System Service (DLLHOST)
    Microsoft information dll service (msidll)
    Windows Service Host (SVCHOST)[/bold]
     
  9. melst

    melst Guest

    I tried those titles in the 'Delete an NT service' area in the 'Misc Tools' section of HijackThis but still received the same message,
    e.g. 'Service 'Windows Service Host (SVC)' was not found in the Registry. Make sure you entered the short name of the service., vbEclamation'.
     
  10. Niobis

    Niobis Active member

    Ah, my fault! I wasn't thinking when I posted the second time. :)

    This is what you use:
    [bold]DLLHOST
    msidll
    SVCHOST[/bold]

    Sorry about that.

    After that, restart.
    Then, run Kaspersky and post back with the log and a new Hijackthis log.
     
    Last edited: Oct 20, 2006
  11. melst

    melst Guest

    No worries and thanks for helping. I have attempted to 'delete an NT service' using those headings but have received the message for DLLHOST, 'The Service 'DLLHOST' is enabled and or running. Disable it first, using HijackThis itself (from the scan results) or the services.msc window' and for msidll SVCHOST the message,
    'Service ... was not found in the Registry. Make sure you entered the short name of the service., vbEclamation'.
     
  12. Niobis

    Niobis Active member

    Ok, one more time. Hopefully the last. :)

    Start > Run > type services.msc > click OK.
    Find each of these and double click them.
    Beside "Startup Type" click the drop down menu and select "Disabled".
    [bold]COM+ System Service (DLLHOST)
    Microsoft information dll service (msidll)
    Windows Service Host (SVCHOST)[/bold]
    Close Services.

    For more assurance fix each with HijackThis also.
    Then, go to Delete an NT service and try again.
    You will be prompted to restart after each one, do so after entering the last one.

    If SVCHOST or msidll still prompts it's not in registry just continue with Kaspersky scan.
     
  13. melst

    melst Guest

    As instructed, I did
    'Start > Run > type services.msc > click OK.
    Find each of these and double click them.
    Beside "Startup Type" click the drop down menu and select "Disabled".
    COM+ System Service (DLLHOST)
    Microsoft information dll service (msidll)
    Windows Service Host (SVCHOST)
    Close Services.'
    However when trying 'Delete an NT service', Hijackthis still told me that these entries could not be found in the Registry and when I created the log I received the message that 'HijackThis has generated errors and will be closed by Windows'.
    Here are the Kaspersky online virus scan results and the HijackThis log.

    KASPERSKY ONLINE SCANNER REPORT
    Sunday, October 22, 2006 2:22:09 AM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 2 (Build 2195)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 21/10/2006
    Kaspersky Anti-Virus database records: 220190
    Scan Settings
    Scan using the following antivirus database standard
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    A:\
    C:\
    D:\
    Scan Statistics
    Total number of scanned objects 28312
    Number of viruses found 4
    Number of infected objects 9 / 0
    Number of suspicious objects 0
    Duration of the scan process 03:31:02

    Infected Object Name Virus Name Last Action
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SYSTEM Object is locked skipped
    C:\WINNT\system32\config\SOFTWARE Object is locked skipped
    C:\WINNT\system32\config\DEFAULT Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\pvcoartv.dll Infected: Trojan.Win32.BHO.g skipped
    C:\WINNT\system32\bhevgfno.dll Infected: Trojan.Win32.BHO.g skipped
    C:\WINNT\Temp\9D14.tmp Infected: Trojan.Win32.Zapchast.cg skipped
    C:\WINNT\Temp\FC4D.tmp Infected: Trojan.Win32.Zapchast.cg skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\Debug\ipsecpa.log Object is locked skipped
    C:\WINNT\Debug\oakley.log Object is locked skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Sti_Trace.log Object is locked skipped
    C:\WINNT\ModemLog_SoftK56 Data Fax Voice Speakerphone CARP.txt Object is locked skipped
    C:\red.exe Infected: Trojan-Dropper.Win32.Small.uy skipped
    C:\Documents and Settings\Default User.WINNT\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\SFMLMNKV\s2.5[1].exe Infected: Trojan.Win32.Zapchast.cg skipped
    C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\SFMLMNKV\s2.5[2].exe Infected: Trojan.Win32.Zapchast.cg skipped
    C:\Documents and Settings\Default User.WINNT\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/02 Jul 2003 01:57 from David Needham:FW: UNCLASSIFIED:-Oldie but/spider.sav.scr Infected: Email-Worm.Win32.Tanatos.b.dam skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 1 skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\history.dat Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\parent.lock Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\cert8.db Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\Mozilla\Firefox\Profiles\vdy15fob.default\key3.db Object is locked skipped
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\ntuser.dat.LOG Object is locked skipped
    Scan process completed.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:31:56 PM, on 22/10/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    C:\WINNT\System32\carpserv.exe
    C:\Program Files\Dodo Speed Accelerator\slipcore.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

    Thanks again for all the help.
     
  14. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Did you install VSToolBar since your last post? If you didn't go to Add/Remove Programs and uninstall it.

    Go here and download Spybot Search and Destroy.

    After installing open Spybot.
    Click "Check for Updates".
    Click "Search for Updates".
    Select all and click "Download Updates".
    After updating, close Spybot. We will run the scan in safe mode.

    Restart in safe mode.
    Locate and remove these files:
    C:\red.exe
    C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\SFMLMNKV\s2.5[1].exe
    C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\SFMLMNKV\s2.5[2].exe

    Empty the Recycle Bin.

    Open Spybot.
    Click "Check for Problems".
    When it finishes, click "Fix selected problems".
    Right-click and select "Copy results" (not the full report).
    Paste the log into Notepad and save it.

    Restart in normal mode.
    Are you still getting errors with HijackThis?

    Post back with the Spybot log and a new HijackThis log.
     
  15. melst

    melst Guest

    I can't recall installing the VST toolbar. I have done as instructed and am still receiving the error message when I run HijackThis. Something odd that I just noticed in My Computer is a new additional unidentified and unnamed folder.
    Here are the logs,

    Spybot SD
    MediaPlex: Tracking cookie (Internet Explorer: EIS) (Cookie, fixed)


    Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

    Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1

    Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

    Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

    Microsoft.WindowsSecurityCenter.SP2Update: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

    Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

    Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

    SeachToolbarCorp.ToolbarVision: Program directory (Directory, fixed)
    C:\Program Files\VSToolbar\

    SeachToolbarCorp.ToolbarVision: Text file (File, fixed)
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt

    SeachToolbarCorp.ToolbarVision: Text file (File, fixed)
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt

    SeachToolbarCorp.ToolbarVision: Program directory (Directory, fixed)
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\SearchToolbarCorp\Toolbar Vision\

    SeachToolbarCorp.ToolbarVision: Program directory (Directory, fixed)
    C:\Documents and Settings\EIS.EIS-LRJTXCCU1V4\Application Data\SearchToolbarCorp\

    SeachToolbarCorp.ToolbarVision: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-436374069-1677128483-839522115-1000\Software\Search Toolbar Corp


    --- Spybot - Search && Destroy version: 1.3 ---
    2006-10-20 Includes\Cookies.sbi
    2006-10-13 Includes\Dialer.sbi
    2006-10-13 Includes\Hijackers.sbi
    2004-11-29 Includes\LSP.sbi
    2006-10-20 Includes\Keyloggers.sbi
    2006-10-13 Includes\Malware.sbi
    2006-10-20 Includes\Revision.sbi
    2006-10-13 Includes\Security.sbi
    2006-10-13 Includes\Spybots.sbi
    2006-10-20 Includes\PUPS.sbi
    2006-10-13 Includes\Trojans.sbi
    2006-10-20 Includes\PUPSC.sbi
    2005-02-17 Includes\Tracks.uti
    2006-10-20 Includes\TrojansC.sbi
    2006-10-20 Includes\SpybotsC.sbi
    2006-10-20 Includes\SecurityC.sbi
    2006-10-20 Includes\MalwareC.sbi
    2006-10-20 Includes\KeyloggersC.sbi
    2006-10-20 Includes\HijackersC.sbi
    2006-10-20 Includes\DialerC.sbi

    HijackThis
    Logfile of HijackThis v1.99.1
    Scan saved at 4:15:37 PM, on 22/10/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    C:\WINNT\System32\carpserv.exe
    C:\Program Files\Dodo Speed Accelerator\slipcore.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ipcop:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

    I'm pretty ignorant when it comes to these diagnostic practices, and am probably barking up the wrong tree but in my C: directory I noticed two new .exe files that I don't recall seeing previously. They are named zzkzddz.exe and zzkzdz.exe
    BTW has anyone ever ascertained the identities of the people responsible for the winfixpro malware? I'd like to know where they live...
     
  16. Niobis

    Niobis Active member

    Thank you! You mentioned WinFixer and I thought, Vundo. And look, no O2 or O20 entries in your log. Rename HijackThis to any name of your choice. Run a new scan and post the new log.

    Yes, those two files mentioned are most likely bad because of the random name. I can't believe Kaspersky didn't pick these things up.

    Go to Jotti's malware scan.
    Beside the "File to upload and scan" box click "Browse", find one of those, upload and scan it. Copy the results and post them with the new HJT log.

    By the way, I'm not sure if they are known yet. I'll look into it.
     
    Last edited: Oct 21, 2006
  17. melst

    melst Guest

    I should be thanking you! Something else that is odd is that now when I'm trying to open any Word .doc I'm being prompted to register my copy of Microsoft Office Suite, which I assumed was already registered since I have never had this request made of me before. Also, after I ran Spybot and HijackThis and rebooted in normal mode, both browsers 'could not find' any of the websites I tried to look up, Afterdawn.com and Google.com for example, and I had to reboot again to restore browser access. I wonder, what do you make of the unnamed folder in My Computer? Will do as instructed and post asap, thanks again.
     
  18. Niobis

    Niobis Active member

    May or may not be caused by the malware. We'll see what happens after we finish cleaning.

    Hmm, could have been caused by whatever remains.

    Sorry, forgot to say something about that. If you didn't create it, delete it.
     
    Last edited: Oct 21, 2006
  19. melst

    melst Guest

    HijackThis log
    Logfile of HijackThis v1.99.1
    Scan saved at 6:18:59 PM, on 22/10/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    C:\WINNT\System32\carpserv.exe
    C:\Program Files\Dodo Speed Accelerator\slipcore.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Dodo Speed Accelerator\slipgui.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\JHT\JackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\System32\pvcoartv.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Dodo Speed Accelerator\PBHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Dodo Speed Accelerator\components\NOWImaging.dll
    O2 - BHO: (no name) - {AE390722-A6AB-47DB-BFBD-06C986291B2C} - C:\WINNT\AppPatch\bvrul.dll
    O2 - BHO: (no name) - {B3D86720-11FA-492E-97E0-7411E80EF26D} - C:\WINNT\System32\ljjjjhh.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Dodo Speed Accelerator\slipcore.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: Dodo Speed Accelerator.lnk = C:\Program Files\Dodo Speed Accelerator\slipgui.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesau.dll
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
    O20 - Winlogon Notify: bvrul - C:\WINNT\AppPatch\bvrul.dll
    O20 - Winlogon Notify: ljjjjhh - ljjjjhh.dll (file missing)
    O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

    Jotti's result
    File: zzkzddz.exe
    Status:
    OK
    MD5 c0f8622d0f0983ddf08b166739e5d077
    Packers detected:
    -
    Scanner results
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing

    As you say, it might be a new virus by the looks of these results.
     
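    Niobis's point above, that the O2 and O20 entries only showed up once HijackThis had been renamed, is the kind of before/after comparison that is easy to script. The following Python triage helper is an added example, not code from this thread or from HijackThis: it parses the entry format seen in these logs, diffs the two runs, and flags Winlogon Notify hooks, unnamed or missing BHOs and registry DNS servers. The "no vowels in the file stem" rule for random-looking names is my own heuristic, not something the thread states.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: a few entries excerpted from the two logs in this thread,
# the run under the original name (Oct 22, 4:15 PM) and the run after renaming.
BEFORE_RENAME = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
"""
AFTER_RENAME = r"""
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\System32\pvcoartv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE390722-A6AB-47DB-BFBD-06C986291B2C} - C:\WINNT\AppPatch\bvrul.dll
O2 - BHO: (no name) - {B3D86720-11FA-492E-97E0-7411E80EF26D} - C:\WINNT\System32\ljjjjhh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCBF06D-6C43-4CE7-B33D-49DF38CB2146}: NameServer = 203.194.56.150 203.194.27.57
O20 - Winlogon Notify: bvrul - C:\WINNT\AppPatch\bvrul.dll
O20 - Winlogon Notify: ljjjjhh - ljjjjhh.dll (file missing)
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")   # e.g. "O20 - Winlogon Notify: ..."
MISSING = "(file missing)"


def parse_hjt(log: str) -> Dict[str, List[str]]:
    """Group a HijackThis log into {section: [entry body, ...]}; header and process lines are skipped."""
    entries: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def module_path(body: str) -> str:
    """Last ' - ' field of an O2/O20 entry, without the '(file missing)' marker."""
    return body.rsplit(" - ", 1)[-1].replace(MISSING, "").strip()


def looks_random(path: str) -> bool:
    """Heuristic (my own assumption, not the thread's): a file stem of five or
    more letters with no vowel at all, like ljjjjhh or zzkzddz, looks random."""
    name = path.rsplit("\\", 1)[-1]
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name).lower()
    letters = [c for c in stem if c.isalpha()]
    return len(letters) >= 5 and not any(c in "aeiou" for c in letters)


def triage(before: str, after: str) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, entry) findings for the AFTER log; the BEFORE
    log is used only to tell new entries from ones already present."""
    old, new = parse_hjt(before), parse_hjt(after)
    findings: List[Tuple[str, str, str]] = []
    for section, bodies in new.items():
        for body in bodies:
            entry = f"{section} - {body}"
            is_new = body not in old.get(section, [])
            if section == "O20":
                # Winlogon Notify DLLs load at logon; this is where the thread's helper expects Vundo.
                findings.append(("high", "Winlogon Notify hook", entry))
            elif section == "O2" and (MISSING in body or looks_random(module_path(body))):
                findings.append(("high", "BHO with missing or random-looking module", entry))
            elif section == "O2" and "(no name)" in body:
                findings.append(("medium", "unnamed BHO, verify the vendor of the DLL", entry))
            elif section == "O17":
                findings.append(("medium", "DNS servers set in registry, confirm they are the ISP's", entry))
            elif is_new:
                findings.append(("low", "entry absent from the earlier log", entry))
    return findings


if __name__ == "__main__":
    for severity, reason, entry in triage(BEFORE_RENAME, AFTER_RENAME):
        print(f"[{severity:6}] {reason}: {entry}")
```

    Unchanged O3/O4/O23 lines produce no finding, so the output is only what changed or what sits in the hook sections.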
  20. Niobis

    Niobis Active member

    Well, well, look at all the new files that decided to join us. :)

    Download VundoFix to your desktop.

    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Please post the contents of C:\vundofix.txt and a fresh HijackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    After the reboot, look for those randomly named files. Still there?

    Post back with the contents of vundofix.txt and a new HijackThis log. Are you still getting the error?
     
    Last edited: Oct 21, 2006
