1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Possible Virus: ModName 2326_27.dll in Explorer & recent SmitFraud.c and WinAntiVirus

Discussion in 'Virus & Other Malware Removal' started by bartechie, Jul 17, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. bartechie

    bartechie Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    12
    Hello!

    I need your help. I tried for the last three days, but I gotta refer to you malware experts now. I recently had SmitFraud.c and WinAntiVirus real bad.

    I used a battery of SmitRem, Prevx (since removed), Adaware, Spybot, and Computer Associates eTrust Internet Security Suite (R1) to clean up. I recently updated to WinXP SP2 and ran ALL my Windows Updates.

    I did encounter a process called sspool.exe that was cranked at 99% CPU. There was a key in my HKLM/sw/ms/win/curr/run from wscfg32 that launched sspool32.exe. I googled it and couldn't find anything on sspool32.exe. Since my system was taxed and I couldn't find a good reason for this process, I killed the process and deleted the reg key that launched it.

    After deleting the reg entry for sspool32.exe and running all microsoft updates, the system behaves much better now. However, I still get a sporadic error from Explorer.exe stating it experienced an error and needs to close. Sorry for the inconvenience. Here are the error details:

    AppName: explorer.exe AppVer: 6.0.2900.2180 ModName: 2236_27.dll ModVer: 0.0.0.0 Offset: 0000620c

    After closing, desktop has to reload. I only get back about 1/3 of my icons in the System Tray after the reload.

    I googled this 2236_27.dll and Prevx website claims it's a nasty. I've also seen in a thread on your website where you recommended someone to remove it.

    Anyway, I'm sure you will know. I'm deferring to your best judgment.

    Here's my recent HJT log. Please let me know what you see and how to proceed.

    Thanks!!

    Bartechie

    ---

    Logfile of HijackThis v1.99.1
    Scan saved at 4:08:17 PM, on 7/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\System32\xwntserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    O1 - Hosts: 129.41.63.215 mail-02vs
    O1 - Hosts: 129.41.63.216 mail-03vs
    O1 - Hosts: 129.41.63.192 mail-04vs
    O1 - Hosts: 129.41.63.193 mail-05vs
    O1 - Hosts: 172.19.5.2 divexchserver
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {64a8c722-742c-48a6-b187-b99b9481245b} - C:\WINDOWS\system32\dxdf18.dll (file missing)
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\RunServices: [ÿ_zskBL[^VFKD[MI`] C:\WINDOWS\System32\_zskwrkni05K[G\`IM[DKFV^[LB.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: registration.excite.com
    O15 - Trusted Zone: www.excite.com
    O15 - Trusted Zone: *.excite.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.08.43-hp&http://h71016.www7.hp.com/html/interactive/h6300/model.html?jumpid=in_R329_3d/HND/h6300|ProdPage|viewpoint
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153155590709
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://secure.delucaliquor.com/suppliers/arview2.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
    O20 - Winlogon Notify: dxdf18 - dxdf18.dll (file missing)
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll
    O21 - SSODL: ShBJjK - {74EA7AC9-DE40-D063-0014-4AE2840B4036} - C:\WINDOWS\System32\cgb.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
    · Double-click VundoFix.exe to run it.
    · Click the Scan for Vundo button.
    · Once it's done scanning, click the Remove Vundo button.
    · You will receive a prompt asking if you want to remove the files, click YES
    · Once you click yes, your desktop will go blank as it starts removing Vundo.
    · When completed, it will prompt that it will shutdown your computer, click OK.
    · Turn your computer back on.
    · Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    ===========================
    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  3. bartechie

    bartechie Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    12
    SC,

    Thanks for the reply.

    As I was checking your reply, the windows explorer error posted again on screen. Again, the ModName in error details was 2236_27.dll. I left the error open.

    I ran VundoFix and chose Scan. After running for about 20 minutes or so, VundoFix posted a message stating Done Searching for files. No infected files were found.

    Selecting Remove Vundo yielded a message No files were found, VundoFex V5.1.4 will now close, and it did after selecting OK.

    I closed the explorer.exe error window and ran VundoFix again. In the midst, the Explorer.exe error threw again, not surprisingly with ModName 2236_27.dll. I chose Don't Send and desktop reloaded.

    VundoFix ran throughout the explorer.exe reload for its second pass and I suppose to no surprise it claimed again that No files were found. Nothing to remove.

    Perhaps not coincidentally but certainly incontinently, Windows Explorer.exe puked on me again when it finished.

    Because I think you wanted to see a clean HJT log after reboot, I restarted and took HJT log #1 at that point.

    As you instructed, I proceeded to get the trial version of Spysweeper.
    I have to say, I ran into some difficulty with this application when trying to Check for Updates and my system hung, twice.

    I Went through reboots, removal and reinstall before I felt better about it. I stayed away from the Check for Updates option on the main screen and used the Definition Update button on the Scan page instead.

    Also, I wasn't too pleased about pop-ups after reboots asking me to survey and buy it.

    I persevered and managed to install, update definitions, set prescribed options (thank you), and proceeded to scan.

    SpySweeper found some baddies, after all. I made sure all were selected and quarantined the bunch. A couple of them required reboot to be removed. I held off on the reboot so I could save the session log.

    I noted in the log that it saw the 2236_27.dll and it stated it would be removed on reboot!

    I then attempted a restart. System was hanging badly - I checked task manager and csrss.exe pegged the CPU at 99%. I tried to use Windows Explorer a little bit, and the system is damn near unresponsive. This is new behavior, csrss.exe is going nuts.

    Is my user profile corrupt? I hope not. I saw this KB article:
    http://support.microsoft.com/?kbid=555021&sd=RMVP

    Attached below is the Session Log from Spysweeper, followed by HJT Log #2.

    Note: I truncated the Spysweeper log because it posted the same "Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C" message about 10,000 times between 11:22 PM and 12:04 AM. I provided the actual log in a .zip file as an attachment to this reply.

    Please let me know where to go from here.

    Thanks again!

    Bartechie


    --HJT Log #1 Begin--

    Logfile of HijackThis v1.99.1
    Scan saved at 5:58:49 PM, on 7/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\System32\xwntserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    O1 - Hosts: 129.41.63.215 mail-02vs
    O1 - Hosts: 129.41.63.216 mail-03vs
    O1 - Hosts: 129.41.63.192 mail-04vs
    O1 - Hosts: 129.41.63.193 mail-05vs
    O1 - Hosts: 172.19.5.2 divexchserver
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {64a8c722-742c-48a6-b187-b99b9481245b} - C:\WINDOWS\system32\dxdf18.dll (file missing)
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\RunServices: [ÿ_zskBL[^VFKD[MI`] C:\WINDOWS\System32\_zskwrkni05K[G\`IM[DKFV^[LB.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: registration.excite.com
    O15 - Trusted Zone: www.excite.com
    O15 - Trusted Zone: *.excite.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.08.43-hp&http://h71016.www7.hp.com/html/interactive/h6300/model.html?jumpid=in_R329_3d/HND/h6300|ProdPage|viewpoint
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153155590709
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://secure.delucaliquor.com/suppliers/arview2.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
    O20 - Winlogon Notify: dxdf18 - dxdf18.dll (file missing)
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll
    O21 - SSODL: ShBJjK - {74EA7AC9-DE40-D063-0014-4AE2840B4036} - C:\WINDOWS\System32\cgb.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe


    --HJT Log #1 End--


    --Session Log Begin--

    12:28 AM: Removal process completed. Elapsed time 00:03:17
    12:28 AM: A reboot was required but declined.
    12:27 AM: Quarantining All Traces: go.com cookie
    12:27 AM: Quarantining All Traces: webhancer
    12:27 AM: Quarantining All Traces: apropos
    12:27 AM: Quarantining All Traces: trojan-downloader-conhook
    12:27 AM: C:\WINDOWS\system32\2236_27.dll is in use. It will be removed on reboot.
    12:27 AM: trojan-backdoor-msdcom32 is in use. It will be removed on reboot.
    12:27 AM: Quarantining All Traces: trojan-backdoor-msdcom32
    12:27 AM: Quarantining All Traces: trojan-backdoor-cyn
    12:25 AM: Removal process initiated
    12:22 AM: Traces Found: 15
    12:22 AM: Full Sweep has completed. Elapsed time 04:31:52
    12:22 AM: File Sweep Complete, Elapsed Time: 04:12:27
    12:04 AM: Warning: Access violation at address 00401D58 in module 'SpySweeper.exe'. Read of address 7E10000C
    12:04 AM: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
    11:22 PM: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
    11:22 PM: Warning: Access violation at address 0058BE6A in module 'SpySweeper.exe'. Read of address 0000038C
    11:21 PM: The Spy Communication shield has blocked access to: KROVALIDAJOP.COM
    11:21 PM: The Spy Communication shield has blocked access to: KROVALIDAJOP.COM
    10:55 PM: C:\WINDOWS\ntsautodial.ini (ID = 188794)
    10:55 PM: Found Adware: webhancer
    10:42 PM: Warning: Failed to open file "c:\documents and settings\shoulihan.laptop\cookies\[email protected][3].txt". The operation completed successfully
    10:04 PM: The Spy Communication shield has blocked access to: KROVALIDAJOP.COM
    10:04 PM: The Spy Communication shield has blocked access to: KROVALIDAJOP.COM
    9:49 PM: C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\AlertSWF\contents\Exec.exe (ID = 50118)
    9:49 PM: Found Adware: apropos
    9:09 PM: C:\WINDOWS\system32\vtsrpmm.dll (ID = 322812)
    8:47 PM: The Spy Communication shield has blocked access to: KROVALIDAJOP.COM
    8:47 PM: The Spy Communication shield has blocked access to: KROVALIDAJOP.COM
    8:10 PM: Starting File Sweep
    8:09 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    8:09 PM: c:\documents and settings\shoulihan.laptop\cookies\[email protected][2].txt (ID = 2728)
    8:09 PM: c:\documents and settings\shoulihan.laptop\cookies\[email protected][1].txt (ID = 2728)
    8:09 PM: Found Spy Cookie: go.com cookie
    8:09 PM: Starting Cookie Sweep
    8:09 PM: Registry Sweep Complete, Elapsed Time:00:02:35
    8:08 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {2c1cd3d7-86ac-4068-93bc-a02304bb2236} (ID = 1533943)
    8:08 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || dcom server 2236 (ID = 1531611)
    8:08 PM: HKLM\software\classes\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb2236}\ (ID = 1531609)
    8:08 PM: HKCR\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb2236}\ (ID = 1531605)
    8:08 PM: HKLM\software\microsoft\rasap2k\ (ID = 1511572)
    8:08 PM: HKLM\software\microsoft\dstr5\ (ID = 1511570)
    8:08 PM: Found Trojan Horse: trojan-downloader-conhook
    8:08 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\artm_newreg\ (ID = 1499383)
    8:07 PM: Starting Registry Sweep
    8:06 PM: Memory Sweep Complete, Elapsed Time: 00:15:09
    7:51 PM: Starting Memory Sweep
    7:51 PM: C:\WINDOWS\system32\2236_27.dll (ID = 1532296)
    7:51 PM: HKCR\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb2236}\inprocserver32\ (ID = 1532296)
    7:51 PM: Found Trojan Horse: trojan-backdoor-msdcom32
    7:51 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\artm_newreg\ || dllname (ID = 1532249)
    7:51 PM: Found Trojan Horse: trojan-backdoor-cyn
    7:50 PM: Sweep initiated using definitions version 720
    7:50 PM: Spy Sweeper 5.0.5.1286 started
    7:50 PM: | Start of Session, Monday, July 17, 2006 |
    ********
    7:50 PM: | End of Session, Monday, July 17, 2006 |
    7:49 PM: Your spyware definitions have been updated.
    7:18 PM: Traces Found: 4
    7:18 PM: Full Sweep has completed. Elapsed time 00:36:58
    7:18 PM: File Sweep Complete, Elapsed Time: 00:31:02
    7:16 PM: C:\WINDOWS\ntsautodial.ini (ID = 188794)
    7:16 PM: Found Adware: webhancer
    7:15 PM: Warning: Failed to open file "c:\documents and settings\shoulihan.laptop\cookies\[email protected][3].txt". The operation completed successfully
    7:00 PM: C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\AlertSWF\contents\Exec.exe (ID = 50118)
    7:00 PM: Found Adware: apropos
    6:47 PM: Starting File Sweep
    6:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
    6:47 PM: c:\documents and settings\shoulihan.laptop\cookies\[email protected][2].txt (ID = 2728)
    6:47 PM: c:\documents and settings\shoulihan.laptop\cookies\[email protected][1].txt (ID = 2728)
    6:47 PM: Found Spy Cookie: go.com cookie
    6:47 PM: Starting Cookie Sweep
    6:47 PM: Registry Sweep Complete, Elapsed Time:00:00:53
    6:46 PM: Starting Registry Sweep
    6:46 PM: Memory Sweep Complete, Elapsed Time: 00:04:15
    6:41 PM: Starting Memory Sweep
    6:41 PM: Sweep initiated using definitions version 691
    6:41 PM: Spy Sweeper 5.0.5.1286 started
    6:41 PM: | Start of Session, Monday, July 17, 2006 |
    ********
    6:41 PM: | End of Session, Monday, July 17, 2006 |
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    6:37 PM: Shield States
    6:37 PM: Spyware Definitions: 691
    6:36 PM: Spy Sweeper 5.0.5.1286 started
    6:36 PM: Spy Sweeper 5.0.5.1286 started
    6:36 PM: | Start of Session, Monday, July 17, 2006 |
    ********

    --Session Log End--



    --HJT Log #2 Begin--

    Logfile of HijackThis v1.99.1
    Scan saved at 12:48:24 AM, on 7/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\xwntserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPV5Updater.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    O1 - Hosts: 129.41.63.215 mail-02vs
    O1 - Hosts: 129.41.63.216 mail-03vs
    O1 - Hosts: 129.41.63.192 mail-04vs
    O1 - Hosts: 129.41.63.193 mail-05vs
    O1 - Hosts: 172.19.5.2 divexchserver
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {64a8c722-742c-48a6-b187-b99b9481245b} - C:\WINDOWS\system32\dxdf18.dll (file missing)
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [HP Display Settings] "C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" /s
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
    O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
    O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\RunServices: [ÿ_zskBL[^VFKD[MI`] C:\WINDOWS\System32\_zskwrkni05K[G\`IM[DKFV^[LB.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: registration.excite.com
    O15 - Trusted Zone: www.excite.com
    O15 - Trusted Zone: *.excite.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.08.43-hp&http://h71016.www7.hp.com/html/interactive/h6300/model.html?jumpid=in_R329_3d/HND/h6300|ProdPage|viewpoint
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153155590709
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://secure.delucaliquor.com/suppliers/arview2.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll
    O20 - Winlogon Notify: dxdf18 - dxdf18.dll (file missing)
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: ShBJjK - {74EA7AC9-DE40-D063-0014-4AE2840B4036} - C:\WINDOWS\System32\cgb.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe

    --HJT Log #2 End--
     

    Attached Files:

  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Add remove programs – remove all occurrences of Viewpoint

    Fix these with HJT – mark them, close IE, click fix checked

    O2 - BHO: (no name) - {64a8c722-742c-48a6-b187-b99b9481245b} - C:\WINDOWS\system32\dxdf18.dll (file missing)

    O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"

    O4 - HKLM\..\RunServices: [ÿ_zskBL[^VFKD[MI`] C:\WINDOWS\System32\_zskwrkni05K[G\`IM[DKFV^[LB.exe

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.08.43-hp&http://h71016.www7.hp.com/html/interactive/h6300/model.html?jumpid=in_R329_3d/HND/h6300|ProdPage|viewpoint

    O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll

    O20 - Winlogon Notify: dxdf18 - dxdf18.dll (file missing)

    O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll


    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\scrovfpo.dll
    C:\Program Files\Viewpoint

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  5. bartechie

    bartechie Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    12
    SC,

    Thanks again for the reply. Well, I'll start at the beginning.



    Viewpoint removal: There were two items - Viewpoint Manager (Remove Only) and Viewpoint Media Player. I removed them in that order. Seemed to work.

    csrss.exe is still freakin out at 99% CPU. Pushing on.


    HJT: Did a scan only. Checked all the baddies. "O4 - HKLM\..\Run: [ViewMgr] ..." wasn't there - the removal may have got it. Tried to Fix Checked on 6 items.

    HJT threw an error! "An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=020 - AppInt_DLLs: sysiusrc.dll hhsedpvo.dll)
    Error #5 - Invalid procedure call or argument.

    I selected OK. HJT said it was about to remove a BHO, I said OK, go with God. Then it appeared to do its thing. I scanned again to verify, and it appeared all the selected items were removed.

    csrss.exe is still freakin out at 99% CPU. Pushing on.


    Killbox: Rebooted for Safe Mode and noted in the process that I get a "End Program - Spy Sweeper" window that the app is not responding. Had to End Task. Starting to get a little freaked out by Spy Sweeper again - wondering if it has anything to do with my csrss.exe problem? Incompatibilities with CA eTrust AntiVirus and/or Pest Patrol? Also heard a system error beep during shutdown.

    Brought up Safe Mode, extracted killbox, ran it. Tried to delete the first item "c:\windows\system32\scrovfpo.dll". Killbox reported "This file could not be deleted"!

    Boy, I was tempted to check the other killbox delete options to try to get rid of scrovfpo.dll, but I stuck with the standard kill option that failed, and I'll wait for your further instructions.

    The "C:\Program Files\Viewpoint" was no longer present - may have been deleted by earlier removal.


    Temp File Removal: After closing killbox, my desktop was gone. No icons. Looks like explorer got shutdown when trying to kill scrovfpo.dll and didn't reload. I had to get to Run by using Ctrl-Alt-Del and launching Task Manager.

    Interestingly, when I entered the %TEMP% command, an error message posted and desktop reloaded. Now, %TEMP% threw an error stating the directory could not be located. I noted you actually said %temp%, so I went there, and sure as shinola, my profile's temp directory opened. I deleted all contents. Also went to C:\windows\temp and deleted all contents. Recycle bin was already empty, but I checked to make sure.


    Reboot to Normal Mode: Rebooted to Normal Mode for HJT Log. System booted up OK. Launched HJT and took a log. It's attached below. Please let me know how to proceed.


    Note: I am concerned we need to take further action to get rid of scrovfpo.dll. And though I haven't seen it since I rebooted, I'm just waiting for csrss.exe to go nuts again.


    Thanks again!

    Bartechie


    --HJT Log #3 Start--

    Logfile of HijackThis v1.99.1
    Scan saved at 9:29:37 AM, on 7/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\xwntserv.exe
    C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    O1 - Hosts: 129.41.63.215 mail-02vs
    O1 - Hosts: 129.41.63.216 mail-03vs
    O1 - Hosts: 129.41.63.192 mail-04vs
    O1 - Hosts: 129.41.63.193 mail-05vs
    O1 - Hosts: 172.19.5.2 divexchserver
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [HP Display Settings] "C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" /s
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
    O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: registration.excite.com
    O15 - Trusted Zone: www.excite.com
    O15 - Trusted Zone: *.excite.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153155590709
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://secure.delucaliquor.com/suppliers/arview2.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: ShBJjK - {74EA7AC9-DE40-D063-0014-4AE2840B4036} - C:\WINDOWS\System32\cgb.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe

    --HJT Log #3 End--
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    http://www.atribune.org/ccount/click.php?id=7 to download Look2Me-Destroyer.exe and save it to your desktop.
    · Close all windows before continuing.
    · Double-click Look2Me-Destroyer.exe to run it.
    · click the Scan for L2M button, your desktop icons will disappear, this is normal.
    · Once it's done scanning, click the Remove L2M button.
    · You will receive a Done Scanning message, click OK.
    · When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    · Your computer will then shutdown.
    · Turn your computer back on.
    · Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
    =================================
    Fix these with HJT – mark them, close IE, click fix checked

    O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll

    O21 - SSODL: ShBJjK - {74EA7AC9-DE40-D063-0014-4AE2840B4036} - C:\WINDOWS\System32\cgb.dll (file missing)



    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\scrovfpo.dll

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  7. bartechie

    bartechie Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    12
    Hey SC,

    OK, here goes:


    Look2Me-Destroyer.exe: I was able to copy Look2Me-Destroyer.exe the file to desktop, but then my system was too crippled to respond. csrss.exe going crazy with its bad self again. Forced to hard shut down.

    Powered up and went to normal mode. After desktop fully loaded, I ran Look2Me-Destroyer.exe. Well, the interface is a little goofy. Had to check the box "Run this program as a task" to enable the Scan for L2M button. After it closed itself and reopened, I was able to proceed to Scan for L2M.

    As you said, desktop icons vanished and the L2M-D application proceeded to scan. At the end, it posted a dialog stating Done Scanning. I clicked OK. There were no items shown in the dialog.

    I proceeded to select Remove L2M anyway. The system thought about that, then Spy Sweeper opened advising me that Look2Me was attempting to modify my Hosts file. I chose to allow. SpySweeper again alerted me to the same thing. I chose to allow again.

    Look2Me returned a message stating it was Done removing infected files, and it will now shutdown my computer. After OK, computer shutdown. I powered back up. My desktop reloaded.

    I didn't quite understand when you said "If Look2Me-Destroyer does not reopen automatically, reboot and try again." Everything seemed to work as expected, so I pressed on.

    I am including the Look2Me-Destroyer.txt and HJT log #4 below.


    HJT Removal: After saving HJT log #4, I selected the HJT item to Fix Checked as you indicated. I quit HJT and restarted for Safe Mode.


    Killbox.exe: On restart I booted to Safe Mode. I executed Killbox and proceded with the input and selection you indicated. It seemed to work - no errors. It advised me that the file would be deleted on reboot - do I want to reboot now? Well, your instructions seemed to indicate I should proceed with Temp removal while still in Safe Mode, so I chose No and proceed to next step.


    Temp removal: While still in Safe Mode, I deleted temp files you indicated. Most of the temp files were .jar files which I believe are being created by my pig HP printer software to manage my laserjet. That sucker seems to take 5 minutes at least to load on every reboot. I wish they didn't build that in Java and had a native Windows printer software install. Anyway, they seemed to be deleted. I proceeded to reboot for normal mode.


    Final HJT log: After booting to Normal Mode, I launched HJT, scanned and generated HJT log #5. It's included below.


    On the good side, I checked for scrovfpo.dll in C:\Windows\System32 after rebooting to Normal Mode and it is no longer there!


    On the bad side, I let the system sit for a bit, and now csrss.exe is using 99% CPU again! How to solve this one?


    Please let me know how to proceed from here.


    Thanks!

    Bartechie





    --HJT Log #4 Start--

    Logfile of HijackThis v1.99.1
    Scan saved at 12:02:01 PM, on 7/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
    C:\WINDOWS\System32\xwntserv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [HP Display Settings] "C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" /s
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
    O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: registration.excite.com
    O15 - Trusted Zone: www.excite.com
    O15 - Trusted Zone: *.excite.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153155590709
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://secure.delucaliquor.com/suppliers/arview2.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: ShBJjK - {74EA7AC9-DE40-D063-0014-4AE2840B4036} - C:\WINDOWS\System32\cgb.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe

    --HJT Log #4 End--



    --Look2Me-Destroyer.txt Start--

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 7/18/2006 11:26:39 AM


    Attempting to delete infected files...

    Making registry repairs.


    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

    --Look2Me-Destroyer.txt End--



    --HJT Log #5 Start--

    Logfile of HijackThis v1.99.1
    Scan saved at 12:18:42 PM, on 7/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\System32\xwntserv.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [HP Display Settings] "C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" /s
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
    O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: registration.excite.com
    O15 - Trusted Zone: www.excite.com
    O15 - Trusted Zone: *.excite.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153155590709
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://secure.delucaliquor.com/suppliers/arview2.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe

    --HJT Log #5 End--
     
  8. bartechie

    bartechie Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    12
    Another possible explanation - this one, a potential hotfix regarding the csrss.exe 100% CPU problem, was posted on June 1, 2006 by Microsoft. This regards system behavior after installing Windows XP SP 2 (which I completed yesterday morning):

    http://support.microsoft.com/kb/890582/en-us

    Is this worth pursuing? Let me know your thoughts.

    Thanks!

    bartechie
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Hold off on that MS fix until we get the log clean

    You may want to print this or save it to notepad as we will go to safe mode.

    Fix these with HJT – mark them, close IE, click fix checked

    O20 - AppInit_DLLs: sysiusrc.dll hhsedpvo.dll

    O20 - Winlogon Notify: scrovfpo - C:\WINDOWS\System32\scrovfpo.dll (file missing)

    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\sysiusrc.dll
    C:\WINDOWS\System32\hhsedpvo.dll

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  10. bartechie

    bartechie Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    12
    I contacted Microshaft and got the hotfix. Geez, this should be in Windows Update, if this is indeed the problem. Anyway, I called them and gave the article number I found and they rubber-stamped an email to me with the hotfix attached and a password to unlock it. I'll wait a few more minutes to see if you reply. If I don't here from you, I'm moving forward with the hotfix to see if it remedies my problem.

    I'm not trying to be snotty; I do appreciate your quick replies. But, I gotta push forward here and get this system up and running.

    Any thoughts before I proceed?

    Best,

    Bartechie
     
  11. bartechie

    bartechie Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    12
    Ha! You responded before I hit submit. I will hold off and do as you instructed first.

    You are on your game!

    Thanks,

    Bartechie
     
  12. bartechie

    bartechie Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    12
    OK, well here goes again:

    HJT: I tried to get a hold of my system, and it was almost locked again. csrss.exe has it by the dear ones. System almost completely non-responsive. Then, by the grace, I got desktop back. Proceeded to launch HJT.

    I did a scan only, because you didn't ask for log. System is deathly slow. Tried to remove the items. Got an HJT error, very similar to the one I reported before:

    HJT threw an error! "An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=020 - AppInt_DLLs: sysiusrc.dll hhsedpvo.dll)
    Error #5 - Invalid procedure call or argument.

    I hit OK to continue. It seemed to proceed. I scanned again just to check, and the two items appeared to be removed from list. I quit HJT and went to restart windows.

    Spy Sweeper hung again on shutdown - had to End Now. Then shutdown proceeded. I did hear a mysterious system beep during shutdown, as I reported before.


    Killbox: I booted into Safe Mode. I ran my Killbox (seemed to be the same URL you gave me before, so I didn't download it again). I picked the Delete on Reboot option and selected to kill the two files. I didn't choose to reboot as I thought you wanted me to proceed with next in Safe Mode before restart.


    Temp Files: Navigated to the directories you indicated and deleted all files. Noticed that all the .jar files I mentioned in my last post weren't there - don't know why. Thought that the HP printer software was creating those. Maybe not until it's launched. Hmm. I chose to restart to go back to Normal Mode.


    HJT Log: Started up in Normal Mode and waited for desktop to load. Proceeded to run HJT, scan, and generate a log. HJT log # 6 is attached below.


    Well, I let the system sit again for a few minutes to see about our old friend/nemesis csrss.exe. Low and behold, it started back up and is using 100% CPU again.


    It seems we got rid of a few more known nasties (I hope) but that I still have this csrss.exe issue. How to go from here? Is it time for the hotfix?


    Thanks again!

    Bartechie


    --HJT Log #6 Start--

    Logfile of HijackThis v1.99.1
    Scan saved at 2:02:06 PM, on 7/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\xwntserv.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [HP Display Settings] "C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" /s
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
    O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: registration.excite.com
    O15 - Trusted Zone: www.excite.com
    O15 - Trusted Zone: *.excite.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153155590709
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://secure.delucaliquor.com/suppliers/arview2.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe

    --HJT Log #6 End--
     
  13. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    I Kept overlooking this!!!!!!!!!!!!

    Fix these with HJT – mark them, close IE, click fix checked

    O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe
    ===================
    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find this exact name

    XWP_Services

    Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.


    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\xwntserv.exe

    Boot and post a new log from normal NOT safe mode
     
  14. bartechie

    bartechie Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    12
    Okay... here goes again:


    HJT: Still in Normal Mode. Launched, scanned, checked, Fixed checked. Seemed to work.


    Services: Stopped XWP_Services. Set it to disabled. Rebooted.


    Killbox: Started in Safe Mode. Launched Killbox. Selected Standard Kill. Entered path as described and chose Kill. Confirmed. Received message that file was killed. Rebooted.


    HJT: Started in Normal mode. Ran HJT. Generated HJT log #7 (attached).


    Left system to its own devices for a few minutes to check on our little friend csrss.exe. Sure enough, it started claiming 99% CPU once again.


    How to proceed, oh wise one? Is it time to give it the hotfix goose?

    Hehe,

    Bartechie


    --HJT Log #7 Start--

    Logfile of HijackThis v1.99.1
    Scan saved at 2:57:19 PM, on 7/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [HP Display Settings] "C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" /s
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
    O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: registration.excite.com
    O15 - Trusted Zone: www.excite.com
    O15 - Trusted Zone: *.excite.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153155590709
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - https://secure.delucaliquor.com/suppliers/arview2.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --HJT Log #7 End--
     
  15. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Go for the hot fix

    I assume that the eTrust is current and has the latest defs????
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/484085

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice