I have tried to get this off of my computer and cant. I have tried everything I can think of besides messing with the registry to get it off.

Any help to get this off my computer would be nice. It has totally taken over and makes anything to deal with using it very annoying of the simplest tasks.

Ok.

First, go here and do a scan - it will clean 80% of the spyware and crap up, but not all of it - please make a note of what trojans/viruses/worms/spyware it finds that are NOT a "cookie":

http://housecall.trendmicro.com

Do a full scan for viruses and spyware, cleanup whatever it finds, then reboot your computer.

Next, download this software (right-click the link and "save as"):

http://216.180.233.162/~merijn/files/HijackThis.exe

Save it to somewhere safe on your computer like your desktop or the Program Files folder. Run the software. Choose "Scan and Save Logfile". Copy the entire logfile contents and paste it in here, The contents of the logfile will tell me:

A) Whether you did the scan I told you to
B) What version of Windows you're running and how up-to-date it is
C) What is infecting your computer still
D) Other ways I can help you speed up your computer

I'm about to go to sleep, but will get a response to you by tomorrow afternoon if you can finish the cleanup and scan a logfile for my by morning.

First question, what is the OS?

XP Home edition

I couldnt get housecall to work it just shut down IE when it tried to install. I did get ewido to work but I dont think it got it all out and the file keeps installing itself so the program goes round an round with that. Im going to try safemode and do a scan that way and see if it works. Did get the log file tho.

Logfile of HijackThis v1.99.1
Scan saved at 6:34:14 AM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\AMERIC~2.0\waol.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
c:\program files\common files\aol\1120454141\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\AMERIC~2.0\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpC232.tmp
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [CMLoader] rundll32.exe "c:\program files\crystalys media\cm.dll",MakeInjection
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~2.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120450419859
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Ok, your system has definitely been hijacked. The hijacker is loading on boot and preventing you from doing simple stuff like scanning online for viruses.

Print this out (or copy and paste it into notepad/Wordpad/whatever)

Close all open programs, including Internet Explorer.
Open Hijackthis.
Choose "Scan only".
After the scan completes, put a checkmark next to each of these lines:


O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpC232.tmp

O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll

O4 - HKLM\..\Run: [CMLoader] rundll32.exe "c:\program files\crystalys media\cm.dll",MakeInjection

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

Verify you got every single line above with a checkmark next to it, then click the FIX button in Hijackthis.

Reboot. Open Hijackthis again, choose "Scan and save logfile" again and post the latest logfile for me. It's possible this guy is going to mutate, so I want to see if it installs anything else on its way out.

I have still have this CM sponsored link that highlights different words in text.

I have a few desktop short cut icons left.
A) is Online Security Guide linked to http://securitylist.net/.
B) is Security Troubleshooting linked to http://testsecurityonline.com/
C) is SpywareStrike targeted to "C:\Program Files\SpywareStrike\SpywareStrike.exe" and start in "C:\Program Files\SpywareStrike"

I got that by right clicking and going to properties. Ewido is still alerting and finding things I have it clean them and they goto quarantine then deleted.

Logfile of HijackThis v1.99.1
Scan saved at 11:27:58 AM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
c:\program files\common files\aol\1120454141\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: CMBHO Class - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\Crystalys media\cm.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27575082-3D81-243F-F6C6-0E8E08E15F76} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {295E50B6-8B5A-0C24-381B-36472E03840E} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {49FF5E16-9BA7-5D99-F290-4BED41EE2367} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120450419859
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {700D7CDC-BD00-7DA4-A82D-1EE247B31496} - http://85.255.113.214/1/gdnUS2296.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

You are infected with Spyaxe/SpywareStrike. This program uses a recent hole that I posted about in the General Discussion forum where your computer can be exploited just by looking at a picture online or sent in an email while surfing the web or opening attachments. A recent patch was released to Windows Update which fixed this.

Run Hijackthis again. Make sure that every single program is closed on your computer, *especially* Internet Explorer (including this window!). Put a checkmark next to this line and fix it:

O2 - BHO: CMBHO Class - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\Crystalys media\cm.dll


Reboot in safe mode.

Delete these folders and/or files from your computer while in safe mode:


C:\Windows\Downloaded Program Files\gdnUS2296.exe (file)
C:\Windows\Downloaded Program Files\CONFLICT.1 (folder)
C:\Windows\System32\ld6716.tmp (file)
C:\Documents and Settings\user\Local Settings\Temp\ (everything inside this folder - BUT leave the folder there!)

Scan with Ewido in safe mode and "remove" everything it finds.

Reboot into normal mode. Remove any icons on your desktop that do not below. If there is a C:\Program Files\SpySherrif folder, delete it.

Once you're done, please click on that Housecall link again and try to scan. It should work.

Next, run this tool from Microsoft to make sure you don't have anything reaaaaally really nasty:

http://www.microsoft.com/security/malwareremove/default.mspx#run

Post another Hijackthis logfile for me. Let me know if Ewido still finds stuff after you reboot.

I used HJT to remove the BHO. I restarted in safemode. I couldn't find C:\Windows\Downloaded Program Files\gdnUS2296.exe (file) C:\Windows\Downloaded Program Files\CONFLICT.1 (folder). But I did find something that had numbers and no install date there was about four of them so I was looking at them and it was the gdnUS2296.exe deleted those. Got rid of the tmp file and cleaned out the temp folder. Would it help to have my cable modem off during these cleaning attempts to stop Internet access?

Ran Ewido and did a clean up. Restarted then did the Housecall site, it worked this time a little better but it didn't finish I guess. I was almost finished then I left the computer and came back and IE wasn't there it closed itself or shut down. Now I have a Security Toolbar in IE that wasn't there before. I'm going to try House call again. It takes an hour sometimes longer just to do a scan with any of the scans I do. Besides HJT being the exception. I did get to the mircosoft scanner and it reported that nothing was found. I'm still getting alerts from Ewido that gdUS2296.exe keeps installing or getting found.

Here is the most recent log but Im still working on getting this mess worked out. Its like a spinning log caught in the under tow of a dam.

Logfile of HijackThis v1.99.1
Scan saved at 9:21:53 PM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
c:\program files\common files\aol\1120454141\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\Program Files\ewido anti-malware\securitysuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AMERIC~2.0\waol.exe
C:\PROGRA~1\AMERIC~2.0\shellmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: (no name) - {6379A99A-9102-446C-A837-0623E1810D75} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CMLoader] rundll32.exe "c:\program files\crystalys media\cm.dll",MakeInjection
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~2.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05ED1586-F021-4A58-B9FB-2F237AE76A26} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1AFBF6E1-11AF-410E-33AE-32341D36C4B7} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120450419859
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Yes. Unplug the computer. That damned CM Loader crap is on there again. Let me try to find a removal tool somewhere...

I see this is gonna be fun to get rid of. It's a new version of that file. Stick with me, we'll get it eventually. This thing is stubborn!

For now, let's do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.

Please open notepad, copy the bolded text below, just as it appears, then paste it into the blank notepad.

dir %windir%\system32 /a:-d /o:-d >files.txt
cls
exit

Close it, and save it to the drive somewhere you will remember (like the desktop) as:

Filename: files.bat
Save As Type: All Files

Now, double click the file to run it. It will create files.txt, also in C:
Please copy the information in that log for all files dated in the past 30 days here. They will be at the top of the list.

Look in the folder/place where this *.bat file was saved and look for a new file called files.txt. Please paste the contents of the file here.

Finally....

Open C:\Windows\Prefetch\ folder and Delete ALL files in this folder.
Close all windows and browsers (including this one)
Open HijackThis
Click on "Open Misc Tools"
Click on "Delete a File On Reboot"
Click once on either of the files below to select them if they exist:

C:\Program Files\Crystalys media\cm.dll
C:\Program Files\Security Toolbar\Security Toolbar.dll
C:\WINDOWS\System32\netwrap.dll

I finally got House call to work it deleted some things I dunno what tho. I ran Then restarted and ran House call again. Ewido again and get 3 things still coming up. For the most part now all I see of the virus is just when Ewido alerts me of its files or it reinstalling itself.

A)C:\Windows\Downloaded Program Files\gdnUS2296.exe
B)C:\Documents and Settings\user\Cookies\user@a2o7[1].txt
C)C:\Windows\System32\_delete_on_reboot_Id16A.tmp
There was another one but it couldnt fix it so only was in the quarantine for a little bit then I guess refreshed. So I seen it but I dunno what it was.

I deleted all the cookies and Internet files in IE with Internet options. Then did a new HJT log. I still have to do what you posted last but I'm working on it.

Logfile of HijackThis v1.99.1
Scan saved at 1:19:19 AM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\AMERIC~2.0\waol.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
c:\program files\common files\aol\1120454141\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AMERIC~2.0\shellmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ewido anti-malware\securitysuite.exe
C:\WINDOWS\system32\1024\ld4C84.tmp
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~2.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EDADBF2-E29F-431F-EAF6-26DA520D5FC6} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {4D07535A-0C83-6F48-19DF-6F3619C20BB7} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120450419859
O16 - DPF: {653D5EA3-B627-2852-0D6B-605B46A81D82} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7AE56CC4-3EF4-4893-1A28-604C480C79A5} - http://85.255.113.214/1/gdnUS2296.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Until you do what I've posted above, please don't post another log. You're going to keep seeing the same thing. We need to nuke the cm.dll and any associated DLL's - every time you reboot, the thing reinstalls itself on shutdown. IT won't do any good to run anymore scans, it's just going to keep reinstalling. The tips I've given in my last post will help up pinpoint the problem and break the cycle.

I will get the latest plan of attack under way soon. You have been very helpful and I thank you.

I did see C:\Program Files\Crystalys media\cm.dll (deleted for now)
C:\Program Files\Security Toolbar\Security Toolbar.dll (deleted for now)
C:\WINDOWS\System32\netwrap.dll (only thing I seen close was netrap.dll)

Volume in drive C has no label.
Volume Serial Number is 24BA-00FB

Directory of C:\WINDOWS\system32

01/26/2006 02:51 AM 21,001 __delete_on_reboot__ldB9BA.tmp
01/26/2006 02:50 AM 11,750 kspydoc.log
01/26/2006 02:50 AM 0 Sweeper.cfg
01/26/2006 02:19 AM 5,140 ncompat.tlb
01/25/2006 08:01 AM 1,158 wpa.dbl
01/25/2006 06:33 AM 5,120 msvol.tlb
01/24/2006 01:46 PM 4,286 ot.ico
01/24/2006 01:46 PM 4,286 ts.ico
01/23/2006 11:41 PM 13,877 mscornet.exe
01/04/2006 10:41 PM 2,827,616 MRT.exe
12/28/2005 09:54 PM 280,064 gdi32.dll
12/20/2005 05:26 PM 6,617 jupdate-1.5.0_06-b05.log
11/30/2005 10:59 PM 1,492,480 shdocvw.dll
11/23/2005 08:06 PM 3,015,680 mshtml.dll
11/23/2005 08:06 PM 1,022,464 browseui.dll
11/11/2005 05:54 AM 380,680 perfh009.dat
11/11/2005 05:54 AM 52,968 perfc009.dat
11/11/2005 05:54 AM 439,376 PerfStringBackup.INI

When I restarted I got an alert of C:\Windows\System32\ldB9BA.tmp then the gdnUS2296.exe in C:\Windows\Downloaded Program Files

Hope I did everything right

Ok, we have more serious problems than I thought. If you open the kspydoc.log file, I think you will notice that this little spyware bugger is logging all of your keystrokes (everything you type). Passwords - login info - banking info - emails - you name it.

You are currently infected with a trojan called ZLOB. mscornet.exe is a process which is registered as the Troj/Zlob-AO Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Someone has likely been on your computer and you have most likely been "hacked".

We can do this! We can get rid of it. Just hang in there...and understand that if you don't understand a real antivirus program after all this is over with, I'll shoot you! ;)

These files are bad and they are the ones we need to get rid of - we will use Hijackthis to do so...

Close all windows and browsers (including this one)
Open HijackThis
Click on "Open Misc Tools"
Click on "Delete a File On Reboot"
Click once on each of the files below to select for deletion at next reboot:

C:\WINDOWS\system32\Sweeper.cfg
C:\WINDOWS\system32\kspydoc.log
C:\WINDOWS\system32\ncompat.tlb
C:\WINDOWS\system32\msvol.tlb
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ts.ico
C:\WINDOWS\system32\mscornet.exe
C:\WINDOWS\system32\jupdate-1.5.0_06-b05.log

C:\Windows\System32\ldB9BA.tmp
C:\Windows\Downloaded Program Files\gdnUS2296.exe

C:\Program Files\Crystalys media\cm.dll (if it exists)
C:\Program Files\Security Toolbar\Security Toolbar.dll (if it exists)


Now, reboot your computer. After the reboot, do two things for me:

1) Delete that "files.txt" file from earlier. Now, run that "files.bat" file we made to create a new files.txt then give me the contents of it.

2) Give me another Hijackthis logfile.

I know it might seem like we're not getting anywhere, but I assure you we're getting closer. Hang in there, we'll get this done. You just gotta stick around :)

Volume in drive C has no label.
Volume Serial Number is 24BA-00FB

Directory of C:\WINDOWS\system32

01/26/2006 04:59 AM 890 kspydoc.log
01/26/2006 04:58 AM 0 Sweeper.cfg
01/25/2006 08:01 AM 1,158 wpa.dbl
01/04/2006 10:41 PM 2,827,616 MRT.exe
12/28/2005 09:54 PM 280,064 gdi32.dll
11/30/2005 10:59 PM 1,492,480 shdocvw.dll
11/23/2005 08:06 PM 3,015,680 mshtml.dll
11/23/2005 08:06 PM 1,022,464 browseui.dll
11/11/2005 05:54 AM 380,680 perfh009.dat
11/11/2005 05:54 AM 52,968 perfc009.dat
11/11/2005 05:54 AM 439,376 PerfStringBackup.INI
11/11/2005 03:05 AM 127,704 FNTCACHE.DAT
11/10/2005 01:03 PM 127,078 javaws.exe
11/10/2005 01:03 PM 49,265 jpicpl32.cpl
11/10/2005 11:27 AM 49,250 javaw.exe
11/10/2005 11:27 AM 49,248 java.exe
11/04/2005 10:16 PM 609,280 urlmon.dll
11/04/2005 10:16 PM 1,054,208 danim.dll
11/04/2005 04:27 PM 534,280 LegitCheckControl.DLL

Logfile of HijackThis v1.99.1
Scan saved at 2:36:50 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~2.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EDADBF2-E29F-431F-EAF6-26DA520D5FC6} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3C9F7634-7AB6-3614-A696-363463D285CA} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {49907D9E-15CB-2E0F-788F-50587124BE6D} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {4D07535A-0C83-6F48-19DF-6F3619C20BB7} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120450419859
O16 - DPF: {653D5EA3-B627-2852-0D6B-605B46A81D82} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {68F5ADB2-6064-1E9D-C904-3B00501481C7} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7AE56CC4-3EF4-4893-1A28-604C480C79A5} - http://85.255.113.214/1/gdnUS2296.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Ok, well you got rid of the spyware part of it but it's a downloader, so it will keep grabbing stuff and installing it on your system, so we need to kill the trojan part of it. I still notice a couple of things in there which are bad and suggest you've got the Zlob trojan on your system...I am going to give you a removal tool, we need big guns to cut the head off the snake :)

Download smitRem.exe (link: http://noahdfear.geekstogo.com/click%20counter/click.php?id=1 ), saving the file to your desktop. Double click it to extract the contents to a folder of it’s own. Restart your computer in safe mode, logon to the user account that is infected, open the smitRem folder and double click the RunThis.bat file to start the tool.

Follow the prompts on screen and allow disk cleanup to complete. Note: XP users using the XP theme may ex-perience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

If any part of using that tool is confusing, here is a picture-by-picture explanation:

http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=48&blogId=3

Please follow those instructions at that webpage exactly.


Once you're done with that, open HijackThis. "Fix" any of these lines that exist and reboot. Give me another logfile when you get back up and going:

O16 - DPF: {0EDADBF2-E29F-431F-EAF6-26DA520D5FC6} - http://85.255.113.214/1/gdnUS2296.exe

O16 - DPF: {3C9F7634-7AB6-3614-A696-363463D285CA} - http://85.255.113.214/1/gdnUS2296.exe

O16 - DPF: {49907D9E-15CB-2E0F-788F-50587124BE6D} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {4D07535A-0C83-6F48-19DF-6F3619C20BB7} - http://85.255.113.214/1/gdnUS2296.exe

O16 - DPF: {653D5EA3-B627-2852-0D6B-605B46A81D82} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {68F5ADB2-6064-1E9D-C904-3B00501481C7} - http://85.255.113.214/1/gdnUS2296.exe

O16 - DPF: {7AE56CC4-3EF4-4893-1A28-604C480C79A5} - http://85.255.113.214/1/gdnUS2296.exe

Logfile of HijackThis v1.99.1
Scan saved at 8:46:44 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\PROGRA~1\AMERIC~2.0\waol.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
c:\program files\common files\aol\1120454141\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AMERIC~2.0\shellmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~2.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120450419859
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Think I got it. What kind of software do you recommend to start using? I think Ewido is okay? Something knocked out my printer but I got the drivers for that if need be. Im still wondering if its hiding or if its gone.

Ok, it looks like it's gone. Wasn't THAT a pain in the ass?! :D

Three last steps for you - we ain't done yet! Please follow these in strict order.

1) Turn off and turn back on System Restore - Windows keeps a copy of these bad files thinking that they are "system" files...so by turning it off and back on, you will permanently purge the backup copies of these files it's keeping. Instructions on how to turn it off/on: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

2) Run Ewido security scanner. Make sure it doesn't find anything.

3) Please delete the files.txt file, re-run files.bat and post the contents here so I can make sure all the bad files are gone completely - you can post the contents after running all these steps.

If everything is clean, you will need to change all of your passwords on your computer and ... well, just be aware that someone was catching all of the things you typed on your keyboard, so there's no telling what they know about you by now. Not only that, but they are able to log into your computer right now and use it probably ... that's not good! Changing your passwords should help keep them at bay.

As for software, you need better antivirus. AVG is free and worth having. If you are OK with paying for a solution that is the best on the market, Google for "NOD32", it is pretty much the creme of the crop antivirus solution. Otherwise, the free version of AVG is available here: http://free.grisoft.com/softw/70free/setup/avg71free_375a691.exe

I like Ewido a lot ... I also really like SpySweeper a lot. Both are great programs .. but there is no one-stop shop for virus and spyware protection - you really need at least 2-3 programs running on your machine these days to keep you safe. This, combined with always installing your Windows Updates and antivirus updates daily or every couple of days at least, should keep you from getting more crap like this.

The thing you were just infected with was something I'd posted warning people about in the public forum. A lot of people blew it off :D This is very common behavior these days and it's partially why I have a job - people think they're invincible, then they pay me out the ass when someone steals their passwords, banking info, identity...their computer...you name it. Just be smart about where you surf, what you download, never click on strange popups, free software(smileys, weather stuff, filesharing software, you name it) is BAD and also installs crap like this.

If you ever have probelms again, lemme know, I'm happy to help anytime. Meanwhile, get #1-3 doen up there please and we'll move along and close this one out.

More good news. Wash rinse repeat?

Volume in drive C has no label.
Volume Serial Number is 24BA-00FB

Directory of C:\WINDOWS\system32

01/26/2006 09:30 PM 6,416 kspydoc.log
01/26/2006 09:30 PM 0 Sweeper.cfg
01/25/2006 08:01 AM 1,158 wpa.dbl
01/04/2006 10:41 PM 2,827,616 MRT.exe
12/28/2005 09:54 PM 280,064 gdi32.dll
11/30/2005 10:59 PM 1,492,480 shdocvw.dll
11/23/2005 08:06 PM 3,015,680 mshtml.dll
11/23/2005 08:06 PM 1,022,464 browseui.dll
11/11/2005 05:54 AM 380,680 perfh009.dat
11/11/2005 05:54 AM 52,968 perfc009.dat
11/11/2005 05:54 AM 439,376 PerfStringBackup.INI
11/11/2005 03:05 AM 127,704 FNTCACHE.DAT
11/10/2005 01:03 PM 127,078 javaws.exe
11/10/2005 01:03 PM 49,265 jpicpl32.cpl
11/10/2005 11:27 AM 49,250 javaw.exe
11/10/2005 11:27 AM 49,248 java.exe
11/04/2005 10:16 PM 609,280 urlmon.dll
11/04/2005 10:16 PM 1,054,208 danim.dll

Well, hijackthis log is showing nothing, but I see ti has left behind at least one or two harmless files. You can manually go into the system32 folder and delete these files and I suggest doing so ... if it won't let you delete them, they might still be in use and will need to be killed:

kspydoc.log (this is where the spyware was saving your keystrokes)
Sweeper.cfg (I don't know what this is..but was created @ same time as keystroke log)

After you delete them, please reboot your machine and make a note of whether either one comes back

The reason I am concerned is because both were created at 9:30pm, same time, which was probably at your last reboot ... which means they started at boot, which means something could still be hiding on your computer.

Im soooo tired of this thing... I couldnt get rid of the kspydoc.log or sweeper.cfg.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:59:55 PM, 1/26/2006
+ Report-Checksum: 4C881823

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoChangingWallPaper -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoAddingComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoDeletingComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoEditingComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoCloseDragDropBands -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoMovingBands -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoHTMLWallPaper -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoThemesTab -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispAppearancePage -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoColorChoice -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoSizeChoice -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispBackgroundPage -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispScrSavPage -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispCPL -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoVisualStyleChoice -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-1526122608-3774869411-1003015681-1005\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispSettingsPage -> Trojan.Small : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:08:06 AM, on 1/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
c:\program files\common files\aol\1120454141\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1120454141\EE\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120454141\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120450419859
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

I really want to help you further, I know for a fact that you have a trojan on your machine and something is logging your keystrokes. This is typically the time when I would tell someone to do one of two things:

1) Use the system restore feature in Windows XP to roll back to a date prior to receiving the infection (if possible).

2) Format and reinstall.

I could probably lick your problem if I was in front of your machine, but it's too complicated to instruct you on how to fix it over the internet.

You have something on your machine that is as of yet not fully documented and it is a "downloader" which means every time it runs, it downloads more bad stuff from the internet and installs it on your machine.

Your case is a classic example of why it is so important to have up-to-date antivirus, to visit Windows Update daily to download new patches and to have at least one or two anti-spyware/anti-trojan scanners running on your computer.

I wish I could provide more information for you. The only other thing I can tell you to do before you format and reinstall (be sure to backup your files) is this:

1) Go download The Cleaner from www.moosoft.com - install it, update the software and scan your machine. Scan it first in regular mode and the next time in safe mode.

2) Go download UnHackMe (link: http://www.greatis.com/unhackme.zip ) This tool is effective in detecting and getting rid of several rootkits that are out there today. You might want to try running it in normal mode and safe mode.

3) Use this rootkit revealer information and download (link: http://www.sysinternals.com/Utilities/RootkitRevealer.html ) I would like to see a capture of what it finds on your computer.

The real way to tell if the threat is off your machine will be whether you can remove those two bad files without a problem.

Let me know if I can help any more than what I have. I would like to see this thing gone and know that we managed to beat it, but ... I'm not getting my hopes up this time around. I don't know what it has installed on your machine. I'm pretty certain I know how you got it, but the bad thing about "downloaders" is you never know what the heck they're gonna install.