w32.randex


mohamed adeni
06-02-2005, 05:56 PM
Hi Everybody :cool:

Sys: w2k, 120HD, 256ram, generic sys

I have the w32.randex worm in my system, in the file scardclnt.exe. I went to Symantec and got some info on how to delete the worm. Updated Norton AntiVirus, scanned, found this worm, could not delete. Per instructions, did this: Start > Run, typed regedit,
navigated to the key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION and looked for any file with w32.randex but found none. Checked the other ones (RUNONCE & RUNSERVICES) the same way. What else should I do? :confused:

Thanks.

david eaton
06-02-2005, 06:57 PM
Try downloading the stinger (http://vil.nai.com/vil/stinger/), and see if that will remove it.
You could also try an online scan at either Housecall (http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php) or Panda A/V (http://www.pandasoftware.com/activescan/com/activescan_principal.htm). Let it fix anything it finds.

If that does not clean it, then download http://www.merijn.org/files/hijackthis.zip
Copy it into its own folder, doubleclick HijackThis.exe, and hit "Scan and save log".

When the scan is finished, the log will open in Notepad. Do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

PrntRhd
06-02-2005, 10:28 PM
I agree Stinger should help, but wanted to point out a few things:
Download Stinger to a clean PC, get it transferred to a floppy and Write-Protect it. Disconnect the infected PC from the network or Internet, boot into SAFE mode (F8) and run the scan in SAFE mode. This is a network-aware worm that will spread to unprotected machines on a network. If you have any others, they will have to be cleaned the same way to be certain the infection is stopped.
There are over 2400 variants of Randex, what exactly did Norton call yours?

mohamed adeni
06-06-2005, 10:19 PM
Thanks guys. I did as you suggested, but it was still showing soon after boot and not going away. Here is the file I got through HijackThis:

Logfile of HijackThis v1.97.3
Scan saved at 8:18:39 PM, on 6/6/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardClnt.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\sys1\LOCALS~1\Temp\Rar$EX00.312\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [loaddll] loaddll.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: EReg.lnk = C:\WINNT\EReg206\Reg32.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38484.4818171296

Budfred
06-07-2005, 12:52 AM
You can fix this with HJT, but it is probably only the tip of the iceberg:

O4 - HKLM\..\Run: [loaddll] loaddll.exe

You will need to find that file and delete it as well....

You are using a VERY old version of HJT and it is probably missing most of the problem... Download version 1.99.1 and post a log from it...

http://www.downloads.subratam.org/hijackthis.zip

Also, did you intentionally install a keylogger on this system?? This is associated with one... Do NOT fix it with HJT or you could lose your ability to use the internet:

O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing

mohamed adeni
06-08-2005, 08:27 PM
Thanks once again. Which application/file is the keylogger? I am not sure. I can still use the internet; will it cause future problems?
Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 6:30:30 PM, on 6/8/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardClnt.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\sys1\LOCALS~1\Temp\Rar$EX00.563\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [loaddll] loaddll.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: EReg.lnk = C:\WINNT\EReg206\Reg32.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

Budfred
06-08-2005, 08:53 PM
I am afraid I missed this last time... It is part of randex, so please find it and delete it...

C:\WINNT\System32\SCardClnt.exe

If you can't find it or delete it... Open HJT, go to Config and then to Misc Tools and use the "delete on reboot" option to enter the whole location and file... Click through to close HJT and reboot...

Open HJT again and put a check by:

O4 - HKLM\..\Run: [loaddll] loaddll.exe

Close all open windows except HJT and click Fix checked... Find and kill that file if at all possible... You may need to set Windows to show all hidden files to find it:

To configure Windows to show all files

1. Do one of the following:
* In Windows 2000, on the Windows desktop, double-click the My Computer icon.
2. Do one of the following:
* In Windows Me/2000/XP, on the Tools menu, click Folder Options.
3. On the View tab, uncheck Hide file extensions for known file types.
4. Do one of the following:
* In Windows Me/2000/XP, uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
5. If you see a warning message, click Yes.
6. Click Apply.
7. Click OK.

Reboot again and post a fresh HJT, but first :

Try running an MWavScan... It will produce a log in the lower window that has the bad list and you will need to use Ctrl-C to copy it and then paste it here for review....

http://www.mwti.net/antivirus/free_utilities.asp

It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...

Please note if you are still having any problems when you post back....
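Added example, not HijackThis's or the forum's own code: a small Python triage pass over HijackThis-format lines that flags the kinds of entries the helpers single out in this thread (an O4 Run entry with a bare filename and no path such as loaddll.exe, the O10 LSP line, and O23 services with "Unknown owner" or "(file missing)", which the later logs show once SCardClnt.exe has been deleted on reboot). The sample lines are constructed from this thread's logs, and the allowlist of benign bare names is an assumption made for the example.

```python
"""Triage helper for HijackThis-style log entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the HijackThis v1.99.1 entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [loaddll] loaddll.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe
"""

# Assumed allowlist: genuine Windows 2000 components that appear as bare names in
# this thread's own logs and that the helpers left alone.
KNOWN_BARE = {"ctfmon.exe", "mobsync.exe"}

O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O10_RE = re.compile(r"^O10 - (.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (.*) \(([^()]*)\) - (.*?) - (.*?)( \(file missing\))?$"
)


@dataclass
class Finding:
    section: str
    name: str
    reason: str


def _first_token(command: str) -> str:
    """Return the executable part of an O4 command, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line and return the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            hive, key, name, command = m.groups()
            exe = _first_token(command)
            # No drive letter or backslash: Windows resolves it by a PATH search,
            # so the log alone does not tell you where the file lives.
            if "\\" not in exe and exe.lower() not in KNOWN_BARE:
                findings.append(Finding(
                    "O4", name,
                    f"{hive}\\..\\{key} entry '{exe}' has no path; locate the file "
                    "before removing the entry"))
        elif m := O10_RE.match(line):
            # A broken Winsock LSP chain; deleting the entry outright can cut off
            # network access, so it needs repair rather than a blind fix.
            findings.append(Finding("O10", "LSP", f"review: {m.group(1)}"))
        elif m := O23_RE.match(line):
            display, short, owner, path, missing = m.groups()
            if missing:
                findings.append(Finding(
                    "O23", short,
                    f"service points at absent file {path}; remove the orphaned "
                    "service registration"))
            elif owner == "Unknown owner":
                findings.append(Finding(
                    "O23", short,
                    f"service '{display}' has no vendor info and runs {path}; "
                    "verify the binary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.reason}")
```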

mohamed adeni
06-10-2005, 12:43 PM
Thanks, I will try this weekend. Have a good weekend.

mohamed adeni
06-13-2005, 12:02 AM
Hi Budfred, how was your weekend?
This is what I did: I downloaded the MWAV file and scanned. I could not copy and paste the log; it came up with 5 files including a couple of trojan files. Here I am attaching the HJT file. Per your instructions, delete on boot did help, I don't see that pop-up about the virus again, does it mean I got rid of it :) , I hope so. Please see attached:

Logfile of HijackThis v1.99.1
Scan saved at 10:06:30 PM, on 6/12/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\rpcclient.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\sys1\LOCALS~1\Temp\Rar$EX01.609\HijackThis.exe
C:\WINNT\System32\rpcclient.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: EReg.lnk = C:\WINNT\EReg206\Reg32.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9758AFD-120D-45A7-8472-381D0EDC3EC5}: NameServer = 198.6.100.218 198.6.1.218
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

Budfred
06-13-2005, 02:48 AM
I am afraid I am somewhat limited at the moment because I am on dialup from my laptop at a conference until Tuesday night... It would really help to see that MWavScan... Did you use Ctrl-C like I said in the instructions... It will not Copy with a Right click...

mohamed adeni
06-22-2005, 06:05 PM
Sorry Budfred, I was busy with graduation parties and then work-related issues. I did not get a chance to follow your instructions and post here. Please forgive me, I will do it soon. Thanks :D

mohamed adeni
07-03-2005, 10:17 PM
Hi Budfred, do you still remember me..... :cool:
Sorry I am late and lazy. I tried to use Ctrl-C, I got a beep sound; yes, right click does not work. Then I had to write down the whole thing, can you believe it!!! Here it is:

Object "Alexa Spyware/Adware" found in file system! Action Taken: No Action Taken.

Entry "HKLM/Software\Microsoft\Windows\currentVersion\Shared Dlls" refers to invalid object c:\programfiles\Ahead\NeroBackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.

File C:\WINNT\System32\eqst.exe infected by "Trojan-Proxy.Win32.Randy.z" virus. Action Taken: No Action Taken.

File C:\WINNT\System32\KYSVCXD.EXE infected by "Trojan-Spy.win32.Rbot.mg" virus. Action Taken: No Action Taken.


File C:\WINNT\System32\Winole.EXE infected by "Backdoor.win32.codbot.z" virus. Action Taken: No Action Taken.

File C:\WINNT\System32\WWW.EXE infected by "Backdoor.win32.codbot.z" virus. Action Taken: No Action Taken.

Hope this log helps you to advise. At first I had the internet on, logged in to pcguide, then opened MWAV scan, got the log, could not copy and paste, so I disconnected the internet, manually wrote down the log, and when I was ready to go back to the internet, I could not log in. So I am using another system to log in and post this log. I have no idea why I could not use the earlier system. :confused:

Budfred
07-04-2005, 01:04 AM
There are a few files there to kill... Please download and set up KillBox:

http://www.downloads.subratam.org/KillBox.zip

Then copy/paste this list into a Notepad file so that you can access it in Safe Mode... Boot to Safe Mode (tap F8 just before Windows starts loading and select Safe Mode)... Choose the "Delete on reboot" and "End Explorer Shell while Killing file" options... Copy/paste the entire list into the line for the file... It should be able to accept the whole list, but if it doesn't you will need to enter them one at a time... Do not click through to close it out and reboot until they have all been entered... Once they are all entered, click through to kill them...

C:\WINNT\System32\eqst.exe
C:\WINNT\System32\KYSVCXD.EXE
C:\WINNT\System32\Winole.EXE
C:\WINNT\System32\WWW.EXE

Reboot and run an HJT scan and another MWavScan... Post them both back here and hopefully you will be cleaned up... You may need to do some major work changing passwords and such given how long these things have been on your system...

mohamed adeni
07-04-2005, 10:12 PM
Happy 4th July to all in USA.
I just came back from a picnic, tired from playing volleyball with young kids thinking that I am also young, well at least I am young at heart. :D

Anyway, let's talk turkey... first, thank you very much for the reply, though it was a big scary one. Can I reformat this whole HD? I've been having problems ever since. If I do that, do you think I can eliminate all these problems????

Budfred
07-04-2005, 11:37 PM
Reformatting will eliminate the malware if you don't have it backed up somewhere and end up restoring it... However, if your passwords and other confidential info has been stolen, it is too late to do anything about that... I suggest finishing the cleanup here and then changing any info that might have been stolen...

mohamed adeni
07-06-2005, 11:53 AM
Thanks for the reply. Like you said, I will clean up this weekend and keep you posted..

mohamed adeni
07-18-2005, 10:21 PM
Hi Budfred
Back again. This time copy and paste worked for MWavScan. Please see the HJT log and MWAV log:

Logfile of HijackThis v1.99.1
Scan saved at 7:49:23 PM, on 7/18/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\rpcclient.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\download\hjt file\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: EReg.lnk = C:\WINNT\EReg206\Reg32.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe


MWAV LOG

Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.

Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.

Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\WINNT\System32\eqst.exe infected by "Trojan-Proxy.Win32.Ranky.z" Virus! Action Taken: No Action Taken.

File C:\WINNT\System32\KYSVCXD.EXE infected by "Trojan-Spy.Win32.Rbot.mg" Virus! Action Taken: No Action Taken.

File C:\WINNT\System32\winole.exe infected by "Backdoor.Win32.Codbot.z" Virus! Action Taken: No Action Taken.

File C:\WINNT\System32\www.exe infected by "Backdoor.Win32.Codbot.z" Virus! Action Taken: No Action Taken.

Yes, I did install KillBox and had to enter each file one at a time, after that selected the 'kill' option, then I rebooted. All of this took place in Safe Mode. Please advise. Thanks

Budfred
07-18-2005, 10:53 PM
I am sorry, but I don't understand... Are you saying this is the MWavScan before you did the KillBox deletions?? If not, you will need to try them again... If you do, try them in a block and see if they work that way... It may not look like they all copied, but they usually do... If they are still there in the MWavScan, you could try them one at a time, but don't reboot between each one...

Also, did you intentionally install a keylogger on this machine... If you didn't, you have another spy...