Lop Toolbar On My Desktop Can't Get It Off
-
Run HJT again and checkmark the boxes next to the following:
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vrssys.dat
O4 - HKLM\..\RunOnce: [*syssrv] C:\WINNT\Cursors\syssrv.exe rerun
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\AppPatch\expsys.exe ren my_time:1107528267
Close ALL windows & browsers and click FIX CHECKED
Reboot into Safe Mode.
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear.
Delete the following files:
C:\WINNT\Cursors\syssrv.exe
C:\WINNT\AppPatch\expsys.exe
Then go to C:\Documents and Settings\Administrator\Local Settings\Temp and delete everything inside the Temp folder but leave the folder intact.
Reboot and run an online virus scan at TrendMicro and RAV. Let them fix/remove anything they find. Copy and paste the results of each in your next reply along with a fresh HJT log.
-
Thanks, here is my new log, I ran the 2 virus scans and they both said that I have a clean system.
I do not have c:\WINNT\Cursors\syssrv.exe or C:\WINNT\AppPatch\expsys.exe on my system.
Heather
Logfile of HijackThis v1.99.0
Scan saved at 3:29:29 PM, on 2/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Help\dnswave.exe
C:\WINNT\system32\PELMICED.EXE
C:\WINNT\system32\Ibmmon.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Reflection\r2win.exe
C:\HIJACK\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://dealerconnect.chrysler.com/d...troller/Portal
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rvsalue.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evawsnd.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Ibmmon.exe] Ibmmon.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunOnce: [*dnswave] C:\WINNT\Help\dnswave.exe rerun
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
-
The files seem to have morphed. Time for the strong-arm tactics.
The following removal tool doesn't always work but it's best to try it first.
Download the Symantec Virtumonde Removal Tool from here.
Once it's downloaded, reboot in Safe Mode and run the tool to scan your machine. It will remove any files that it finds.
Then run HJT again and remove the following:
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rvsalue.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evawsnd.dat
O4 - HKLM\..\RunOnce: [*dnswave] C:\WINNT\Help\dnswave.exe rerun
Reboot and post a fresh log.
If you still have this problem after running the removal tool, we'll tackle it with a manual fix.
-
Thanks, here is my new log.
Logfile of HijackThis v1.99.0
Scan saved at 11:02:00 AM, on 2/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Help\dnswave.exe
C:\WINNT\system32\PELMICED.EXE
C:\WINNT\system32\Ibmmon.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Reflection\r2win.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJACK\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://dealerconnect.chrysler.com/d...troller/Portal
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evawsnd.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Ibmmon.exe] Ibmmon.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunOnce: [*dnswave] C:\WINNT\Help\dnswave.exe rerun
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{12332008-AAAD-4BF1-86BD-489C04D6434F}: NameServer = 198.164.30.2,198.164.4.2
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
-
Time for the manual fix then.
Please download Killbox from here.
The 2 files we need to shift haven't changed in your last log. In case they have when you come to do this manual fix, please run HijackThis first to confirm they are still the same.
Currently:
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evawsnd.dat
O4 - HKLM\..\RunOnce: [*dnswave] C:\WINNT\Help\dnswave.exe rerun
Note that the * denotes the problem O4 entry above, [*dnswave].
This infection will always install c:\windows\system32\bkinst.exe and sometimes a file called c:\windows\system32\host.exe that will not show up in the HijackThis log.
1. Unzip Killbox to your desktop and then double-click on Killbox.exe to start the program.
2. In the Killbox program, select the 'Delete on Reboot' option.
3. In the field labeled 'Full Path of File to Delete' enter the name of the first file I listed above (or whatever it may have changed to when you checked). Currently:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evawsnd.dat
4. Press the button that looks like a red circle with a white X in it. When it asks if you would like to Reboot now, press the NO button.
5. Redo steps 2-4 for the other file I listed above which is currently:
C:\WINNT\Help\dnswave.exe
6. When those files are completed, do steps 2-4 again and enter the file c:\windows\system32\hostx.exe as the filename to delete. When it asks to reboot you should press NO this time.
7. Now do steps 2-4 again but this time enter the last file c:\windows\system32\bkinst.exe as the filename to delete. When it asks to reboot you should press YES this time.
8. After the computer reboots run HijackThis again and press the Scan button. Put a checkmark next to each of the entries I listed above and click Fix Checked.
9. Reboot again and post a fresh log.
Last edited by HJM; 05-02-2005 at 06:29 PM.
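As an added illustration that is not part of the thread, the Python pass below triages HijackThis O2/O4 lines for the traits the helper keys on in these posts: BHOs registered from the Temp folder with a .dat extension, "(file missing)" orphans left behind when the files morph, and RunOnce values prefixed with * that carry the "rerun"/"ren" argument. The log excerpt is constructed from lines quoted above, and the rule wording is my own.

```python
import re

# Constructed HijackThis excerpt, modelled on the O2/O4 lines quoted in this
# thread with a couple of benign entries mixed in; not a real log from the poster.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rvsalue.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evawsnd.dat
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [*dnswave] C:\WINNT\Help\dnswave.exe rerun
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\AppPatch\expsys.exe ren my_time:1107528267
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def triage_line(line):
    """Return the reasons one HJT line deserves attention (empty list if none)."""
    reasons = []
    m = O2_RE.match(line)
    if m:
        path = m.group("path")
        missing = path.endswith("(file missing)")
        path = path.replace("(file missing)", "").strip()
        if re.search(r"\\Temp\\", path, re.IGNORECASE):
            reasons.append("BHO loaded from a Temp directory")
        if not path.lower().endswith((".dll", ".ocx")):
            reasons.append("BHO is not a .dll/.ocx")
        if missing:
            reasons.append("BHO registration points at a missing file (renamed/morphed?)")
        return reasons
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if m.group("key") == "RunOnce" and name.startswith("*"):
            # Windows runs a RunOnce value whose name starts with '*' even in
            # Safe Mode, which is why the helper still needs delete-on-reboot.
            reasons.append("RunOnce value prefixed with '*' (runs even in Safe Mode)")
        if re.search(r"\b(rerun|ren)\b", cmd):
            reasons.append("command line carries the 'rerun'/'ren' argument seen in this thread")
    return reasons

def triage(log_text):
    """Return [(line, reasons)] for every non-empty line that raised a reason."""
    out = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line and triage_line(line):
            out.append((line, triage_line(line)))
    return out
```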