CWS winprotect variant
-
Re: CWS winprotect variant
Submit the following files to JOTTI at http://virusscan.jotti.org/ for possible virus/Trojan detection analysis and immediate feedback:
HIDDEN FILES: To make sure you can see any and all hidden files, please follow the directions here
C:\WINDOWS\SYSTEM\CSQOV.EXE
C:\WINDOWS\SYSTEM\CSGNT.EXE
Let us know what the results/details were for the file(s) in question.
Delete in SAFE MODE (see below) if found bad.
I am unsure in which order you ran the Panda and BitDefender scans and what was still found left behind.
BitDefender Summary:
Results: Identified Viruses: 3 / Infected Files: 3 / Deleted Files: 2
C:\WINDOWS\SYSTEM\rdsndin.exe - Infected with: Trojan.Click.526 - Disinfection failed - Delete failed
C:\WINDOWS\SYSTEM\ntfsnlpa.exe - Infected with: Trojan.Fakealert - Disinfection failed - Deleted
C:\WINDOWS\SYSTEM\hclean32.exe - Infected with: Worm.Worm.Gaobot.DR - Disinfection failed - Deleted
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing the 'safe mode' menu option (explained here if needed).
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if still present):
DELETE FILES:
C:\WINDOWS\SYSTEM\rdsndin.exe
C:\WINDOWS\SYSTEM\ntfsnlpa.exe
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
-
FYI, I ran the BitDefender scan after the Panda.
Here are the Jotti results.
For csgnt.exe:
Scanner                 Malware name
AntiVir                 Trojan/Spy.SCKeyL.p.4.B
ArcaVir                 Trojan.Spy.Sckeylog.P
Avast                   X
AVG Antivirus           PSW.Generic.BT
BitDefender             Trojan.Keylogger.61
ClamAV                  Trojan.SCKeylog-6
Dr.Web                  Trojan.KeyLogger.61
F-Prot Antivirus        W32/SCkeylogger.E@spy
Fortinet                HackerTool/SCKeyLog.P
Kaspersky Anti-Virus    Trojan-Spy.Win32.SCKeyLog.p
NOD32                   Win32/Spy.SCKeyLog.P
Norman Virus Control    W32/SCKeyLog.P
UNA                     Trojan.Spy.Win32.SCKeyLog
VBA32                   Trojan-Spy.Win32.SCKeyLog.p
csqov.exe... I don't see this one anywhere on the C drive, but there is one called csajr.exe. I tried to submit this one, but I got a message that the file was already in use and I must exit the application that is using it first.
I'm now going to remove this file and the other two you listed in safe mode.
-
I removed the following files in safe mode:
rdsndin.exe
ntfsnlpa.exe
(I've removed these files before... they just come back again. Here is a thread with the same problem: http://www.d-a-l.com/help/showthread...8091#post78091 ) Incidentally, I've run the fixwareout utility that that thread describes, with no results.
I also removed csgnt.exe.
Could not find csqov.exe or csajr.exe this time.
Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:49:04 AM, on 12/3/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\Winmodem.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\N32RMD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\DOWNLOAD\OTHER\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [Norton AntiVirus Reminder] C:\PROGRA~1\NORTON~1\N32RMD.EXE /RES
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [Winmodem] Winmodem.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
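As an added example (not from the thread and not part of HijackThis itself): a small Python parser for the HijackThis log format shown above that cross-checks the running-process list and the O4 Run/RunServices entries against the file names the thread flagged. The sample log is a constructed excerpt in that format, with one made-up O4 entry for ntfsnlpa.exe so a hit appears; the O4 regex and the suspect list are assumptions of this example.

```python
import re
# Constructed sample in the format of the HijackThis v1.99.1 log quoted in the
# thread. The O4 entry for ntfsnlpa.exe is made up (it is NOT in the posted log)
# so the check below has a persistence entry to flag.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ntfsnlpa] C:\WINDOWS\SYSTEM\ntfsnlpa.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""
# File names the thread identified as malicious or asked to have checked.
SUSPECT_FILES = ("rdsndin.exe", "ntfsnlpa.exe", "hclean32.exe",
                 "csgnt.exe", "csqov.exe", "csajr.exe")
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")  # R1, O2, O4, O16 ... section entries
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_hjt(log):
    """Split a HijackThis log into running-process paths and O4 autostart entries."""
    processes, autostarts, in_procs = [], [], False
    for line in log.strip().splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False  # the first Rn/On entry ends the process list
            m = O4_RE.match(line)
            if m:
                autostarts.append(m.groupdict())
        elif in_procs and line:
            processes.append(line)
    return processes, autostarts

def find_suspects(log, suspects=SUSPECT_FILES):
    """Map each suspect file name to the processes and O4 entries naming it;
    a Run/RunServices hit is what relaunches the file at boot, so remove it too."""
    processes, autostarts = parse_hjt(log)
    hits = {}
    for name in suspects:
        for path in processes:
            if path.lower().endswith("\\" + name):
                hits.setdefault(name, []).append("process: " + path)
        for e in autostarts:
            if name in e["cmd"].lower():
                hits.setdefault(name, []).append(f'{e["key"]} [{e["name"]}] {e["cmd"]}')
    return hits
```

Run it over a full posted log: a suspect that shows up only as a running process with no O4 entry points at some other launcher (another file, a service, or a scheduled task) that has to be found before deleting the file will stick.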
-
csgnt.exe is reported to be a 'KEYLOGGER' - these can be tough buggers to find and completely eradicate.
Make a copy of csajr.exe and submit it to JOTTI. Try deleting the file in SAFE MODE if it is found to be malware.
Are these two (2) files finally gone or have they returned?
rdsndin.exe
ntfsnlpa.exe
-
None of those files are on the C drive... for now. I'll post if they return.
-
As a minimum precaution, I would further suggest changing all your passwords to avoid anyone using any possible access points in your name.