Got the win32:adan-094 trojan from the Ukraine...



jmebonner
2006-07-18, 19:58
This isn't for me, it's my neighbor. Avast pops up every five minutes or so with a couple files (that can't be deleted) and then it blocks access to a few other files, on which the only option is to "abort connection". I did all the steps I could find in this thread. (http://forums.spybot.info/showthread.php?t=5490)

Here are my logs.

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B06D66F5E62E-CCC8-B3A4-E3F4-170FAAAE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9FD2615973F1-161B-3BB4-0C34-1FA27DE5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E7ED24D14239-41A8-4C34-469C-8EF5DD4B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B8F0BF48E63D-614B-0914-7518-117D872C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3F7FE894CEC5-0539-1134-3024-7A9BCA57{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32849DF42C57-23FB-6514-40BC-21267938{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\wpamd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4DF5C3186911-32EA-7504-A670-49C42B2B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7ED691696AF6-14BB-77A4-87C3-B584C209{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmapw.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSCQD.EXE
* csr.exe C:\WINDOWS\System32\CSDQB.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSCQD.EXE 51,218 2006-07-18
C:\WINDOWS\SYSTEM32\CSDQB.EXE 51,218 2006-07-18
C:\WINDOWS\SYSTEM32\DMAPW.EXE 61,958 2001-08-17
C:\WINDOWS\SYSTEM32\DMRCM.EXE 61,958 2001-08-17
C:\WINDOWS\SYSTEM32\DMYTG.EXE 61,958 2001-08-17
Other suspects
Directory of C:\WINDOWS\system32


And HIJACKTHIS:

Logfile of HijackThis v1.99.1
Scan saved at 11:37:28 AM, on 7/18/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\Promon.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Phil\Desktop\HijackThis.exe
c:\Program Files\Microsoft Money\System\urlmap.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: (no name) - {8E454121-3053-BBE7-A7D8-99C06C2B771B} - ActionScr.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [corrida] NSYSCPLSTR.exe
O4 - HKLM\..\Run: [TForm1] ms-its.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [StartCpl] driver64.exe
O4 - HKCU\..\Run: [Serviceprocess] Brong32.exe
O4 - HKCU\..\Run: [abrek] xsetup.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Advisor - {D118326C-1496-4196-915B-349BFD1111D6} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D842B3A-BD39-4A0E-9E70-8721ED9349AF}: NameServer = 85.255.113.138,85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.115
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.115
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Please give me help on removing this if you can. I tried my best to follow the instructions in the thread I linked earlier, but a lot of the files were different.

I appreciate it!

James

LonnyRJones
2006-07-22, 16:26
Welcome to the forum James

Start HijackThis and place a check next to these items, if there.
R3 - URLSearchHook: (no name) - {8E454121-3053-BBE7-A7D8-99C06C2B771B} - ActionScr.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [corrida] NSYSCPLSTR.exe
O4 - HKLM\..\Run: [TForm1] ms-its.exe
O4 - HKCU\..\Run: [StartCpl] driver64.exe
O4 - HKCU\..\Run: [Serviceprocess] Brong32.exe
O4 - HKCU\..\Run: [abrek] xsetup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D842B3A-BD39-4A0E-9E70-8721ED9349AF}: NameServer = 85.255.113.138,85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.115
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.115
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note:
If you have connection problems or those O17's (85.255.113.138, 85.255.112.115) return:
Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the Properties screen and reboot if it asks.
Do that for every connection listed.


Do a full system scan with your antivirus program, then do a scan with ewido, one at a time.

Afterwards, open the fixwareout folder (delete any report.txt files you see).
Run c:\fixwareout\findt\findt.bat, then post the new report.txt that will be in the same folder.
Post a fresh HijackThis log please, and be sure to mention any current problems.
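The reply above picks out two kinds of HijackThis line: O4 Run values that launch a bare filename with no path, and O17 entries that hardcode DNS servers. Here is an added example (mine, not from the thread, HijackThis or Fixwareout) that applies exactly that triage to O4/O17 lines. The sample lines are copied from the log in this thread; the trusted resolver set is an assumed caller-supplied list (for instance the ISP's DNS servers), and an empty set means "any static NameServer is worth a look".

```python
import re

# Constructed sample input: O4 and O17 lines copied from the HijackThis log in this
# thread (one legitimate avast! entry kept for contrast). The grouping is mine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [corrida] NSYSCPLSTR.exe
O4 - HKCU\..\Run: [StartCpl] driver64.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D842B3A-BD39-4A0E-9E70-8721ED9349AF}: NameServer = 85.255.113.138,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.115
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,\s]+)$")


def run_executable(cmd):
    """Return the program a Run value launches: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def is_bare_filename(exe):
    """True when the value names a file with no directory or drive, so the loader
    resolves it via the search path and the log alone cannot show where it lives."""
    return "\\" not in exe and ":" not in exe


def triage(log_text, trusted_dns=frozenset()):
    """Return (line, reason) pairs for entries to check before hitting 'fix checked'.
    trusted_dns is an assumed caller-supplied set of resolver IPs."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = run_executable(m.group("cmd"))
            if is_bare_filename(exe):
                findings.append((line, f"Run value [{m.group('name')}] starts bare file "
                                       f"{exe}; locate it and verify publisher/hash first"))
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            untrusted = [s for s in servers if s not in trusted_dns]
            if untrusted:
                findings.append((line, "static NameServer not in trusted set: " + ", ".join(untrusted)))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Lines that do not match either pattern are ignored, so the full log can be fed in unchanged.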

tashi
2006-07-27, 07:53
Due to lack of a response this topic has been archived.
If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.