Hello powers that be:

I have ENDLESSLEY to get rund of this thing. I have a Red Soyware background and I have read many forums and cant seem to shake it. I was able to get rid of the coolweb virus with the help of housecall. I cannot load a newer version of NortonAV because for some reason it craps out. I had norton2004 but definitions were october 2004....oops I know, my bad. Also, you have a file which I tried, Regfix.vbs. Well, when I run it, says VBScript cannot be found. I then also ran hsfix per instuctions here and it got rid of some file. But the backgorund stayed. I can't use right click. Here is my hijackthis log. Please help. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:32:45 AM, on 4/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\ACD Systems\ACDSee\6.0\ACDSee6.exe
C:\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

Can you run that script again please and give me the exact text of the error message you are getting.

Okay the exact text error I get when I run regfix.vbs is:

Can't find script engine "VBScript" for script:"C:\Desktop\Regfix.vbs".

The repeat Log is:

Logfile of HijackThis v1.99.1
Scan saved at 1:53:55 AM, on 4/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\ACD Systems\ACDSee\6.0\ACDSee6.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

Thanks for your speedy reply.

Forgot to mention that this error for the script comes up in a window titled: Windows Script Host. I think I repeated the hijackthis log again for no reason. Sorry. Its late...have to get to bed.

That error happens when your scripting needs a reinstall.

Go here and download scripting 5.6 for XP>
http://www.microsoft.com/downloads/details...&displaylang=en

Install it.

Then run the script again. Let me know how it goes. I wrote the script and so am interested in any problems you might have with it.

After it has finished, log off and back onto windows for all changes to take effect.


And if there are other users on the system, they will need fixing too.



Also, in Add Remove Programs, uninstall Viewpoint Manager.

Thanks will do, Unfortunately, at work right now and notebook is at home.

Question. Run the script in Safe mode or Regular? Cuz in safe mode I have admin login as well, which does not appear in Regular mode. After I run it, do I simply log off and log into other account and run again?

As a re-cap, this is what I have essentially doe since I got that spyware background: my computer kept turning off with a blue screen during virus scans and adaware scans. I was able to find out that that is was vdmt16.sys (haxdoor?) which I was able to remove. Using killbox, I removed it (or at least the vdmt16 file and several of those 3 letter files in the windows system folders). I can't recall if I went into the registry and pruned out stuff that Symantec.com told me to get rid of..but I did several step in the write up of haxdoor.D. Anyhow, now all I got was a blue screen...no log in. So re-installed xp ontop of itself hoping it was a corrupt file. During the install process There was an INF file, vcad, or something like that..which would not install with my slipstreamed SP2 (made slipstream on a clean computer). However, when I inserted my Original SP1 CD and retried to copy the file, it worked...I thought that was odd. Well, now I am able to boot into XP. Get on the internet and do housecall scan online. The Pandasoftware scan would not load after I clicked on SCAN computer. Anyway, Housecall found thee coolweb virus and one other virus hiding in the cache files of java folder. It was able to remove the coolweb virus. But I had to manually delete the cache of java as those files were in use. Then surfed the web trying various schemes to get rid of the background with CWshredder, CLEANUP, and Killbox. Interestingly, I tried to prune out The NORTON missing file and the bluetooth missing file, along with the R_server file that you see in my log still...with killbox, and everytime they come back...why?

So, I hope that helps somehow. I will Download VB script from MS and give you an update. Thanks

If your account has administrative priviledges run it in regular mode.

Yes. Log onto the various other accounts and run again.

I really wish you hadn't tried to do all this by yourself. I have a feeling you are in need of some major help. I'll bet you have more than a few missing files. The other service says file missing. And you have this scripting problem too.

Take a look at all those missing files for your Symantec in services. It isn't running! You need to uninstall and properly reinstall that. It's urgent. Do not surf unprotected. Firewall and AV are minimum requirements.





Haxdoor is very nasty.
Let's run something and see if haxdoor has been removed and your registry repaired.

Download HSFix.zip

http://www.atribune.org/downloads/HSFix.zip

Create a new folder on your desktop. Name it HSFix
Extract the contents of HSFix.zip to the HSFix folder.



Restart into Safe mode.
Open the Hsfix Folder. Double click on hsfix.bat to run it. This may take a bit of time.


Go to Start >Run
Type %temp%
Press enter
When your temp folder opens, select all and delete all

Restart into regular windows mode.


Run hijackthis again. Post the log

Find this file.
C:\hslog.txt

Copy and paste the contents into your next reply.


After we see about all that, I would reapply SP2 and then go to Windows Update and get all the latest security patches.

Make sure everything is in working order.

I had a sinking feeling you were going to say that. I miss DOS!

To clarify, do you want me to:

Option A:
1. Get VBscript from MS and install
2. Run Regfix.vbs
3. Run HSFIX.bat
3. clear temp
4. Paste Hijack log

Or Option B:
1. run HSFIX.bat
2. Clear Temp
3. Paste Hijack log

Note: I have already downloaded HSFIX and run it prior to my original post. It did FIND a file..I cannot remember what and it deleted that file. Afterwards, I ran HSFIX on the other acocu*ts in Safe mode (including admin account) and no files were seen. When I did not know what else to do, I placed my original post.

I will get home and do what you advise.

Okay, went home and got computer, More Bad news. Work permissions will not allow me to download VBScript.

I tried to uninstall NortonAV....Gave me some error said it will remove uninstall from ADD/Remove. Tried to Reinstall NAV will not let me, gives me some error. Of course, it will not allow me to install in Safe mode. How Dumb is that...maybe it wasn;t too dumb when they thought of it. But sometimes you need safe mode to pull you through.

Ran HSFIX.BAT on all three accounts in Safe mode, No findings, Log findings are such:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

Ran Hijackthis, Log is:

Logfile of HijackThis v1.99.1
Scan saved at 4:59:42 PM, on 4/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

You say work permissions will not allow?

Is this a work computer?

If so, go to your Sys Admin and let him know what is going on.
They need to know. I can't help if the system is cooked and you nave no way of doing what needs to be done.

Let me know what the situation is at this point.

Sorry, I think I confused the issue. The system that is cooked is my personal notebook. My work computer will not allow me to download which is normal with the place I work. Okay, So anyway, here is what transpired last night:

AT HOME, I was able to download VBScript and install it. I ran your awesome script file....Voila! it fixed my problems...at least it seemed to superficially. No more background, I could do search again, I was able to right click. I was NOT able to install Norton. Per your instructions I also ran HSFIX, again, no files found. I then proceeded to install SP2 again. Well, again, I used my Slipstreamed CD. Again, I had problems with installing Cyclad-z.inf and cyclom-y.inf, Requiring me to insert my SP1 CD to copy these two files. Incidentally, I looked up on the net, apparently there is a problem with these two files for some reason with slipstreamed SP2 versions. Well, after windows finishes copying the files, it asks for a reboot, which it does. However now it does not load into the windows installation screen....all I have is a black screen with a mouse. I tried to reinstall windows again and same thing. I can hit F8 and select from the menu. I tried booting into Safemode..no go. Should I try to boot with last known good config?

I need to extract files from the HD and did not do that yet because I was concerned they may be infected. However, now I have no choice. I am going to take the HD out and put it into my desktop and transfer all my essential files.

Please tell me I am not yet out of options. Got any ideas? Should I try to reinstall with SP1 instead and see if that works? Also, If I were to TRy to repair the copy and then a message comes up saying that windows has attempted to repair a previous installation would you like to install a fresh copy, it will delete my old copy and all my files, right? Or will it somehow save my files which are in MYDocuments folder?

Please help if you can. I don't want to have to back up all my crap onto my desktop if I have to... Thanks

I forgot to mention, I did get a Hijackthis Log prior to Reapplying SP2 and the problems listed above....Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 8:22:09 PM, on 4/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

I haven't worked the XP operating system Forums too much. I used to do the 98 forums. So I don't want to tell you I can help when I am not familiar with this material.

You can try last known good, but I am not sure that will help. It loads the previous Control Set but that is very early in the load. So if this is a bigger problem last known good won't help. With an overinstall, I am not sure that is available, but you can try it. Let me know if it works.

You had a problem last time you used the Slip Streamed CD too. You were missing more than those files after that. A fresh start might be best, removing SP2.

Here's a repair XP page.

http://www.webtree.ca/windowsxp/repair_xp.htm

However, I really think you should get some better advice on this whole matter before you go in and try anything.

Being that this is not a Spyware Issue, this is not the place to address your problem.

Try the operating system Forum here.

Or there is another Board on the internet named TweakXP and they specialize in XP. Let me know how you do.

Thanks for the follow up. I have already been to the website you recommended and half a dozen othrs. Apparently this issue with an upgrade from sp1 to sp2 and then a RE-install with a slipstream or SP2 causes this error. Go figure. MicroCrap has posted instructions how how to possibily reverse it back. I will try it and then let you know how things are.

I'll give you a follow up once I get through this next hurdle. Thanks for your excellent help!!

Okay, well, I am back in business or so it seems for a while. I re-applied xp SP1 and it installed and allowed me back into XP. So, I tried to install NAV2004...no go again. I tried to install NAV2005 (TRial) and it seemed to install, bu tI can;t seem to find it running. So, for completeness sake, I ran HSFIX in regular mode and here is what I got:


Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

So it seems that Haxdoor is alive and kicking still. HOW DO I GET RID OF IT? I will re-run HSFIX in Safemode as before and run it in all accounts. ARGH

I also ran Hijack this, this is my log RIGHT AFTER running hsfix:

Logfile of HijackThis v1.99.1
Scan saved at 11:06:31 PM, on 4/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
E:\Spyware stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I will re-update with SP2 from Microsoft. Can you tell me how to get my 'puter back again? Thanks

You do have your Computer back.

That's great news! I'm glad you are back and running clean. Yes. You are clean so far as I can tell. My real concern is the state of your winodws Updates. Where your security is at this point. With the removal of SP2 I can't tell. And so you need to have a visit to Windows Update. But with no SP2 they'll insist you download that. So I would apply it and then go to Windows Update.

This is still missing the file.
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)


Double check on that situation.


These Symantec processes are running. AV and the Firewall it appears.

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
---------

What's missing there?

The toolbar and BHO? Those may be extra and not available in a trial version or maybe you have to turn those features on. I don't run Symantec and am guessing. But again, if you paid for a license you have a right to the use of the full program.

Okay here's the weird thing, I went to windowsupdate.microsoft.com for SP2 upgrade and it told me I already have SP2 installed. Now, I re-ran Hijackthis and it said I have SP1. What is the website talking about?

Also, I takes A LONG TIME to load up windows. I am running am AMD64 3200+ and it ROCKS...this thing almost takes as much time as my AMD350...seriously.

As for the Nortons...yeah there is no Toolbar/systray icon. Maybe there no systray icon for trialware..but as I recall there was one before with the 2004 version before I bought it.

I am going to download the 272meg SP2 and install it manually to ensure I have it. I think Microsoft website doesn't know what its looking at and Hijack has it right.

I still have a bad feeling that something is screwy with the notebook. The net is slow as well. and on my wife's Celeron 300 (I know CPU make no diff) it is as fast as ever. Anything I should look for? Is it worth it by follow up with the write-up that symantec.com has for removal of haxdoor.d ? Or does your script do all that?

Windows Update is probably reading from a different source it uses to check what has been previously downloaded.

You did a lot of moving and shaking. A slow startup could be due to several things.

One is you may have a driver problem for one or more of your devices. You did just remove SP2. Go into Device Manager and look to see if there are any yellow or red marks on top of device icons. That's an indication there is a problem with that device.

Another could be that you have something else trying to load, one of your startups and it is having a problem. Maybe needing a reinstall. I wonder about your AV too. That can really slow your load. But not so much as you describe. And if you tink there is a problem and something is missing, then you should get that fixed.


Here's something to use. BelArc Advisor.

www.belarc.com/free_download.html

It's a free download. Run it and it will produce a html document full of useful informaiotn about your system. It even checks your Updates and hotfixes as listed in the registryand then tells you what needs to be reinstalled.

My script dealt with only the desktop problems. You ran the registry version. It removed no files.

what do I need to do in order to ensure all the files that haxdoor.d has are removed?

Thanks for the tips

You have none of the startups. Things work. Be sure your system restore is alive.

You scanned. You scanned again. You can go online if you like and scan more:

Here are some other places (Anything found should be orphaned and not running, I think. )


http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp