...and then, again!! Troj/Ana-01(worm)

:-[ Here we go again. Thanks to XoftSpy I located another worm in the registry. Please advise what the next step is to this pain in the ass. Thanks Eddy for the tools too. Hijack log and XoftSpy log attached. Thanks Lalabugu

Logfile of HijackThis v1.98.0
Scan saved at 2:03:52 AM, on 10/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WLAN\802.11 Wireless LAN\WlanMonitor.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Documents and Settings\Kelley\Desktop\viralinfections\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - Startup: Configuration & Monitor Utility.lnk = ?
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://my.juno.com
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: http://*.ocsd.org
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095820224948
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\Program Files\Common Files\Stardock\MCPCore.dll

Result from my HJT log analyzer:


CHECKING HIJACKTHIS AND INTERNET EXPLORER :

You are using a old version of Hijackthis, please update.
Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\program files\msn apps\updater\01.02.3000.1001\en-us\msnappau.exe
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = http://my.juno.com/s/search?r=minisearch
r1 - hklm\software\microsoft\internet explorer\main,search page = http://my.juno.com/s/search?r=minisearch
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://my.juno.com/s/search?r=minisearch
r1 - hkcu\software\microsoft\internet explorer\searchurl,(default) = http://my.juno.com/s/search?r=minisearch
r3 - urlsearchhook: urlsearchhook class - {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - (no file)
r3 - urlsearchhook: incredifindbho class - {5d60ff48-95be-4956-b4c6-6bb168a70310} - (no file)
o2 - bho: x1iehook class - {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\juno\qsacc\x1iebho.dll
o2 - bho: (no name) - {53707962-6f74-2d53-2644-206d7942484f} - d:\spybot~1\sdhelper.dll (file missing)
o2 - bho: msntoolbandbho - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
o3 - toolbar: msn - {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
o4 - hklm..\run: [bearshare] "c:\program files\bearshare\bearshare.exe" /pause
o4 - hkcu..\run: [spc_w] "c:\program files\jusearch\hcm.exe" -w
o4 - startup: configuration & monitor utility.lnk = ?
o8 - extra context menu item: display all images with full quality - res://c:\program files\juno\qsacc\appres.dll/228
o8 - extra context menu item: display image with full quality - res://c:\program files\juno\qsacc\appres.dll/227
o8 - extra context menu item: web rebates - file://c:\program files\web_rebates\sy1150\tp1150\scri1150a.htm
o15 - trusted zone: http://my.juno.com
o15 - trusted zone: http://www.juno.com
o15 - trusted zone: http://*.ocsd.org
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1095820224948
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
o16 - dpf: {bac01377-73dd-4796-854d-2a8997e3d68a} (yahoo! photos easy upload tool class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab


THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :

o4 - hklm..\run: [moodlogic updater] c:\program files\moodlogic\service\updater.exe
o4 - hkcu..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

Analyse your log also online HERE
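As an added example (not HijackThis's code and not the analyzer used above), a small Python triage helper: it parses HJT-style entries taken from the two logs in this thread, applies rules modelled on what the analyzer flagged (search settings redirected away from a known default, orphaned URLSearchHook/BHO registrations, Trusted Zone additions), and diffs the before and after logs so the cleanup can be confirmed rather than eyeballed. The set of known-good search hosts is an assumption for this example.

```python
import re
from urllib.parse import urlparse

# Entries copied from the two HJT logs in this thread, before and after cleanup.
BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O15 - Trusted Zone: http://*.ocsd.org
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
SEARCH_KEYS = ("Search Page", "Default_Search_URL", "SearchAssistant", "SearchURL")
# Hosts accepted as legitimate search defaults (assumption for this example).
KNOWN_SEARCH_HOSTS = {"g.msn.com", "search.msn.com", "www.yahoo.com"}

def parse_entries(log_text):
    """Return (type, body) pairs for every 'Rn - ...' / 'On - ...' line."""
    return [m.groups() for m in map(ENTRY_RE.match, log_text.splitlines()) if m]

def triage(entries):
    """Map each entry that deserves a look to the reasons, modelled on the analyzer's rules."""
    findings = {}
    for etype, body in entries:
        reasons = []
        if etype in ("R0", "R1") and any(k in body for k in SEARCH_KEYS):
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host not in KNOWN_SEARCH_HOSTS:
                reasons.append(f"search setting redirected to {host}")
        if etype == "R3" and "(no file)" in body:
            reasons.append("orphaned URLSearchHook registration")
        if etype == "O2" and "(file missing)" in body:
            reasons.append("orphaned BHO registration")
        if etype == "O15":
            reasons.append("site added to Trusted Zone" + (" (wildcard)" if "*" in body else ""))
        if reasons:
            findings[f"{etype} - {body}"] = reasons
    return findings

def removed_between(before_text, after_text):
    """Entries in the first log that no longer appear in the second."""
    return sorted(set(parse_entries(before_text)) - set(parse_entries(after_text)))
```

Run `triage(parse_entries(AFTER))` on the cleaned log: an empty result is the "it looks clean" check, and `removed_between(BEFORE, AFTER)` lists exactly which registrations disappeared.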

If you resolve these issues from Eddy’s analysis, this should help avoid the ‘here we go again’ and ‘this is a pain in the ass’ feelings.


;D Ok, so it looks good. I disabled restore and followed your instructions. Re-wrote the cat roots and followed all the registry entries on the hijack list. Ran a couple of the other links you sent, rebooted, Avast bootscan, ran HijackThis again and voilà!! I think it's gone. Not detectable in XoftSpy, shredder, aspro, SpySubtract, error, Avast4, and Ad-Aware. HijackThis log follows. And checked the registry and memory, don't see it. Want to download updates but want to be sure that the issue looks fixed before I add more app. ext to my system. Thanks Eddy. "And the air is still here in cali", lalabugu

Logfile of HijackThis v1.98.0
Scan saved at 6:31:56 AM, on 10/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\dllhost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Kelley\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Startup: Configuration & Monitor Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\Program Files\Common Files\Stardock\MCPCore.dll

The log is clean now, but you still need to visit Windows Update to get/install ALL security patches/updates. And while there also visit the MS-Office update site (if you have MS-Office installed, of course) to get the latest updates.

???I have been trying to update the system all morning long. I am still getting a failure to install message on the site. 12 times. Unable to figure out what is wrong. All my previous updates are lost/erased from my system. Any suggestions on what I should do?

You can download SP2 from HERE and install it locally. Make sure you have the correct language!

:-*You are such a life-saver!! Thanks again Eddy for rescuing this newbie!!! I am forever in debt. lol It's currently downloading finally!! Thanks ya-all!!!
Sitting pretty, lalabugu

Good luck and you know where to find us if you need us :wink: