I Have tried everything Now I need The Experts

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by smith, Nov 16, 2004.

  1. smith

    smith Private E-2

    Hello
    I hope someone can help me. I think I have picked up something and it is escalating. I have followed every step in the HijackThis section (read first).
    I first noticed something wrong when I went to PC Pitstop; the quick scan there said it found the following: prowind32.exe, agdcb.exe and phqghumea.exe,
    but could not remove them. So I went to McAfee; they said all they found was W32/Gaobot.AUE and removed it. So I went to Trend; it said it found nothing. Then I came here and followed advice removing things from the registry.
    I found Run agdcb.exe there and removed it, also Run phqghumea.exe.
    But there still seemed to be something wrong. Spybot did not seem to run right, nor did Ad-Aware, so I deleted them and reinstalled with all the extra add-ons. Then I started to notice I was locked out of files, couldn't change settings, and things I deleted would not delete. So I tried to do a clean reinstall of XP, but it told me I could not do it on my C drive, which I was trying to reformat at the same time, so I went ahead and put it on the D drive; at the same time I installed the SP2 disk, as I had SP1 before. Then I went back and manually deleted the old XP from the C drive, but it would not let me delete a few files which were old Windows 98. Everything seemed to work right until I reinstalled my modem; then it told me it found a networking device and installed drivers for it, which never happened before; then it would not let me
    install my Sympatico to it, so I had to do that another way. As a result I have two little screens when hooked up to the internet, but it will not let me uninstall the networking one; if I do, it won't let me install the modem for Sympatico. I have just a single computer hooked up. I try to uninstall networking but access is denied; I delete files to do with networking and they pop right back up. Anti-virus programs don't run or update; when they do run, a DOS screen pops up once in a while and disappears. The Panda scan on Saturday found 47 files that were locked and it could not scan, code 94. I have tried the Trend Sysclean with the beta 247 but it says 47 files could not be scanned as well. Stinger found nothing but I am unable to run it from safe mode; it won't let me. LSPFix tells me to reinstall Winsock 2 but this computer won't let me. It lists 3 LSPs but Spybot lists 18. Lavasoft seems to be affected by this as well; the new copy I downloaded yesterday will not scan my registry.
    Another thing I noticed was my registry: I seem to have hundreds more entries there, duplicates of nearly everything in the top section. When I used Reghance I saw an entry at the bottom, HKEY_DYN_DATA, but when I call up the registry the old way it is not there. I also cannot click on a lot of the entries to see what their settings are. There are two entries for each user, but the entry for user 19 has now disappeared.
    I am finding strange log files and duplicate log files that I am locked out of.
    I have run HijackThis but it does not mean that much to me, as I have not had the time to study how to use it properly. I am hoping someone here could help me. Also, when I run HijackThis, how should the settings be; should it be set for a full scan? I have done everything in your guide to spyware and more. I was fully patched with SP1. I never opened e-mails I didn't expect, even from friends. I was hoping a-squared would help, sort of my last hope, but it did not. I noticed a new thing at Panda about IFrame or something like that that seems to be a lot like my problem, but so do a few others, so I am hoping someone here can guide me to the right virus or trojan or whatever this is.
    But I should speed this up, as while I am writing this it is sending and receiving.

    One other thing that has happened in the past three days is when I run services.msc it does not look the same. I have no option to stop certain services; Workstation is not there; Remote Procedure helper has no option to stop and cannot be disabled (which I had it set to last week); it is all grayed out, and processes that I had stopped are turned back on.
    One final thing is I am wondering if anyone who has installed SP2 has noticed a file sp3 in their registry? Thank you for your time.
     
  2. smith

    smith Private E-2

    I have just run another EZ Armor scan and this time it found 41 files that it could not scan. I have been trying to post this for a while but it took the internet connection it uses away, so my Sympatico would not work. I had to restart it to fix it, and I noticed that some of the processes at startup are now listed in small letters: userint.exe, which never comes on at startup; there were 5 task managers running; lsasse.exe, winlogon.exe, services.exe, csrss.exe; it started with the service smss.exe then switched to SMSS.EXE.
    I recall most of these being capital letters before.
    Also, the results of the scan: the first one it could not scan was ezarmor/etrustEZ/ANTIVIRUS/viruslog, could not open. Does this mean that it has taken over this program as well? Another thing I noticed as I was updating virus programs today is that it seems to download everything twice.
    Other files that it could not open were Windows\Debug\passwordlog,
    System32\wbem files, about 7 different ones, Repository\FS\objects and the data one as well, Windows\pfirewall.log, Windows\Software Distribution, Windows\websetup\wuident.cab.
    It also couldn't open a lot of Windows\Pchealth, HelpCTR\Binaries\pchdt-p3.cab,
    Windows\Drivercache\i386\. Even the SP2 uninstall on another drive seems to be affected. I have been on the internet for 7 years and never had a virus or anything before, so I am really unsure what the information means; are they files the virus controls now? I had all files unhidden for the scan, including system files. Thank you.
     
  3. MellowMan

    MellowMan First Sergeant

    Download Avast and have it do a boot-time virus check, and/or do a Panda online scan at the Panda website.
     
  4. smith

    smith Private E-2

    I will redo Avast again. I cannot get Panda to load; I really would like to, though, as the IFrame thing sounds a lot like what is happening. I tried TrojanHunter last night but it did not find anything. I was reading the guidelines for editing the HijackThis log line by line. I know there are a lot of Legacy entries in it, but I ran out of time searching for them last night, as they are not in the same keys as mentioned, and some of those Enum keys won't open to read. Also, is it safe to use the Ad-Aware reg program to edit the registry?
    I found a hidden user on this. I have one user set up; it had a password and it still managed to alter everything. In Windows\common\system one of the files has written in it: If you are reading this you probably have a trojan and you will not be able to remove it.
    Thank you for your help. I am going to try and print off the step by step guide for understanding what to delete in the HijackThis log and see if I can find anything. If that doesn't work, should I do a new clean install? I cannot get any virus program or spyware program to work properly; they all seem to get taken over and altered. One other thing is I do know that it is altering my service configurations, as I have been going over the logs from HijackThis and had it set to give information about this, and each log has something changed in it which I did not change.
     
  5. smith

    smith Private E-2

    I have a few more questions hopefully someone can answer for me. The first is: on a single computer running XP SP2, should the following process be running under every main process in my process list? Example with lsass.exe, even with virus and Spybot processes: the first is comctl32.dll\D:\Windows\WinSxS\x86_Microsoft.Windows.common-Controls_6595b6141Aecf1df_6.0.2600.2180_x-www_aB4f1ff91. I also have another comctl32.dll102000 listed in a lot of processes, but it is the first that bothers me. Another process that runs with everything is AcGenral.DLLD:WINDOWS\AppPatch|AcGenral.DLL\CA000. The reason I am asking is that they are in some of the folders that no virus scan and spyware program can get into. Now I have another question. I have tried searching for these ports' uses. I think 135 is my Sympatico, but the others I am unsure of are ports 445, 1027, 1325, 1348, 1888. None list an address except the last, and it lists 127.0.0.1. These are the ports the thing is using; this one, 445, has both a UDP and a TCP connection. The others are all UDP.
    Thank you
     
  6. smith

    smith Private E-2

    I ran Panda again; it managed to scan about 34,000 files and said it found nothing. I cannot get Avast to work. After I did the Panda scan, which took 5 hours on DSL, I got a blue screen, and when it restarted it told me I had to reactivate Windows within 3 days as I had made more than 3 big hardware changes since I activated this one last week. I thought it strange, as I have not added any hardware. Then I ran Spybot again; it showed 5 DSO exploits, the same 5 it removed before. The strange thing about this was that although they listed a certain reg key on the Spybot screen, for example HKEY user 20 or 19 (which is now back), all 5, when you clicked to show location, were in fact the same key, HKEY_USERS S-1-5-20_classes in software\microsoft\current version\run, but the key showed no entries on the right side; it was blank. Should I delete this key? Then I noticed some entries that seem odd in the HKEY_USERS Default under connections P3P History; it lists about 30 things like gator.com, lop.com, 217.73.66.16, Bargain Buddy etc. Also my Internet Account Manager key in the active directory has 5 accounts listed on the right side, but only two are mine; the others are Bigfoot, WhoWhere and VeriSign. I also found entries for Netscape, which I don't even have installed; it says the path is D:\Progra~1\Windows~3\wmplayer.exe. I cannot find it in a search of the computer. Should I delete any reg key that I find in the software\microsoft\currentversion\run and RunOnce even though they show blank entries on the right? Thank you.
     
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  8. smith

    smith Private E-2

    Thank you for your reply. I have tried everything on your list over and over, and quite a few other programs as well; it just seems to be able to gain access even to programs I password. It also keeps resetting the tweaks I do to programs like Spybot and Lavasoft. It keeps removing the check from TrojanHunter's automatic clean as well. I think I am about ready to do a reinstall. This is so time consuming; every time I think I have the answer I find something else it might be.
     
  9. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I guess we could look at your HijackThis log file, though I must admit that total cleaning can take 3-4 hours, so I am a fan of formatting IF you don't have any data you will lose, or at least have backups. Nothing feels better than a clean install every so often. Let me know.
     
  10. smith

    smith Private E-2

    Before I do post a log, I would like to ask a few questions. I have gone over the items in the report HJT does using the guidelines posted here and I cannot see anything wrong. But when I click to configure and go through all those scans, I think I see problems, but as you are the experts I will ask first before I post. When you click to do the startup list as full and the other complete option, should 98% of the things listed there say "no Reg value found" or, for example, "Run no subkeys found"? Even "folder not found". How should I put the settings for the log I will post? Do I post the autostartup log, and if so, how should it be set? I also noticed in the system settings at the bottom of this that more of my settings have been changed, but I have not changed them. Also, programs I have deleted have popped back up, and the 5 DSO exploits Spybot removed are back; Spybot cannot seem to remove them. Ad-Aware says it finds nothing, but it is only scanning some files. Thank you for your help. I will wait for the proper settings from someone there so I do not post my log wrong. Also, I cannot run it from safe mode; it won't let me, and I have not even been able to get it to start in safe mode since yesterday. The other thing is that I just reinstalled this last week: reformatted the drive, installed SP2 at the same time, and I did not have the internet or modem installed until after all the installation was complete.
     
  11. smith

    smith Private E-2

    Sorry it has taken so long to get back, but this thing is a nightmare. I tried to post the log but it would not let me, even on to the internet or into my programs, so I tried to do a new install. I thought it was reformatted, as I did that step, but when the new XP was installing it said "installation denied by owner" and would not install at all. I ended up phoning Microsoft; a waste of time that was. They insisted it was my CD drive or hard drive that had problems. In the end he told me to take the hard drive to get professionally reformatted, which I did, or thought so, and so did the man that did it, as it was removed from my computer to do it. I came home and did the reinstalling of XP, added SP2, then the internet. I still was getting 2 networking connections, so I knew it had hidden itself in here somewhere. I made sure that anything to do with Workstation and things like that were stopped and disabled. I started to download all the things to see if I could find it, but by that night I was losing control again; nothing could find it. So I deleted everything I could manually. First I made sure other drives were reformatted; I had trouble with the D drive, it showed it was empty, but when you hit Properties there was a file there; it would not format the proper way so I had to pick quick format. Then I started to do a new install; the program protested a few times but I got it reinstalled. I left SP2 off till I scanned it
    and installed my DSL modem, as that seemed to start the problem. It seemed fine, then I noticed that the old user name still had an account; during reformatting it had created itself a hidden drive D, removable storage; my old D drive was now E and E was now F. I tried shutting things off; it won't let me access the internet. I found the hidden D drive yesterday; when I hit Show Target it took me to my explorer.exe file; inside it were dialer programs I cannot get rid of, plus other things. It has taken control of my services again; it has changed the paths to them and I cannot get them to change back.
    Here are some; could someone tell me what they really should say?
    Logical Disk Manager path: C:\WINDOWS\system32\svchost.exe -k netservcs

    My Security Center points to the same path, as do most of my other important processes. My Logical Disk Manager Administrative Service points to
    C:\Windows\System32\dmadmin.exe /com.
    It takes over Ad-Aware. I got it to start to work; it found 17 things to start with, but after about 30 seconds it flashed "busy", then the scan stopped. I have tried all the scans it will let me. I got a new copy of a-squared this morning and tried that, but it shows nothing; it only scanned 1200 files, not them all. Does anyone know a program that is really good at finding dialers and hackers? I will try to post a log later.
     
  12. smith

    smith Private E-2

    Here is the log; the process list I see shows 10 more processes running than this.
     

    Attached Files:

  13. smith

    smith Private E-2

    I have had to do another reinstall with a reformat, but it is still here. I have a question I hope someone can answer. When you use WinPatrol, in the Show Cookies section I have about 160 file names listed, not internet cookies; when you click to see location they show as being in the System32 files. They all have either MZ followed by a little box, or regf followed by a little box. I am not sure whether I should click to delete them, as a lot of them are system files. The next thing I have a question about is how can I get XP SP2 to show the really super hidden files, as when I was using a file recovery program I discovered that every drive on my computer has an exact duplicate section called "deleted" and it contains the same contents as my drive, and I have hidden recycling bins, so things I delete are still there. Thank you.
     
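    A way to check what those "MZ" and "regf" files actually are before deleting anything (an added example, not from the thread or from WinPatrol): the first bytes of a file are its "magic" signature, and the "little box" after them is simply a non-printable byte rendered as a placeholder glyph. This script classifies files by that signature, and for "MZ" it goes one step further and verifies the PE header a genuine Windows executable must carry; the sample files are constructed in a temporary directory so it runs offline.

```python
import struct
import tempfile
from pathlib import Path

# Documented Windows file signatures:
#   b"MZ"   opens a DOS/PE executable image (EXE, DLL, SYS, OCX, ...)
#   b"regf" opens a registry hive (NTUSER.DAT, SYSTEM, SOFTWARE, ...)
PE_SIGNATURE_OFFSET = 0x3C   # e_lfanew: offset of the "PE\0\0" header


def classify_header(data: bytes) -> str:
    """Classify a file from its leading bytes; returns a short description."""
    if data.startswith(b"regf"):
        return "registry hive"
    if data.startswith(b"MZ"):
        # A real PE image stores the offset of "PE\0\0" at 0x3C. A file that
        # merely starts with "MZ" (or a truncated one) fails this check.
        if len(data) >= PE_SIGNATURE_OFFSET + 4:
            pe_off = struct.unpack_from("<I", data, PE_SIGNATURE_OFFSET)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "PE executable image (EXE/DLL/SYS)"
        return "DOS MZ stub (no PE header found)"
    return "unknown"


def classify_file(path: Path) -> str:
    """Read-only: only the first 4 KiB is needed for the signature check."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(4096))


def classify_tree(root: Path) -> dict:
    """Map each regular file under root (relative path) to its classification."""
    return {str(p.relative_to(root)): classify_file(p)
            for p in Path(root).rglob("*") if p.is_file()}


def demo() -> dict:
    """Constructed samples: a minimal PE, a hive header, and a text file."""
    pe = bytearray(b"MZ" + b"\0" * 0x3E)            # 64-byte DOS header
    struct.pack_into("<I", pe, PE_SIGNATURE_OFFSET, 0x40)
    pe += b"PE\0\0" + b"\0" * 20                    # PE header right after it
    hive = b"regf" + b"\0" * 28
    text = b"hello\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sample.dll").write_bytes(pe)
        (root / "sample.hive").write_bytes(hive)
        (root / "readme.txt").write_bytes(text)
        return classify_tree(root)


if __name__ == "__main__":
    for name, kind in sorted(demo().items()):
        print(f"{name:12} {kind}")
```

    Point `classify_tree` at a real directory to get the same listing for it; nothing is modified, so a system file mislabelled as a cookie is identified rather than deleted.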
  14. smith

    smith Private E-2

    Thank you. I have done a reinstall since the above log; as soon as it was done I ran HijackThis again. There were four things I fixed, but I still have the same problems. Here is my new log, but it still does not show all my processes that are running; I have 24 showing in Task Manager. The WinPatrol findings I find strange as well. Does anyone else see this as cookies, the long list of files?
     

    Attached Files:

  15. smith

    smith Private E-2

    Hello again. I wonder if I could please have some help with this; I am now on to reformat and reinstall number 8. I discovered that this thing reinstalls itself at the start of the Windows XP install, the part where it asks you if you have any drivers to install. This time it reformatted my C drive to plain old FAT even when I picked FAT32. I have tried everything I can find to try to remove this; nothing is working. It won't even let me come to this site sometimes, or stops me trying to download fixes from here. I have been trying to download Fixn'Find for a week but can't, as it was helping get rid of it but suddenly it stopped working, so I had to get a new copy. I got the new l2fix program today and also one called Security Task Manager to see if I could find a hidden DLL, but I have a very confusing report; it seems the HijackThis program is running my computer. I am finding phone logs even though my internet company assures me it is not possible for a hijacker (dialer) to use my DSL modem for that purpose. I have posted a new HijackThis log. I created it as soon as I reset my internet settings today. But could someone please explain the Security Task Manager report? Should I uninstall HijackThis and then run it? Thank you.
     

    Attached Files:

