Total hijack - desktop.exe, TROJ NARRATOR .A, cws, elitetoolbar, etc

Hello,

My main computer has been infected with desktop.exe, elite toolbar, about:blank, CWS, etc.

I've run spybot, which removed elite toolbar and some CWS.
I've run AdAware, which removes most everything except these:
*delprot registry entries
*CWS feads registry entries
*system32\wrkogy.exe
Running trend micro causes a IE crash followed by FULL reinfection. Also creates an SADLR001 connection in network places. I've managed one full panda scan, followed by reinfection on reconnect. Programs I've used:

Adaware
Spybot
TrojanHunter (relatively useless)
Panda online scan (one full scan followed by reinfection on reboot)
Trend micro online scan (not full scan, caused IE crash - shows non cleanable TROJ NARRATOR .A)
PestPatrol (relatively successful althugh does not remove registry entries)
Cleanup!
Killbox (crashed on first attempt of removing boln.dll, further attempts successful)
HiJackThis! (cannot remove no file/name BHO entries)
CWShredder (not very successful at removing registry entries)

I've removed these infections about 4 times in the last 3 days, finally was able to remove the feads and delprot registries through permissions.

wrkogy.exe, fxssv.exe, vjkricxo.exe run on boot, crashing explorer.exe shell. Adaware does not find these.

I also get this message on boot: "C:\WINDOWS\explorer.exe is attempting to change or view this computer's Internet Connection Protection settings. To give C:\WINDOWS\explorer.exe permission to edit these settings for as long as the program is open, click YES."

Not sure if CCEVTMGR.EXE (in all caps) is a valid application, though I've looked it up as a symantec executable.

I also get disconnected from DSL and then prompted to connect.

I hope this helps give you an idea of the scale of the infection. Any help would be greatly appreciated.

 

UPDATE:

After reboot and reconnecting dsl cable I was infected with desktop.exe, zserv, AbetterInternet, BTGrab, ImLserverIEPlugin, Fammext.exe, and TrojanSpyWin32Tofger.bb. I'm going to run PestPatrol to remove most of these.

I downloaded Sygate Firewall and immediately blocked NDIS usermode from accessing the internet. Also blocked explorer.exe from accessing the internet. Ntoskrnl.exe and svchost have the listen attribute next to them, both from the same IP address.

 

Welcome to MG

Also, in order to help you better we need to know what your OS (operating system) is.

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

After doing ALL of the above if you still have a problem: make sure that you post back letting us know what you could and couldn't complete in the Read Me First guide and what problems still exist and in the meantime while we are reviewing what problems still exist please read the following guide and then wait for us to ask you to post your HJT log as an attachment.

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread
NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

Again after you post back to let us know if you are still having the problems please be as specific as possible as to what you couldn't complete and as to what problems still exist as the more information we have the better we will be able to help you.

Please also be patient in waiting for replies and responses as there are a limited number of people who are able to help you and as you can see by the posts on this forum there are many people out there who have questions/problems. Thanks and again welcome to MG

sw