Virus? Adware? Confused...
Original Message
Name: bludev25
Date: April 30, 2005 at 13:54:56 Pacific
Subject: Virus? Adware? Confused...
OS: XP Pro
CPU/Ram: P4/512 PC3200
Comment: I'm pretty confused right now. I'm working on a family computer that I was told was having problems and I can't seem to figure this one out. Perhaps someone could lend assistance. This computer lacks AV software and the user also has children running MSN Messenger (bad sign to begin with). A strange email came through and the user opened it. Nothing bad has happened, however, after running checks on it myself I came to realize that first of all, I couldn't access any major AV webpages (Norton, McAfee, etc.) to use their online virus scanners. Secondly, the computer simply won't allow me to use the "run" command in the start menu to access "msconfig" or "regedit." I ended up downloading Ad-Aware to run checks along with a third party AV program called Avast? I personally hadn't heard of it, but after running, it had detected several files infected with W32:Beagle.BH and the Ad-Aware caught about 40 or so infected files including some tracking cookies and Cydoor. I accessed the Hosts file located in C:\Windows\System32\drivers\blah and cleared out everything after my localhost settings. This enabled me to access NAV's webpage and I ran their virus detection, but it only found 3 adware infections and no major viral infections. To play it safe, I turned off System Restore and I downloaded the W32:Beagle removal tool and ran it anyway, but no detections were found. Strange, I thought... So, I assumed that perhaps the problems were resolved. I was wrong. Today, I booted the computer to find myself still blocked from using the "run" command. Also, this "Avast" AV program is now detecting tons of random "suspicious emails" trying to leave the system. When the email client is open, these warnings come up at a rate of almost 1 per minute. I ran NAV again and still no detections were found. I ran Ad-Aware and no more infected files were found. I'm quite confused and boggled by this.
I'm almost to the point of just transferring all the required data off this hard drive and vaping it for the sake of the owners. I can't seem to come up with any other solutions and just wanted to know what anyone from this forum thought. Thanks for any input.
Response Number 3
Name: bofra
Date: April 30, 2005 at 16:06:08 Pacific
Subject: Virus? Adware? Confused...
Reply: Turn off System Restore temporarily, try starting in safe mode (F8), empty the temp folder, check msconfig for virus-related startup files, run the virus scan again, and also run an Ad-Aware scan. If the run command is not working, then go to the Windows > System32 folder directly, or System Information > Tools.
Response Number 4
Name: Martin Crandall
Date: April 30, 2005 at 20:24:13 Pacific
Subject: Virus? Adware? Confused...
Reply: Personally, when I get one that really stumps me: Remove their hard drive, slave it and put it in one that you KNOW has a solid AV package. Do a scan from that system and see what you find. Considering you will not be booting to their HD, anything on it will lie dormant, but detectable. Done it many, many times, quite safe.
_________________________
The internet is no longer a toy, it's a COMBAT ZONE!
Response Number 5
Name: bludev25
Date: April 30, 2005 at 20:52:21 Pacific
Subject: Virus? Adware? Confused...
Reply: Hello Tufenuf and EC, Thanks for your replies. I will comment on the suggestions you made momentarily, but I've got news, and I'm not sure if I should consider it bad news or just another step in solving the issue. I noticed today that after the system is rebooted and the internet connects, an error message appears claiming "Generic Host Process for Win32 Services has encountered a problem and needs to close." After I click OK, a small icon appears in the system tray to the bottom right hand side. It almost appears to be a small blue bell or siren placed in front of scattered envelopes. When I run the mouse cursor over the emblem, it flashes up random IP and web addresses in a continuous manner as if it's randomly connecting to places. While this occurs, this AVAST AV software I am using keeps informing me that suspicious emails are attempting to leave this computer. Of course I cancel the actions, but this occurs in handfuls and becomes rather annoying. Even after I close the email client, somehow it still attempts to send stuff. Now, in regards to EC, while this icon appeared in my system tray, I ran the virus detection software from Trend Micro at the HouseCall address you gave me. Those random quirks about suspicious email trying to leave the system even popped up DURING the virus scan, however, no viruses were located. Immediately following this, I ran my Ad-Aware program and the only thing that came up was a giant list of Tracking Cookies, Type: IE Cache Entry, Category: Data Miner. I'm not entirely positive on what this means, but I can't help but wonder if these are linked to this icon that runs after the Win32 error occurs. In regards to Tufenuf, I went to the website you recommended and used a program there to rename my "msconfig" and "regedit" files. After doing so, they did operate, however, no NETSTATT.EXE files were seen running. I also got myself a copy of the HijackThis program and ran it while the icon was in my system tray.
This is a copy of it:

Logfile of HijackThis v1.99.1
Scan saved at 11:49:32 PM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Kelly Family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\system32\InetCntrl\PopupKil\BsafeBHO.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [keydrv.exe] C:\WINDOWS\system32\winsystems.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I'm still working on this issue. Part of me has given up the idea of just vaping the hard drive. I'm really intent on finding the solution to the problem. Leaving business unfinished just isn't how I usually operate, so I most likely won't be sleeping much until I can figure this one out. Any more help is greatly appreciated!
Response Number 6
Name: jabuck
Date: May 1, 2005 at 10:42:31 Pacific
Subject: Virus? Adware? Confused...
Reply: This line in your HT log is the Bagle worm:
O4 - HKCU\..\Run: [keydrv.exe] C:\WINDOWS\system32\winsystems.exe
First reboot the computer to Safe Mode. Go to Start > Control Panel > Folder Options > View > check the circle beside "Show hidden files and folders" > Apply > OK. Go to C:\WINDOWS\system32\winsystems.exe and delete the file. Purge System Restore. Rerun the Trend Micro scan. Re-enable System Restore and re-hide the system files.
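The entry jabuck points at stands out because a Run value named after one program (keydrv.exe) launches a different binary (winsystems.exe), and the same log also shows a broken LSP chain (O10) and services whose path did not resolve (O23 "file missing"). The following triage script is an added example, not code from this thread or from HijackThis; it applies those three heuristics to a constructed sample made from lines in the posted log, and is only a first-pass filter for a human reviewer, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [keydrv.exe] C:\WINDOWS\system32\winsystems.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<label>[^\]]+)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def review_line(line):
    """Return a short finding for one HijackThis entry, or None if nothing stands out."""
    if line.startswith("O4 - "):
        m = O4_RE.match(line)
        exe = EXE_RE.search(m.group("cmd")) if m else None
        if exe:
            label = m.group("label").lower()
            exe_name = PureWindowsPath(exe.group(1)).name.lower()
            # Heuristic (assumption): a value named like an .exe that runs a
            # differently named binary is worth a look; benign labels such as
            # [avast!] or [msnmsgr] are not filename-shaped and are skipped.
            if label.endswith(".exe") and label != exe_name:
                return f"startup value named '{label}' actually runs '{exe_name}'"
    elif line.startswith("O10 - ") and "missing" in line:
        return "LSP provider missing: the Winsock chain is broken"
    elif line.startswith("O23 - ") and "(file missing)" in line:
        return "service path did not resolve; confirm the binary really exists"
    return None


def review_log(text):
    """Walk a whole log and return (section, finding) pairs for a reviewer."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reason = review_line(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason))
    return findings


if __name__ == "__main__":
    for section, reason in review_log(SAMPLE_LOG):
        print(f"{section}: {reason}")
```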