Please help with hijackthis log. tried everything.

Status
Not open for further replies.
I have rebooted to safe mode and run the following programs in this order:
cc cleaner
spybot s&d
spyware doctor
a squared
ewido security (free trojan scanner)
Norton Anti-virus 2004 pro

all have had their most recent updates.

then I rebooted to normal mode
ran hijackthis and put the log through 2 hijackthis automated log analyzers.
removed a few things.

now everything is back. no matter what I can't get rid of this thing. help!

attached is my latest log.
 

Attachments

  • hijackthis.txt (10.3 KB)
You should uninstall PCtools SpywareDoctor/Spyware Guard, it's a mediocre program at best!

Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

comfaxa.exe
csccatex.exe
CxtPls.exe
casclient.exe
hukjja.exe
ausanc.exe
umddra.exe
camtra.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Aprps\CxtPls.exe
C:\Program Files\Cas\Client\casclient.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\comfaxa.exe
C:\WINDOWS\system32\csccatex.exe
C:\Program Files\Aprps\CxtPls.exe
C:\Program Files\Cas\Client\casclient.exe

O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hukjja.exe reg_run
O4 - HKLM\..\Run: [suvlen] c:\windows\system32\ausanc.exe r
O4 - HKLM\..\Run: [437S35V] csccatex.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKCU\..\Run: [umddra] C:\WINDOWS\system32\umddra.exe
O4 - HKCU\..\Run: [camtra] C:\WINDOWS\system32\camtra.exe
O4 - HKCU\..\Run: [L0o2RRZse] comfaxa.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

Fix ALL O16 - DPF: entries

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\cgadmin.dll
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.
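For anyone working through the steps above on a box with PowerShell installed (XP needs it added; it is not part of the thread's instructions), here is a read-only audit of the same autostart places the HJT fix covers: the O4 Run keys, the O20 Winlogon Notify packages, and the "delete at next boot" queue that tools such as Killbox rely on. Resolve-CommandPath is a hypothetical helper written for this example; nothing here deletes or fixes anything.

```powershell
# Added example, not from the thread: a read-only audit of the autostart
# locations that the HijackThis fix above covers (O4 Run keys, O20 Winlogon
# Notify) plus the "delete at next boot" queue that tools like Killbox use.
# Assumes Windows with PowerShell 2.0 or later; it changes nothing.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: turn a Run value such as "csccatex.exe" or
# "C:\Program Files\Cas\Client\casclient.exe" into the file the loader starts.
function Resolve-CommandPath([string]$cmd) {
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($cmd -split '\s+')[0] }
    if ($exe -notmatch '[\\/]') { $exe = Join-Path $env:SystemRoot "system32\$exe" }
    return $exe
}

"== O4: Run / RunOnce values =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) {
        $path   = Resolve-CommandPath ([string]$p.Value)
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        # MISSING is what HJT shows as "(no file)"; NotSigned in system32 with
        # an odd name (hukjja.exe, ausanc.exe ...) is what to review by hand.
        # rundll32.exe itself is Microsoft-signed: inspect its DLL argument.
        "{0,-8} {1,-12} {2}\{3} = {4}" -f $(if ($exists) {'present'} else {'MISSING'}), $sig, $key, $p.Name, $p.Value
    }
}

"== O20: Winlogon Notify packages =="
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll  = (Get-ItemProperty -Path $_.PSPath).DllName
        $path = Resolve-CommandPath ([string]$dll)
        "{0,-20} {1,-8} {2}" -f $_.PSChildName, $(if (Test-Path -LiteralPath $path) {'present'} else {'MISSING'}), $dll
    }
}

"== Files queued for delete/rename at next boot (PendingFileRenameOperations) =="
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$sm.PendingFileRenameOperations   # source/destination pairs; empty destination = delete
```

A Notify package whose DLL is still present after a reboot, or a Run value whose file reappears, points at something else re-creating it; compare the listing before and after the fix rather than trusting a single run.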
 
one file won't delete

Thanks for taking time to help me. I did what you asked and everything went according to plan with the exception of the cgadmin.dll file that would not delete. I was in safe mode with all programs stopped that it would allow me to and it still would not let me delete it. I also tried "del c:\windows\system32\cgadmin.dll" from the command prompt and it still would not let me delete. When I rebooted to normal mode I tried again. Nothing.

Is this a danger? Also, what is the best way to keep this from happening? Last question, if you download a file and you want to check it before opening it, what is the best way/program to use or is it impossible? I scan some files this way using Norton but it seems useless.

in your debt.
exp1orer
 
They're all back. I had this computer isolated. Must still be in there somewhere.

I am sorry to say they are all back. I will follow your instructions one more time (although I'm certain I did it right the first time). Could it be that one .dll file that would not delete?

Don't give up on me now.

exp1orer
 
OK, got it now. It was the .dll linked to the winlogon.exe

First I would like to say thanks to realblackstuff for the help. I could not have fixed this without you. The rest of this post is for anyone else that does a search seeking help with a .dll file that won't delete. Mine was tied to an entry that hijackthis picked up but could not delete. The line was a code 20 winlogon.exe.

I used a tool called KillBox by Explicit Software. This allowed me to kill the association to winlogon.exe and delete the file. Then when I ran HijackThis I was able to delete the entry and it didn't come back! WOO HOO!!!!

Just another quick note. The .dll I was trying to delete changed names on me, twice. So if you have a code 20 tied to a winlogon.exe and you can't find anything on the net about that file there's a good chance it's randomly generated. If any of this is wrong or counterproductive then it is my hope that realblackstuff will delete it.

thanks
exp1orer
Let me know if this helps anybody.
exp1orer@yahoo.com
 
exp1orer got it right, and thank you for the flowers!
I would also have advised him to get DrDelete or Killbox.
Either program will remove an unwilling program-file, be it immediately or at the next boot.

PS: I don't always have time to check the various threads more than (or even) once a day, after all this is 'charity'-work.
 
If you don't have any real time protection against spyware, check out these progs:

1. The built-in tool in Spybot called Tea Timer. It will pop up and tell you when anything is trying to attach to your system.

2. Similar to TeaTimer is Microsoft's own Antispyware Beta tool. But only if you're on XP. Use one or the other.

3. Check out the tools on http://www.javacoolsoftware.com/
SpywareBlaster will "immunize" your system from thousands of known Internet junk stuff. Similar to Spybot's Immunize function but more complete.

4. Keep tabs on your startups with Autoruns from Sysinternals. http://www.sysinternals.com/Utilities/Autoruns.html
It lists far more startup locations than Hijackthis does.

5. Use Firefox as your browser instead of Internet Explorer. www.mozilla.org

6. For a second opinion on virus infection, run a virus scan from the web at "housecall.trendmicro.com"

As a side-note, you want to run these scans and checks from EACH user account in XP, and in Safe Mode. Each user can have its own spyware. Use Safe Mode with Networking if you need to go online.

cheers
 