Hello and greetings,

First of all, let me thank you for all you for all the help you provide. I was wondering if you could help with the following porblem with my computer.

Here is the problem:

My machine seems to leak memory. Most of the times it appears that one of the running programs
(either a service or an windows exe) seems to be leaking memory. Eventually, the system comes to a crawl and I have to reboot again, and the story
repeats.

I have run the follwoing tools a number of times.

CWShredder.exe,
Spybot search and Destroyer,
AD Aware personal,
AVG full scan
Microsoft anti spyware beta.

AVG full scan did find a exe called ShohidBrink2_mfc.exe (from winnt folder) and deleted it.
It seems to come back again and again. AVG told me that it was related to Trojan.ExeBundle.
I myself have deleted it a bunch of times but it keeps coming back.


Another AVG scan last night indicated the presence of Backboor.flood, Hidewindow,Backdoor.Shiznat.b. The infected objects were like

c:\winnt\system32\STDE9.exe:\Explorer.exe
c:\winnt\system32\STDE9.exe:\iiscache.dll

etc etc and AVG could not clean them becuase there were inside the archive

I am attaching the HijackTHis log below. I hope you will be able to help me out.

I really appreciate your time and effort.

Here is the HJT log


Logfile of HijackThis v1.99.1
Scan saved at 8:00:50 PM, on 2/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.sho
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\srvany.exe
C:\winnt\system32\Shared\dllhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MFCR.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\WinPortrait\wpctrl.sho
C:\PROGRA~1\Grisoft\AVG7\avgcc.sho
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.sho
C:\Program Files\MSN Messenger\msnmsgr.sho
C:\Program Files\WinPortrait\floater.sho
C:\Program Files\BellSouth\FastAccessConnectionAgent\fastacc.sho
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.sho
C:\PROGRA~1\Grisoft\AVG7\avginet.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.sho
C:\Hijackthis\HijackThis.sho

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MFCR.exe] C:\WINNT\system32\MFCR.exe
O4 - HKLM\..\Run: [MFCP.exe] C:\WINNT\system32\MFCP.exe /port:7351 /pass:MeMePassSho
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {0B105630-3B1F-11D1-B443-00A0244D2920} (WebTreeCtrl Class) - http://rzn:81/cfxIE/download/WebTreeFX.cab
O16 - DPF: {156731E1-D652-11D1-BE03-00A0C9111212} (ATLSBNCheck Class) - http://msdn.microsoft.com/downloads/samples/internet/sbncheck.cab
O16 - DPF: {173E11BE-6803-11D2-81A3-00104B62BDDA} (WebBarFX Class) - http://rzn:81/cfxIE/download/WebBarFX.cab
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://visionone/mstscax.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX IE 2000 Control) - http://rzn/download/CfxIEAx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3D679FAC-C75F-11D2-A4D6-00C04F68FE3A} (PJ9enuC Class) - http://espn.walker.com/ProjectCentral/objects/1033/pjcintl.cab
O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://espn.walker.com/ProjectCentral/objects/pjclient.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/MCP/tools/MCPTranscriptPrint.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.microsoft.com/tsinternet/tsweb/msrdp.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://elevon.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.elevon.cc
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BD97BD0-CC85-4249-BAB9-D20AA2F9760C}: NameServer = 127.0.0.1,10.10.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6754D72-D75A-4508-B27E-14741D438EBB}: NameServer = 205.152.37.23 205.152.144.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.elevon.cc
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.elevon.cc
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: dllhost - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: nvscv - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: scvhost - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: syslock - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio.NET\Common7\Tools\Analyzer\varpc.exe (file missing)




Thanks in advance,

regards,
Raj

In regards to the programs you deleted and they keep coming back: Boot up in safe mode and run adaware and avg. These files are imbedded in your hard drive and may need to manually be deleted but for now try the safe mode boot and run the programs. Then reboot in normal mode and see if they still exist. Post a new log when done.

Also, Go here (http://housecall.trendmicro.com/) to TrendMicro for an on-line scan & set it to autoclean for you. When it completes, post back the full filename of any files that cannot be cleaned or deleted.

Try this (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) scan at Panda as well.

Hello,

I just wanted to inform that I am working on the suggestions that both of you made. It is just that it is taking time with work and all and that each scan taking time.

I have completed adaware and AVG scans in safe mode.
Adware reported some traking cookies and I had them deleted
AVG reported a file called ShohdiBrink2_MFC.exe and deleted it. But it came back again (C:\Winnt).

I ran PandA active scan last night and saved the report. I started the scan one more time before I left for work this morning.

I will run Housecall once I get home in the evening. Then I will post all the reports from PandA, Housecall and HTJ log.

Your time is most definitely appreciated.

Thanks
Raj

Hello,

Greetings. I think I have finally finished all the steps suggested by you guys.

I have reported the results of Adaware and AVG scans in my previous reply.
Just to confirm, I have performed the above scans in safe mode

Here are the rest of the results:

Housecall.trendmicro.com Scan:
Did not find anything

PandA software scan report:
1st run:
Incident Status Location

Adware:Adware Program No disinfected C:\WINNT\Downloaded Program Files\ieatgpc.inf
Virus:Bck/Digarix.A Disinfected C:\WINNT\system32\rmtcfg\files\copy\do.bat
Virus:Bck/Digarix.A Disinfected C:\WINNT\system32\rmtcfg\files\do.bat
Virus:W32/Gaobot.batch Disinfected C:\WINNT\Temp\r.bat
2nd run:
Incident Status Location

Adware:Adware Program No disinfected C:\WINNT\Downloaded Program Files\ieatgpc.inf

Finally the HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 11:30:37 PM, on 2/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.sho
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\srvany.exe
C:\winnt\system32\Shared\dllhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.sho
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinPortrait\wpctrl.sho
C:\Program Files\Spybot - Search & Destroy\TeaTimer.sho
C:\Program Files\MSN Messenger\msnmsgr.sho
C:\Program Files\WinPortrait\floater.sho
C:\Program Files\BellSouth\FastAccessConnectionAgent\fastacc.exe
C:\Hijackthis\HijackThis.sho

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = micron.walker.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MFCR.exe] C:\WINNT\system32\MFCR.exe
O4 - HKLM\..\Run: [MFCP.exe] C:\WINNT\system32\MFCP.exe /port:7351 /pass:MeMePassSho
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {0B105630-3B1F-11D1-B443-00A0244D2920} (WebTreeCtrl Class) - http://rzn:81/cfxIE/download/WebTreeFX.cab
O16 - DPF: {156731E1-D652-11D1-BE03-00A0C9111212} (ATLSBNCheck Class) - http://msdn.microsoft.com/downloads/samples/internet/sbncheck.cab
O16 - DPF: {173E11BE-6803-11D2-81A3-00104B62BDDA} (WebBarFX Class) - http://rzn:81/cfxIE/download/WebBarFX.cab
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://visionone/mstscax.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX IE 2000 Control) - http://rzn/download/CfxIEAx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3D679FAC-C75F-11D2-A4D6-00C04F68FE3A} (PJ9enuC Class) - http://espn.walker.com/ProjectCentral/objects/1033/pjcintl.cab
O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://espn.walker.com/ProjectCentral/objects/pjclient.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/MCP/tools/MCPTranscriptPrint.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.microsoft.com/tsinternet/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://elevon.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.elevon.cc
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BD97BD0-CC85-4249-BAB9-D20AA2F9760C}: NameServer = 127.0.0.1,10.10.10.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.elevon.cc
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.elevon.cc
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: dllhost - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: nvscv - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: scvhost - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: syslock - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio.NET\Common7\Tools\Analyzer\varpc.exe (file missing)

Once again, I appreciate your time and help,

Thanks
Raj

Please disable Spybot's Tea-Timer before proceeding or it will interfere with the following fixes. You should be able to right click on the icon in the system tray and select exit, or similar.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio.NET\Common7\Tools\Analyzer\varpc.exe (file missing)

Then go to www.blackviper.com and there you can find what startups can safely be disabled or set to manual startup. This will free up a lot of resources for you :).

Hello,

Greetings :)

I performed the steps given above by Crunchie including disabling a bunch of startup services given at Blackviper.com. I am posting HTJ log below after the steps. If I may, I would like to to bring to your attention the registry entry related to MFCP.exe

O4 - HKLM\..\Run: [MFCP.exe] C:\WINNT\system32\MFCP.exe /port:7351 /pass:MeMePassSho

Is this a normal thing?

Also, my original problem i.e the fact that each time I reboot, a different program seems to leak memory (only from a fixed set of Exe's, I believe) is still present.

HTJ LOG

Logfile of HijackThis v1.99.1
Scan saved at 8:16:45 AM, on 2/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MFCR.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\WinPortrait\wpctrl.sho
C:\PROGRA~1\Grisoft\AVG7\avgcc.sho
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.sho
C:\Program Files\MSN Messenger\msnmsgr.sho
C:\WINNT\System32\svchost.exe
C:\Program Files\WinPortrait\floater.sho
C:\Hijackthis\HijackThis.sho

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MFCR.exe] C:\WINNT\system32\MFCR.exe
O4 - HKLM\..\Run: [MFCP.exe] C:\WINNT\system32\MFCP.exe /port:7351 /pass:MeMePassSho
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {0B105630-3B1F-11D1-B443-00A0244D2920} (WebTreeCtrl Class) - http://rzn:81/cfxIE/download/WebTreeFX.cab
O16 - DPF: {156731E1-D652-11D1-BE03-00A0C9111212} (ATLSBNCheck Class) - http://msdn.microsoft.com/downloads/samples/internet/sbncheck.cab
O16 - DPF: {173E11BE-6803-11D2-81A3-00104B62BDDA} (WebBarFX Class) - http://rzn:81/cfxIE/download/WebBarFX.cab
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://visionone/mstscax.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX IE 2000 Control) - http://rzn/download/CfxIEAx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3D679FAC-C75F-11D2-A4D6-00C04F68FE3A} (PJ9enuC Class) - http://espn.walker.com/ProjectCentral/objects/1033/pjcintl.cab
O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://espn.walker.com/ProjectCentral/objects/pjclient.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/MCP/tools/MCPTranscriptPrint.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.microsoft.com/tsinternet/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://elevon.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.elevon.cc
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BD97BD0-CC85-4249-BAB9-D20AA2F9760C}: NameServer = 127.0.0.1,10.10.10.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.elevon.cc
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.elevon.cc
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Thank you for all the help. Your time is appreciated

THanks again,
Raj

I assumed it had something to do with the app on this page; http://www.turtleblast.com/en/isocommfaq.php

If you are concerned about that file and this one; C:\WINNT\system32\MFCR.exe, upload them for a scan.

http://virusscan.jotti.dhs.org/

Hello and Greetings :),

I have uploaded those two files to http:Virusscan.jotti.org (this is the new URL). The scan did not find any problem with these files. but following on the same thought I got one of the EXEs that seems to leak memory on my machine to be scanned at the above URL. Most of the anti-virus software tools reported no problem except two. One of them is Dr.Web and it reported a Trojnan.ExeBundle 22 infection on this file. I forget the name of the other anti-virus software tool. So I got the free trial version of Dr.Web and ran it on my machine. THis scan reported a whole bunch of Exes (approximately 150) affected with Trojan.ExeBundle 22. When I ask Dr.Web to cure this, all it can do is to delete the file. I was wondering if there is any better way that you can suggest w.r.t to curing this infection. I mean, this Trojan even infected Adaware exe and Spybot exe(they did not detect this Trojan). Interestingly Microsoft's anti-spyware tool did not get affected but it does not detect it either.

Hope you will be able to give me some help as to what could be an appropriate next step for me.

Thnak you and regards,

Raj

If the files cannot be cleaned, the only option I know is to then delete it :(.
You can try the AV that I use and see if it can help you. It is free and updates almost every day. It has the ability to clean files, but I do not know if it will help you.
Once installed, make sure to update the definitions before scanning.

http://www.free-av.com/

Hello and greetings:),

Sorry it took me so long to come back. I eventually went with Dr.Web and had it delete all the Exes that got infected. It proved to be a pain to restore all of them back. But I installed all of them back. My system is now is healthy, I believe. I also believe I have my system well protected now. Thank you for all your help and all that you guys do for us.

Thanks again,
Raj

You are welcome rajnemani1.