I'm pretty confused right now. I'm working on a family computer that I was told was having problems and I can't seem to figure this one out. Perhaps someone could lend assistance.
This computer lacks AV Software and the user also has children running MSN Messenger (bad sign to begin with). A strange email came through and the user opened it.
Nothing bad has happened, however, after running checks on it myself I came to realize that first of all, I couldn't access any major AV webpages (Norton, McAfee, etc.), to use their online virus scanners. Secondly, the computer simply won't allow me to use the "Run" command in the Start menu to access "msconfig" or "regedit."
I ended up downloading Ad-Aware to run checks along with a third party AV program called Avast? I personally hadn't heard of it, but after running, it had detected several files infected with W32:Beagle.BH and the AdAware caught about 40 or so infected files including some tracking cookies and Cydoor.
I accessed the hosts file located in C:\Windows\System32\drivers\blah and cleared out everything after my localhost settings. This enabled me to access NAV's webpage and I ran their virus detection, but it only found 3 adware infections and no major viral infections.
To play it safe, I turned off System Restore and I downloaded the W32:Beagle removal tool and ran it anyway, but no detections were found. Strange I thought... So, I assumed that perhaps the problems were resolved. I was wrong.
Today, I booted the computer to find myself still blocked from using the "Run" command. Also, this "Avast" AV program is now detecting tons of random "suspicious emails" trying to leave the system. When the email client is open, these warnings come up at a rate of almost 1 per minute. I ran NAV again and still no detections were found. I ran Ad-Aware and no more infected files were found. I'm quite confused and boggled by this. I'm almost to the point of just transferring all the required data off this hard drive and vaping it for the sake of the owners. I can't seem to come up with any other solutions and just wanted to know what anyone from this forum thought. Thanks for any input.
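
The hosts-file tampering described in the first post (AV vendor sites unreachable until everything after the localhost line was removed) is easy to spot and undo programmatically. The script below is an added example, not code from the thread or from any tool mentioned in it. The hosts content is constructed for the demonstration; the only assumption is the stock Windows XP layout of the file (comment header, then "127.0.0.1 localhost"). On XP the real file lives at C:\WINDOWS\system32\drivers\etc\hosts.

```python
"""Spot and strip hosts-file hijacks of the kind described in the post above.

Added example, not code from the thread. SAMPLE_HOSTS is constructed.
"""

# Constructed sample: a stock XP hosts file with four hijack lines appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 housecall.trendmicro.com
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def is_loopback(ip):
    """True for the loopback addresses a legitimate localhost line may use."""
    return ip.startswith("127.") or ip == "::1"


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every mapping, comments stripped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no name
        entries.append((line_no, parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Flag every name that is not 'localhost' mapped to a loopback address.

    A real hostname pinned to 127.x (or any other address) is how malware
    blocks vendor update and online-scanner sites, the symptom in the post."""
    flagged = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in LOCAL_NAMES and is_loopback(ip):
                continue
            flagged.append((line_no, ip, name))
    return flagged


def clean_hosts(text):
    """Rebuild the file keeping comments and only loopback->localhost lines.

    This is the manual edit the post describes ('cleared out everything after
    my localhost settings'), done programmatically."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)  # blank or comment line: keep verbatim
            continue
        parts = body.split()
        ip, names = parts[0], parts[1:]
        good = [n for n in names if n.lower() in LOCAL_NAMES] if is_loopback(ip) else []
        if good:
            kept.append(f"{ip}\t{' '.join(good)}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Cleaning the file only removes the symptom: whatever process wrote those lines can write them again on the next boot, so the hosts file is worth re-checking after every reboot until the startup entry responsible is gone.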

BluDev25, See if the info at the link below is of any help (possibly a trojan file named NETSTATT.EXE?)
Why does Task Manager, MSCONFIG, or REGEDIT disappear while opening?
Tufenuf

turn off System Restore temporarily,
try starting in Safe Mode (F8),
empty the temp folder,
check msconfig for virus-related startup files,
run the virus scan again,
also run an Ad-Aware scan,
if the Run command is not working, then go to
the Windows > system32 folder directly,
or System Information > Tools.

Personally, when I get one that really stumps me:
Remove their hard drive, slave it and put it in one that you KNOW has a solid AV package.
Do a scan from that system and see what you find.
Considering you will not be booting to their HD, anything on it will lay dormant, but detectable.
Done it many, many times, quite safe.
_________________________
The internet is no longer a toy, it's a COMBAT ZONE!

Hello Tufenuf and EC,
Thanks for your replies. I will comment on the suggestions you made momentarily, but I've got news, and I'm not sure if I should consider it bad news or just another step in solving the issue.
I noticed today that after the system is rebooted and the internet connects, an error message appears claiming "Generic Host Process for Win32 Services has encountered a problem and needs to close." After I click OK, a small icon appears in the system tray at the bottom right-hand side. It almost appears to be a small blue bell or siren placed in front of scattered envelopes. When I run the mouse cursor over the emblem, it flashes up random IP and web addresses in a continuous manner as if it's randomly connecting to places. While this occurs, this Avast AV software I am using keeps informing me that suspicious emails are attempting to leave this computer. Of course I cancel the actions, but this occurs in handfuls and becomes rather annoying. Even after I close the email client, somehow it still attempts to send stuff.
Now, in regards to EC, while this icon appeared in my system tray, I ran the virus detection software from Trend Micro at the housecall address you gave me. Those random quirks about suspicious email trying to leave the system even popped up DURING the virus scan, however, no viruses were located.
Immediately following this, I ran my Ad-Aware program and the only thing that came up was a giant list of Tracking Cookies, Type: IE Cache Entry, Category: Data Miner. I'm not entirely positive on what this means, but I can't help but wonder if these are linked to this icon that runs after the Win32 error occurs.
In regards to Tufenuf, I went to the website you recommended and used a program there to rename my "msconfig" and "regedit" files. After doing so, they did operate, however, no NETSTATT.exe files were seen running. I also got myself a copy of the HiJackThis program and ran it while the icon was in my system tray. This is a copy of it:
Logfile of HijackThis v1.99.1
Scan saved at 11:49:32 PM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Kelly Family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\system32\InetCntrl\PopupKil\BsafeBHO.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [keydrv.exe] C:\WINDOWS\system32\winsystems.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I'm still working on this issue. Part of me has given up the idea of just vaping the hard drive. I'm really intent on finding the solution to the problem. Leaving business unfinished just isn't how I usually operate, so I most likely won't be sleeping much until I can figure this one out. Any more help is greatly appreciated!
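
A HijackThis log is read by eye, but the entries that deserve a second look follow a few patterns that can be checked mechanically. The script below is an added example, not part of the thread and not HijackThis's own logic: the three heuristics (an O4 run value named like an executable that launches a differently named file, an O10 broken LSP chain, and an O23 service whose binary is reported missing) are this editor's choices, and the sample lines are copied from the log posted above so the result can be compared with it directly.

```python
"""Triage a HijackThis log for entries worth a second look.

Added example, not code from the thread or from HijackThis. The heuristics
are the editor's own; SAMPLE_LOG is copied from the log posted in the thread.
"""
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [keydrv.exe] C:\WINDOWS\system32\winsystems.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

# Only the registry Run/RunOnce form of O4 is parsed here, not "O4 - Startup:" entries.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
EXE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat")


def first_executable(cmd):
    """Return the program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return re.split(r'[\\/]', path)[-1].lower()


def triage(log_text):
    """Return (section, reason, line) for each entry matching a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name = m.group("name").strip().lower()
            exe = basename(first_executable(m.group("cmd")))
            # A value named "something.exe" that runs a different file is a
            # classic disguise; a value named after a product is left alone.
            if name.endswith(EXE_SUFFIXES) and name != exe:
                findings.append(("O4", f"run value named '{name}' launches '{exe}'", line))
            continue
        if line.startswith("O10 - Broken Internet access"):
            findings.append(("O10", "Winsock LSP chain is broken", line))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            findings.append(("O23", f"service binary reported missing: {m.group('svc')}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample, the only O4 entry flagged is the keydrv.exe/winsystems.exe line; the NVIDIA, avast! and MSN Messenger entries pass because their value names are product names rather than file names. The O10 line is flagged because a missing LSP DLL breaks networking for every application, and the two avast! service lines are flagged because HijackThis could not find the binary at the recorded path, which is worth confirming by hand before deciding the entries are harmless.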

This line in your HJT log is the Bagle worm:
O4 - HKCU\..\Run: [keydrv.exe] C:\WINDOWS\system32\winsystems.exe
First reboot the computer to Safe Mode. Go to Start > Control Panel > Folder Options > View > check the circle beside "Show hidden files and folders" > Apply > OK.
Go to C:\WINDOWS\system32\winsystems.exe and delete the file.
Purge System Restore
Rerun the Trend Micro scan.
Re-enable system restore and re-hide the system files.

I have developed a 10-step free program to a healthier computer.