PLEASE HELP! I was at another help forum with this problem before finding Bleeping Computer. They helped me all they could, but it wasn't enough. I still have the problem, so I'm starting fresh with you guys.

Anyway, I'm running Win2000 and my computer keeps re-booting during a scan with any/all of the following anti-virus/spyware programs (It's also running REALLY slow):

* AVG (computer boots up with this one)
* Ad-Aware
* McAfee
* NoAdware
* SpyBot
* BitDefender

I'm able to download the updates for all the above. Internet works as well as all other applications.

I also have KillBox which appears to function, HijackThis and CWShredder which work and I'm able to get logs from those.

According to the previous help forum I visited, the HJT log looks clean.

NOTE: No viruses/spyware are found by the programs prior to the re-boot. I shut off the auto-reboot, so I get a 'blue screen' error message.

Just prior to logging on to this site I attempted a manual scan with AVG. Here's a fresh blue screen error message I wrote out by hand when the scan was interrupted:

"*** STOP: 0x0000001E (0xC0000005,0xF7298459,0x00000000,0x007C8EF2)
KMODE_EXCEPTION_NOT_HANDLED

***Address F7298459 base at F7298000, DateStamp 42068a5e - vdmt16.sys

Beginning dump of physical memory
Physical memory dump complete. Contact your system administrator or technical support group."

The other forum seemed to think the problem was with vdmt16.sys being associated with Backdoor/Haxdoor/Horseserver.net. That's as far as they could help me.

I did find the information about Horseserver on your Security/Spyware & Malware Self-Help and Reading Room forum. There were registry keys in your topic that weren't in my registry, and others I couldn't remove. Therefore, I still have this pest on my machine.

What would you like me to do next?

Any assistance is GREATLY appreciated!

What operating system are you?

I'm running Windows 2000.

You have a Horseserver infection which requires some tools to get rid of.

• First, download HSFix from here
• After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
• Next, download CleanUp! Install it, but do not run it yet.
• Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
• Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
• A log will be produced which you can close out of.
• Then run HijackThis again, close any open windows and browsers and fix these:
  HJT items here
• Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
• Restart your computer into normal mode and run at least one of the following free, online virus scans:
  http://housecall.trendmicro.com/housecall/start_corp.asp
  http://www.pandasoftware.com/activescan/co...n_principal.htm
  http://www3.ca.com/threatinfo/virusinfo/scan.aspx
• Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

Grinler,

Sorry it took so long. I've been working on your solution since last night. The scans took longer than I thought they would. (I ran all 3 you suggested).

As you requested, 3 logs are pasted below in this order: HJT Pre-Scan, HS log and HJT Post-Scan:

Logfile of HijackThis v1.98.2
Scan saved at 7:46:06 PM, on 2/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NoAdware3\NoAdware3.exe
C:\Program Files\Naviscope\naviscope.exe
C:\WINNT\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NoAdware3] "C:\Program Files\NoAdware3\NoAdware3.exe"
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

-------

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
klo5
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
klo5.sys
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

---------------

Logfile of HijackThis v1.98.2
Scan saved at 11:17:34 AM, on 2/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NoAdware3\NoAdware3.exe
C:\Program Files\Naviscope\naviscope.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NoAdware3] "C:\Program Files\NoAdware3\NoAdware3.exe"
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Everything's working great ! YOU ROCK !!

Fix this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKCU\..\Run: [NoAdware3] "C:\Program Files\NoAdware3\NoAdware3.exe"

Can you do a full scan with avg now?

Hi Grinler !

I fixed the 2 items in HJT...new log pasted below. Yes, AVG and all other applications are working great ! Once again, YOU ROCK ! THANKS !

As a sidebar, I know I'm supposed to go to another discussion board for this (which I will do shortly), but I wanted the opinion of a tech person. What do you think of the new XP Pro x64 Edition? I'm shopping around for a new PC and the sales guy I talked to yesterday said I should wait for it to come out, rather than get a system with XP Pro now, as I'm going to be getting into radio-control plane flight sims. R/C flight sims are more high-end than Microsoft flight sim. The sales guy has been using the beta version, and said he's had no problems with it. The reason I'm asking is that I get a more than a little nervous about buying Microsoft products in an early version.

HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 5:28:59 AM, on 2/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Naviscope\naviscope.exe
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Its nice to have the 64bit, but there is hardly any software that really takes advantage of it. May be better off in waiting for now

Log looks clean...great job!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.
   
   You can find instructions on how to enable and reenable system restore here:
   
   Managing Windows Millenium System Restore
   
   or
   
   Windows XP System Restore Guide
   
   Renable system restore with instructions from tutorial above
   
   
2. Delete Temp Files
   
   To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.
   
   This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.
   
   
3. Delete Temporary Internet Files
   
   Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.
   
   
4. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
   
   A tutorial on installing & using this product can be found here:
   
   Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
   
   
5. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
   
   A tutorial on installing & using this product can be found here:
   
   Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
   
   
6. Commercial Spyware Removal/Protection Programs - If you feel more comfortable installing a commercial Spyware removal program then we recommend WebRoot's Spysweeper or Lavasoft's Ad-Aware Professional. There are many commercial products on the market, but unfortunately most are misleading and substandard. Both of the products we recommend here are proven to be excellent products and a worthy addition to the arsenal of software protecting your computer.
   
   Spysweeper Product Information
   Ad-Aware Pro Production Information
   
   
7. Make your Internet Explorer more secure - This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      
      1. Change the Download signed ActiveX controls to Prompt
         
      2. Change the Download unsigned ActiveX controls to Disable
         
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
         
      4. Change the Installation of desktop items to Prompt
         
      5. Change the Launching programs and files in an IFRAME to Prompt
         
      6. Change the Navigate sub-frames across different domains to Prompt
         
      7. When all these settings have been made, click on the OK button.
         
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
8. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   
9. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
10. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
    
    For a tutorial on Firewalls and a listing of some available ones see the link below:
    
    Understanding and Using Firewalls
    
    
11. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    
    
12. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    
    A tutorial on installing & using this product can be found here:
    
    Using SpywareBlaster to protect your computer from Spyware and Malware
    
    
13. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Grinler,

I'll be using your info to keep my computer clean.

Thanks !