Author Topic: win32:trojano...need help  (Read 3297 times)

MikeM118
win32:trojano...need help
« on: August 08, 2004, 04:43:07 AM »
Avast! Antivirus SW tells me I have the Win32:Trojano-131 in a file called c:\windows\temp\randreco.exe.  I delete the file, but the virus always comes back within a day or so.  So far I have tried...

1) turned off System Restore
2) let Avast delete randreco.exe
3) deleted the file myself
4) deleted all files in c:\windows\temp and c:\windows\Temporary Internet Files
5) deleted all instances of 'randreco' from my registry
6) ran Ad-Aware and deleted bad files
7) ran Spybot Search and Destroy
8) ran HijackThis (log below)

I am running Windows ME (please, no chuckles).

Can anyone tell me what else I can do?  This thing just keeps coming back every day.  I have read several of the other posts regarding win32:trojano viruses, which is where I got the idea for most of the things I tried above. But I'm still stuck.  I would greatly appreciate any help!!!

HijackThis log...

Logfile of HijackThis v1.98.0
Scan saved at 9:47:51 PM, on 8/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VOICEIP.DLL
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\SYSTEM\Rscmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

softwareguy
Re:win32:trojano...need help
« Reply #1 on: August 08, 2004, 09:31:11 AM »
Here's a good site for you to go to:
http://hijackthis.de/index.php?langselect=english

Good Luck! :)

Eddy
Re:win32:trojano...need help
« Reply #2 on: August 08, 2004, 10:10:50 AM »
Here is the result of the freeware HJT log analyzer I created:
================================================================================
ANALYZER INFORMATION
================================================================================
bad.dat  version : 10
good.dat version : 10
rec.dat  version : 3
dasb.dat version : 1
sus.dat  version : 1


================================================================================
VERSION INFORMATION
================================================================================

================================================================================
GENERAL INFORMATION
================================================================================
All items in the log file which are not shown here
as "to be removed" or "safe to keep" need to be investigated.

This website has a link to a tutorial on the hijackthislog:
http://members.home.nl/acred/cleaning.htm

Also use www.google.com to find out more on items not listed here.


================================================================================
THESE ITEMS SHOULD BE REMOVED:
================================================================================
r1 - hklm\software\microsoft\internet explorer\main,customizesearch = res://c:\progra~1\toolbar\toolbar.dll/sa
r0 - hklm\software\microsoft\internet explorer\search,customizesearch = res://c:\progra~1\toolbar\toolbar.dll/sa
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername =
r3 - default urlsearchhook is missing
o2 - bho: voiceipobj class - {00000250-0320-4dd4-be4f-7566d2314352} - c:\windows\voiceip.dll
o2 - bho: (no name) - software - (no file)
o3 - toolbar: (no name) - {339bb23f-a864-48c0-a59f-29ea915965ec} - (no file)
o9 - extra button: translate - {06fe5d05-8f11-11d2-804f-00105a133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&lc=0409 (file missing)
o9 - extra 'tools' menuitem: av &translate - {06fe5d05-8f11-11d2-804f-00105a133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&lc=0409 (file missing)
o9 - extra button: (no name) - {06fe5d02-8f11-11d2-804f-00105a133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&lc=0409 (file missing)
o9 - extra 'tools' menuitem: &find pages linking to this url - {06fe5d02-8f11-11d2-804f-00105a133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&lc=0409 (file missing)
o9 - extra button: (no name) - {06fe5d03-8f11-11d2-804f-00105a133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&lc=0409 (file missing)
o9 - extra 'tools' menuitem: find other pages on this &host - {06fe5d03-8f11-11d2-804f-00105a133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&lc=0409 (file missing)
o9 - extra button: (no name) - {06fe5d04-8f11-11d2-804f-00105a133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&lc=0409 (file missing)
o9 - extra 'tools' menuitem: av live - {06fe5d04-8f11-11d2-804f-00105a133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&lc=0409 (file missing)
o16 - dpf: {df6a0f17-0b1e-11d4-829d-00c04f6843fe} (microsoft office tools on the web control) - http://dgl.microsoft.com/downloads/outc.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/quicktimeinstaller.exe


================================================================================
THESE ITEMS ARE SAFE TO KEEP:
================================================================================
\windows\system\kernel32.dll
\windows\system\msgsrv32.exe
\windows\system\mmtask.tsk
\windows\system\mprexe.exe
\windows\system\mstask.exe
\windows\system\stimon.exe
\program files\alwil software\avast4\ashserv.exe
\windows\explorer.exe
\windows\taskmon.exe
\windows\system\systray.exe
\windows\system\restore\stmgr.exe
\windows\system\rpcss.exe
\program files\compaq\easy access button support\cpqeadm.exe
\compaq\cpqinet\cpqinet.exe
\program files\analog devices\soundmax\smtray.exe
\windows\system\spool32.exe
\windows\system\wmiexe.exe
\windows\system\lexbces.exe
\program files\compaq\easy access button support\bttnserv.exe
\program files\compaq\easy access button support\eausbkbd.exe
\program files\internet explorer\iexplore.exe
r1 - hkcu\software\microsoft\internet explorer\main,default_page_url = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&lc=0409
r1 - hklm\software\microsoft\internet explorer\main,searchassistant = about:blank
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&lc=0409
r0 - hklm\software\microsoft\internet explorer\search,searchassistant =
r1 - hkcu\software\microsoft\windows\currentversion\internet settings,proxyserver = http=proxy-server:8080;https=proxy-server:8080
r1 - hkcu\software\microsoft\windows\currentversion\internet settings,proxyoverride = ams-server*;
o2 - bho: (no name) - {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\sdhelper.dll
o3 - toolbar: &radio - {8e718888-423f-11d2-876e-00a0c9082467} - c:\windows\system\msdxm.ocx
o4 - hklm\..\run: [scanregistry] c:\windows\scanregw.exe /autorun
o4 - hklm\..\run: [taskmonitor] c:\windows\taskmon.exe
o4 - hklm\..\run: [pchealth] c:\windows\pchealth\support\pchschd.exe -s
o4 - hklm\..\run: [systemtray] systray.exe
o4 - hklm\..\run: [loadpowerprofile] rundll32.exe powrprof.dll,loadcurrentpwrscheme
o4 - hklm\..\run: [cpqeasyacc] c:\program files\compaq\easy access button support\cpqeadm.exe
o4 - hklm\..\run: [eaclean] c:\program files\compaq\easy access button support\eaclean.exe
o4 - hklm\..\run: [cpqinet] c:\compaq\cpqinet\cpqinet.exe
o4 - hklm\..\run: [lexstart] lexstart.exe
o4 - hklm\..\run: [lexmarkprintray] printray.exe
o4 - hklm\..\run: [rscmpt] c:\windows\system\rscmpt.exe
o4 - hklm\..\run: [nvcpldaemon] rundll32.exe c:\windows\system\nvcpl.dll,nvstartup
o4 - hklm\..\run: [nwiz] nwiz.exe /install
o4 - hklm\..\run: [smapp] c:\program files\analog devices\soundmax\smtray.exe
o4 - hklm\..\run: [quicktime task] "c:\windows\system\qttask.exe" -atboottime
o4 - hklm\..\runservices: [loadpowerprofile] rundll32.exe powrprof.dll,loadcurrentpwrscheme
o4 - hklm\..\runservices: [schedulingagent] mstask.exe
o4 - hklm\..\runservices: [*statemgr] c:\windows\system\restore\statemgr.exe
o4 - hklm\..\runservices: [stillimagemonitor] c:\windows\system\stimon.exe
o4 - hklm\..\runservices: [avast!] c:\program files\alwil software\avast4\ashserv.exe
o9 - extra button: real.com - {cd67f990-d8e9-11d2-98fe-00c0f0318afe} - c:\windows\system\shdocvw.dll
o12 - plugin for .spop: c:\progra~1\intern~1\plugins\npdocbox.dll
o14 - iereset.inf: start_page_url=http://www.rr.com
o21 - ssodl: auhook - {bcbcd383-3e06-11d3-91a9-00c04f68105c} - c:\windows\system\auhook.dll
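The analyzer output above sorts each HijackThis entry into one of three buckets (remove / keep / investigate) by matching it against lists of known-bad and known-good items. The script below is an added example of that kind of triage, written for this page; it is not Eddy's analyzer and not a maintained signature database. The KNOWN_BAD and KNOWN_GOOD lists are assumptions for illustration only (the bad list holds the names flagged in the reply above plus the file the original poster reported), the rule order is a simplification, and the sample log is constructed from a few lines of the posted log plus one made-up O4 line that loads from a temp directory, the pattern the original poster is fighting.

```python
"""Triage a HijackThis log: parse each entry, then sort it into
remove / keep / investigate the way a log analyzer does."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Every HijackThis finding looks like "R1 - ..." or "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Illustrative lists (assumed), not a maintained signature database:
# KNOWN_BAD holds the names flagged in the reply above plus the file the
# original poster reported; KNOWN_GOOD holds a few stock Windows/avast names.
KNOWN_BAD = ("randreco", r"toolbar\toolbar.dll", "voiceip.dll")
KNOWN_GOOD = ("kernel32.dll", "ashserv.exe", "scanregw.exe")
ORPHAN_MARKERS = ("(no file)", "(file missing)", "is missing")


@dataclass
class Entry:
    section: str   # "R1", "O4", ... or "PROC" for a running-process line
    body: str


def parse_log(text):
    """Return Entry objects for the process list and every Rn/On line."""
    entries, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            entries.append(Entry("PROC", line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def classify(entry):
    """Return (verdict, reason). Rule order matters: a known-bad name wins
    over an orphan marker, and both win over an allowlist hit."""
    body = entry.body.lower()
    if any(bad in body for bad in KNOWN_BAD):
        return "remove", "matches known-bad list"
    if any(marker in body for marker in ORPHAN_MARKERS):
        return "remove", "points at a file or hook that is no longer there"
    if "\\temp\\" in body:
        return "investigate", "loads from a temp directory"
    if entry.section == "O16":
        return "investigate", "ActiveX download (DPF); confirm the publisher"
    if any(good in body for good in KNOWN_GOOD):
        return "keep", "matches known-good list"
    return "investigate", "not on either list"


def triage(text):
    """Group parsed entries by verdict: {'remove': [...], 'keep': [...], ...}."""
    verdicts = defaultdict(list)
    for entry in parse_log(text):
        verdict, reason = classify(entry)
        verdicts[verdict].append((entry.section, entry.body, reason))
    return dict(verdicts)


# Constructed sample: lines copied from the log posted above, plus one
# made-up O4 line (TEMP\example.exe) that exercises the temp-directory rule.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R3 - Default URLSearchHook is missing
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VOICEIP.DLL
O2 - BHO: (no name) - SOFTWARE - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Loader] C:\WINDOWS\TEMP\example.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
"""

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_LOG).items():
        print(f"== {verdict.upper()} ==")
        for section, body, reason in items:
            print(f"  {section:5} {body}\n        ({reason})")
```

Run it on the sample and the four orphaned or known-bad entries land in "remove", the two process lines plus the scanregw and avast autostarts land in "keep", and the temp-directory loader and the O16 download are left for a human to check. The temp-directory rule is the one that matters for a file that keeps reappearing: whatever rewrites it has an autostart entry somewhere, and an O4 (or RunServices) entry pointing into a temp folder is the first thing to look for.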