Topic: System crashed Troj/Ana-01???


lalabugu

System crashed Troj/Ana-01???
« on: October 29, 2004, 04:39:56 PM »
 :o Well I am back again! Just when I thought it was safe.
WinXP SP1, avast 4 Pro 0444-3, AVDS 10/29/04
Previously my system logs showed current installation of updates and then I found that they lied. They were downloaded but never installed correctly onto the system. So I have been susceptible to every oogly-boogly on the net. My Win SP2 still won't install, and after the crash two days ago this is the first time I have been able to get on the net. I lost a lot of my programs and personal docs this time.
Trend Micro: BKDR_HACDEF.D, aka a backdoor/hijacker.
Attached is the HJT log and a shredder log also that says I have everything from peer-to-peer to parasites. KeenValue being a huge issue along with ITForum.
This is the umpteenth time I am trying to rid myself of them. A problem that I haven't been able to resolve at all is the fact that I have Win SP2 and other security updates waiting to be installed and I still am unable to. It gets up to 98% and the Fatal system error pops up and shuts me down. Also, I am denied access to the anti-virus chest and running resident tasks on my system with avast. What's the deal? Any guesses? I am all ears.
Install error reads: kernel32.dll file is not a MS Windows application. Error for virus chest and resident task is: RPS cache error. Unable to initiate.
I also noticed that parasites are piggybacking my system processes in my task manager and there are all kinds of activities that I have never seen before.
i.e.: HPZSTC04.EXE, RUNDLL32.EXE, DLLHOST.EXE, catalog.wci, conscorr.exe (previously w/ Troj-gen(vc)), EXPLORER.EXE (2x), iexplorer.exe (2x), WISPTIS.EXE, SVCHOST.EXE (5x), TASKMGR.EXE, LOCATOR.EXE, wuauclt.exe (2x), cidaemon (2x), SETUP.OVR, LOGONUI.EXE, and the list goes on with others I can't figure out. Please help me. Thanks again for all your previous efforts whocares and eddy. This one has been a doozy.
need rest in the west, lalabugu

lalabugu

Re:System crashed Troj/Ana-01???
« Reply #1 on: October 29, 2004, 05:05:55 PM »
Here is a copy of my shredder log that I ran.
Lots of crap I don't understand. I ran about 3 other scans; if you need any other info just let me know. I am on 24/7. I have cable and will get the notification instantly. Thanks

**** Run Keys ****

RUN: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
RUN: [SpeedOptimizer] D:\MISCTO~1\SPEEDO~1\SPO.EXE -s  
RUN: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
RUN: [Windows Registry Repair Pro] C:\Program Files\Online Services\Windows Registry Repair Pro\RegistryRepairPro.exe 4
RUN: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo


 **** Browser Helper Objects ****

BHO: [AcroIEHlprObj Class] C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll


 **** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx


 **** IE Extensions ****



 **** Hosts File Entries ****

HOSTS:  entry should be kept on an individual line. The IP address should


 **** IE Settings ****

IEProxy: http=localhost:4444
IEBypass: <local>
Default Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Local Page: C:\WINDOWS\System32\blank.htm
Search Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch


 **** IE Context Menu (Right click) ****

IEContext: [AdSubtract: Bypass Site] res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
IEContext: [AdSubtract: Cloak Image] res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
IEContext: [AdSubtract: Report Site] res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
IEContext: [web rebates] res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359


 **** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD nwlnkipx [IPX]
LSP: MSAFD nwlnkspx [SPX]
LSP: MSAFD nwlnkspx [SPX] [Pseudo Stream]
LSP: MSAFD nwlnkspx [SPX II]
LSP: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
LSP: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 7
LSP: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F639194C-E598-4915-BABC-6C88899ED14A}] SEQPACKET 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F639194C-E598-4915-BABC-6C88899ED14A}] DATAGRAM 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0F83D360-F353-487E-AB8B-BD928B426F08}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0F83D360-F353-487E-AB8B-BD928B426F08}] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A002CF76-B0BA-46AB-89DF-C1DB95A946BC}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A002CF76-B0BA-46AB-89DF-C1DB95A946BC}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B6111F55-7C57-4197-BFB1-5C7ED7734B9E}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B6111F55-7C57-4197-BFB1-5C7ED7734B9E}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6DC916DA-A06D-46B5-98ED-2F8F39B37481}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6DC916DA-A06D-46B5-98ED-2F8F39B37481}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5BC65DB2-6656-4953-92F1-CDCEAEF902B7}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5BC65DB2-6656-4953-92F1-CDCEAEF902B7}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{586CA17A-D3F6-42B9-872C-0D7D42E169E7}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{586CA17A-D3F6-42B9-872C-0D7D42E169E7}] DATAGRAM 4


 **** Blocked Control Panel Items ****

BLOCKED: [joy.cpl] YES
BLOCKED: [sapi.cpl] YES
BLOCKED: [access.cpl] YES
BLOCKED: [intl.cpl] YES
BLOCKED: [powercfg.cpl] YES


 **** Downloaded Program Files ****

{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} [http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1098239765313] C:\WINDOWS\System32\mssecadv.dll
{9F1C11AA-197B-4942-BA54-47A8489BB47F} [http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38284.3089930556] C:\WINDOWS\System32\iuctl.dll
{A8658086-E6AC-4957-BC8E-8D54A7E8A790} [http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]


 **** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


 **** Complete IE Options ****

IEOPT: [NoUpdateCheck]  
IEOPT: [NoJITSetup]  
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] hover
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]  
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.yahoo.com/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [NotifyDownloadComplete] no
IEOPT: [Expand Alt Text] yes
IEOPT: [Move System Caret] yes
IEOPT: [NscSingleExpand]  
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [NoWebJITSetup]  
IEOPT: [Page_Transitions]  
IEOPT: [FavIntelliMenus] yes
IEOPT: [Enable Browser Extensions] yes
IEOPT: [UseThemes]  
IEOPT: [Force Offscreen Composition]  
IEOPT: [AllowWindowReuse]  
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]  
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] no
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] no
IEOPT: [Show image placeholders]  
IEOPT: [Print_Background] no
IEOPT: [Use Search Asst] no
IEOPT: [Check_Associations] no
IEOPT: [Use FormSuggest] yes
IEOPT: [AddToFavoritesExpanded]  
IEOPT: [Save Directory] C:\Documents and Settings\Kelley\Desktop\
IEOPT: [FavoritesExportFile] C:\Documents and Settings\Kelley\My Documents\New Briefcase\my personal docs\bookmark.htm
IEOPT: [FavoritesImportFolder] C:\Documents and Settings\Kelley\Favorites
IEOPT: [LastCheckedHi] Y¤Äocuments and Settings\Kelley\Favorites
IEOPT: [FormSuggest Passwords] no
IEOPT: [FormSuggest PW Ask] yes
IEOPT: [FavChevron] NO
IEOPT: [HistoryViewType]  
IEOPT: [Use Custom Search URL]  
IEOPT: [AutoSearch]  
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]  
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]  
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]  
IEOPT: [Placeholder_Height]  
IEOPT: [Start Page] http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IEOPT: [Wizard_Version] 6.00.2800.1106
IEOPT: [FullScreen] no
IEOPT: [Check_Associations] yes
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO

whocares

Re:System crashed Troj/Ana-01???
« Reply #2 on: October 29, 2004, 07:45:57 PM »
Hi,

- please try again to post a HijackThis log here for diagnosis: -> http://tomcoyote.org
if you can't access this, please use the board search or Google for alternative DL possibilities, or transfer it from another PC

- your reports would be more readable if you only posted actual problem/malware findings: again, the full malware name & location (path/folder/filename) would be necessary

[EDIT] I see you yourself posted the TrendMicro link for info on HakDef.. -> Why not try & follow the instructions again..?
[/EDIT]

But, considering your previous postings, and with all the holes & problems on your machine..:
I'd advise Backup, Format C: and a proper reinstall -> see "VirusRemoval" below for procedures

« Last Edit: October 29, 2004, 07:50:53 PM by whocares »

lalabugu

Re:System crashed Troj/Ana-01???
« Reply #3 on: October 30, 2004, 01:34:47 AM »
OK... so here is the latest HJT log.

Logfile of HijackThis v1.98.0
Scan saved at 4:27:27 PM, on 10/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC04.EXE
C:\Program Files\AdSpytrack\AdSubtract\AdSub.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\WLAN\802.11 Wireless LAN\WlanMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\viral killers\SpySubTract\SpySub.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\viral killers\hijackthis.log\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:4444
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: entry should be kept on an individual line. The IP address should
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedOptimizer] D:\MISCTO~1\SPEEDO~1\SPO.EXE -s
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\Online Services\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: SpySubtract.lnk = D:\viral killers\SpySubTract\SpySub.exe
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359

I think maybe I should just wipe the system and start over. It's a mess and I have already tried to remove half this stuff about 4 times now again. I just want to make sure that I don't lose any of my programs and installs. How do I go about making a backup of all this stuff and not transferring anything that will carry the virus with it? I don't know how that's done. Can you point me in the right direction? I downloaded most of my programs, and the ones I bought off the shelf I don't have most of the disks anymore. That's a lot of money in software that I can't afford to replace. I am about to cry. At least a couple grand. Thanks for your advice whocares. :o)
suddenly sad in cali, lalabugu
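As an added illustration (not code from the thread or from HijackThis itself), the following Python helper parses HJT-style `R`/`O` lines and flags the three things in the log above that a reviewer would look at first: the `R1` browser proxy pointing at localhost:4444, the `R3` URLSearchHook with "(no file)", and the `O1` hosts entry that does not start with an IP address. The sample input is copied from the posted log; the heuristics and their wording are this example's own assumptions, not HijackThis's verdicts.

```python
import re
from ipaddress import ip_address

# Lines taken from the HijackThis log posted above; constructed test input for this example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:4444
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: entry should be kept on an individual line. The IP address should
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SpeedOptimizer] D:\MISCTO~1\SPEEDO~1\SPO.EXE -s
"""

# Every HJT finding is "<section> - <body>", e.g. "R1 - ...", "O4 - ..."
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")


def _is_loopback_proxy(value: str) -> bool:
    # ProxyServer is either "host:port" or "http=host:port;https=host:port"
    for part in value.split(";"):
        host = part.split("=", 1)[-1].split(":", 1)[0].strip().lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def triage(log_text: str) -> list:
    """Return (section, reason) pairs for HJT lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "R1" and "ProxyServer" in body:
            if _is_loopback_proxy(body.split("=", 1)[1]):
                findings.append((section, "browser proxy points at a local listener; "
                                          "identify the process bound to that port"))
        elif section == "R3" and body.endswith("(no file)"):
            findings.append((section, "URLSearchHook with no backing file: orphaned entry"))
        elif section == "O1":
            entry = body.split("Hosts:", 1)[-1].strip()
            first = entry.split()[0] if entry else ""
            try:
                ip_address(first)
                findings.append((section, "hosts override present: verify the mapping is intended"))
            except ValueError:
                findings.append((section, "hosts line does not start with an IP address: malformed or tampered"))
    return findings
```

Running `triage(SAMPLE_LOG)` yields one finding each for R1, R3 and O1, in log order; the O2 and O4 lines pass through untouched.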