HijackThis log

I wasn't sure whether this was the right category to post this thread... here's hoping someone can tell me whats happening with my system.

I have IE6 windows appear briefly on the taskbar, but not visible on the screen, it takes forever to sign into the internet (on BB) after a reboot, and generally performance has diminished. Following somebody elses advice on previous posts I have downloaded and run HiJackThis, here is the log:

Logfile of HijackThis v1.98.0
Scan saved at 10:35:46, on 20/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\oracle\ora92\bin\omtsreco.exe
D:\oracle\ora92\bin\agntsrvc.exe
C:\WINDOWS\system32\cmd.exe
D:\oracle\ora92\bin\dbsnmp.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
d:\oracle\ora92\bin\ORACLE.EXE
d:\oracle\ora92\bin\ORACLE.EXE
d:\oracle\ora92\bin\ORACLE.EXE
d:\oracle\ora92\bin\ORACLE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Trust\305KS WIRELESS OPTICAL DESKSET\KbdAp32A.exe
C:\Program Files\Trust\305KS WIRELESS OPTICAL DESKSET\lwbwheel.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\loadkk.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\xpijdf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\WinRAR\WinRAR.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toolbar.google.com/done
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Trust\305KS WIRELESS OPTICAL DESKSET\KbdAp32A.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\305KS WIRELESS OPTICAL DESKSET\lwbwheel.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44 "
O4 - HKLM\..\Run: [KK Loader] C:\WINDOWS\System32\loadkk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe "
O4 - HKLM\..\Run: [nmohwmbvgivhx] C:\WINDOWS\System32\xpijdf.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BlackICE Utility.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: BT - {4BF4CDBA-0DFC-442B-ACB4-936D73EB774A} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {8D1D56B0-7DAE-4781-9347-7B9E97634594} - http://bt.yahoo.com (file missing) (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.2awm.com/file/promax1.chm::/on-line.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FAEC160-507D-4651-AAF1-F294643AD356}: NameServer = 194.74.65.86 194.72.9.55

Cheers.

 

Do this 1st (below) and post back HIJ log this will save time.

 

In addition to doing the updated Spybot and Ad-aware scans, open CWShredder, close ALL other windows and click fix. Reboot, then visit Windows Update. Accept all critical updates.
Reboot and go back to Windows Update until there are no more criticals offered.
Reboot again and scan your PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.

 

What are these programs?

C:\WINDOWS\System32\loadkk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\xpijdf.exe
C:\WINDOWS\System32\ctfmon.exe

Becareful of programs that are running that are located in System32. Alot of times you might think of them accually being programs that windows need to run when this is not true.

Do this as well, boot up in Safe mode and do another HackThis! Log. Make a comparison of the 2 to see what is running and what is not. Thats all i can give u for the time being.

NeoSpawn

ps: The newest Spybot as a feature for the boot up, look in there for any suspicious looking programs that wants to boot up.

 

C:\WINDOWS\System32\loadkk.exe
KeyKey XP Professional from KeyKey.com. "Monitor Instant Messages, Chats, Emails, Web Site URLs, Passwords, Computer Programs, Start Up and Shut Down time and much more completely undetected to the user." Mixed reviews as to spyware/adware contents or completely legit.

C:\WINDOWS\System32\wuauclt.exe
Windows Update AutoUpdate Client if running from \system32. Probably virus if running from elsewhere. Background process responsible for updates to Windows. Whenever you connect to the Internet, Wuauclt checks the Microsoft web site for updates to Windows.

C:\WINDOWS\System32\ctfmon.exe
A service that handles the Alternative User Input Text Processor (TIP) and the Microsoft Office Language Bar. It provides text input support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

C:\WINDOWS\System32\xpijdf.exe
No idea and possibly dropped on the system by a baddie unless twistedwheel knows what program it belongs to.

 

O4 - HKLM\..\Run: [nmohwmbvgivhx] C:\WINDOWS\System32\xpijdf.exe

nmohwmbvgivhx Never seen a program with that random name. Definately a baddie, and probably a trojan. xpijdf.exe needs to be stopped from running via task manager and deleted, and the entry fixed with HJT, if it remains after doing the suggested scans with Spybot and Ad-aware. There may be more, so do post a new log when done.