
Infected - but I can't find it...

Discussion in 'Malware and Virus Removal Archive' started by jbrej, 2007/01/15.

  1. 2007/01/15
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    Hi.

    Obviously there is something on my pc, which should not be there.

    Symptoms: Internet access - browsing and online games - misbehaves.
    Google search hit links end up at strange sites, CounterStrike's steam.exe doesn't show up, World of Warcraft can't verify the installed version, etc.

    • Win XP SP2, all hotfixes. McAfee Enterprise fully updated.
    • McAfee Full Scan is clean.
    • Trend online scan is clean
    • Spybot is almost clean, found a few tracking cookies
    • Ad-Aware scan is clean.


    Here is the Hijack log:

    ****************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 00:16:41, on 16-01-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\WINDOWS\System32\vmnat.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\System32\vmnetdhcp.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\Public\AntiSpyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\Program Files\GoZilla\Go.exe" /FIXRAS
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://opdatering.tdc.dk/csp/authenticode/tdccsp-0506.exe
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\Software\..\Telephony: DomainName = spss.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C827D7CA-8A52-4F65-8973-B52C8B1BA1E8}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D4B2E299-6E12-4851-8064-593D92D6AF93}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF7BDD58-6E06-4143-A0FE-1B22E59C2F18}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
    O17 - HKLM\System\CS2\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
    O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

    ****************************************************

    Please advise.
     
  2. 2007/01/15
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi J

    Welcome to the best the WindowsBBS!

    Do you have, and have you run, SpyBot and AdAware?

    Well, there are a lot of programs listed, but nothing really suspicious except the many svchost entries and the many TCPIP parameters entries. Possibly because of the amount and type of programs you have installed. If you have anything, it may be a RootKit. We will get to that, but first!

    Let's start with a laxative and enema!

    ATF-Cleaner http://www.atribune.org/content/view/25/2/
    When run, check Select All; run twice or more until nothing else is found.

    CCleaner get the slim version http://www.ccleaner.com/download/builds.aspx
    Click Run Cleaner (bottom right) twice,
    then in the left panel click Issues, then below, Scan for Issues; run twice or until no more are found.

    Clean all user profiles at once.

    http://ezpcfix.net/download.aspx?dlo...x-1-0-0-16.exe

    http://ezpcfix.net/download.aspx?dlo...-16/Plugin.inf

    The above need to be downloaded and need no install, but need to be put together in the same folder.

    So download them, create a folder (I recommend Program Files\EzPcFix) and run them from there.

    This seems to be a simple and basic program at first, but I advise you not to tinker with too many of its other features unless you know what you are doing, as it has some extremely powerful features but looks so harmless.

    Here are the steps:

    1. Run the program
    2. Click Load Hives
    3. Double click Delete temp files
    4. Select the optional check boxes if you want
    5. If you Checked _Restore /System Volume information\_Restore then you should create a new restore point via System Restore.
    6. I usually close the Hives before exit
    Even better, run in Safe Mode.
    ==========================================================

    Download install and run
    http://www.xblock.com/download/xclean_micro.exe

    This is an advanced cleaner that goes after not everything, but only the worst, most prolific and damaging malware and some viruses.

    Delete ALL it finds, no exceptions. If, after cleaning an incident, it advises a reboot, say no during the process, but do so when the program ends, before continuing with the next step below.

    If there are many finds with this program, then reboot to Safe Mode and run it again. I use this as a preclean before SpyBot and AdAware.

    Then do the following:

    Start-Run
    type
    cmd

    Copy and paste, or type, each of the following at the command prompt:

    netsh interface ip delete arpcache

    ipconfig /flushdns

    ipconfig /release *

    ipconfig /renew *

    ipconfig /registerdns

    nbtstat -RR

    Reboot

    Test out for issues you mentioned

    Report back results

    Mike
     

  4. 2007/01/16
    mflynn

    J

    Hope I didn't scare you away.

    Didn't mean for this to be the fix.

    But only to clean the slate some before doing a specialized deeper MalWare search/clean.

    The only Malware clean we used here was XClean_micro.

    So what were the results with it?

    And do you have SpyBot and AdAware?

    If so update and run if not get:

    Hitman Pro
    http://majorgeeks.com/downloadget.ph...9bc670c92f6694

    It installs SpyBot & AdAware plus others in a tweaked-out mode to do in-depth scans.

    If you already have SpyBot & AdAware then they should be uninstalled before installing HitMan!

    Mike
     
  5. 2007/01/16
    jbrej

    Hi Mike
    Thank you for offering your assistance.

    No, I am not scared :), I have been to sleep since I am situated in Denmark.

    I already ran checks with updated spybot and Ad-aware (from lavasoft).

    I will start following your instructions from your first reply, and post a new HJT log when I also have completed dual runs of the scanners in safe mode, but I have to do some paid work :-( now, so do not expect new replies for the next 10 hours or so.

    Best regards

    Jens
     
  6. 2007/01/16
    jbrej

    xclean-micro is now clean, as are the other tools, in normal mode as well as in safe mode.

    Here is the HJT log:

    *********************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 21:40:46, on 16-01-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\WINDOWS\System32\vmnat.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\System32\vmnetdhcp.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    D:\Public\AntiSpyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\Program Files\GoZilla\Go.exe" /FIXRAS
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://opdatering.tdc.dk/csp/authenticode/tdccsp-0506.exe
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\Software\..\Telephony: DomainName = spss.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C827D7CA-8A52-4F65-8973-B52C8B1BA1E8}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D4B2E299-6E12-4851-8064-593D92D6AF93}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF7BDD58-6E06-4143-A0FE-1B22E59C2F18}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
    O17 - HKLM\System\CS2\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
    O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

    ********************************************************


    Meanwhile, I uninstalled spybot and adaware, installed and ran hitman.
    Hitman was, however, run in no-fix mode, as you hadn't instructed me to run it, but Ewido found multiple occurrences of trojan.dnschanger.hg in memory as well as 1 file, which I have deleted, and I emptied the recycle bin.

    The symptom persists; World of Warcraft is disturbed and steam.exe (from CounterStrike) doesn't show its GUI, but is sent to a hidden window.
    When I shutdown, windows complains about this hidden window.

    While I wait for your reply, I will run Ewido again, just to check if the trojan is still in memory (after a reboot).

    Thanks
     
  7. 2007/01/16
    mflynn

    Hi Jens

    After you finish your scans, before you do the below, let me know the results of the last Ewido.


    Do the following
    http://downloads.subratam.org/Fixwareout.exe

    Double click on Fixwareout.exe to install

    Run
    then
    check fixit
    when asks
    then click finish

    follow the prompts
    When prompted, reboot your computer
    It will finish the fix on booting back up; it will take some time.
    Post the log that opens to us

    Then

    Run HJT
    Do system scan only, check all of the below and then click fix Checked

    May take longer than usual to boot
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\Software\..\Telephony: DomainName = spss.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C827D7CA-8A52-4F65-8973-B52C8B1BA1E8}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D4B2E299-6E12-4851-8064-593D92D6AF93}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF7BDD58-6E06-4143-A0FE-1B22E59C2F18}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
    O17 - HKLM\System\CS2\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
    ========================================

    Then

    Download
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Extract to your Desktop
    then Boot to Safe mode

    Open SmitfraudFix and double click smitfraudfix.cmd

    Choose #2 - Clean and press Enter

    Will take a while

    If it reports process.exe, it is OK, false positive.

    When done,
    reboot to normal
    browse to c:\ and open rapport.txt file

    Copy and Paste to us.

    Then Reboot

    Mike
     
    Last edited: 2007/01/16
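The O17 lines Mike lists above show the same pair of foreign name servers written into every control set of the Tcpip key (CCS, CS1 and CS2), which is why the fix list covers all of them rather than just CurrentControlSet: CurrentControlSet is only a link to one of the numbered sets, and a value left behind in another set survives a fix that edits CCS alone. As an added example that is not part of this thread, of HijackThis or of any tool named here, the Python below parses O17 NameServer lines from an HJT log, flags any resolver outside an allow-list the administrator defines, and reports which control sets each rogue resolver was written to. The sample input reuses O17 lines from the log above plus one constructed benign entry (192.168.1.1), the allow-list of RFC 1918 private ranges is an assumption for illustration, and all function names are mine.

```python
"""Audit HijackThis O17 lines for rogue DNS resolvers (added example, not from the thread)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample input: O17 lines reused from the HJT log in this thread,
# one non-O17 line, and one constructed benign entry (192.168.1.1 under a GUID
# taken from the log) to show what a non-flagged resolver looks like.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spss.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
O17 - HKLM\System\CS2\Services\Tcpip\..\{12A9EB5B-56DB-43A4-BAD6-284DA3D3EF82}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{C827D7CA-8A52-4F65-8973-B52C8B1BA1E8}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# Assumption for illustration: the only resolvers this machine should use are
# private RFC 1918 addresses (a home router or corporate DNS). Replace with the
# organisation's real resolver list when running this over a real log.
TRUSTED_RESOLVERS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")
CONTROL_SET_RE = re.compile(r"^HKLM\\System\\(?P<cs>CCS|CS\d+)\\")


def parse_nameserver_entries(log_text):
    """Return [(registry_key, [server, ...])] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if not match:
            continue  # Domain= lines and non-O17 lines are not resolver settings
        # HJT prints per-adapter values comma-separated and the global
        # Parameters value space-separated; accept both separators.
        servers = [s for s in re.split(r"[,\s]+", match.group("servers")) if s]
        entries.append((match.group("key"), servers))
    return entries


def is_trusted(server, trusted=TRUSTED_RESOLVERS):
    """True if the resolver literal falls inside one of the trusted networks."""
    try:
        addr = ip_address(server)
    except ValueError:
        return False  # not a valid IP literal: flag it rather than ignore it
    return any(addr in net for net in trusted)


def audit_nameservers(log_text, trusted=TRUSTED_RESOLVERS):
    """Group every resolver by trust and record which registry keys reference it."""
    report = {"rogue": defaultdict(list), "trusted": defaultdict(list)}
    for key, servers in parse_nameserver_entries(log_text):
        for server in servers:
            bucket = "trusted" if is_trusted(server, trusted) else "rogue"
            report[bucket][server].append(key)
    return {bucket: dict(by_server) for bucket, by_server in report.items()}


def control_sets(keys):
    """Which control sets (CCS, CS1, CS2, ...) a list of registry keys touches.

    CurrentControlSet is only a link to one numbered set; a rogue value left in
    the others survives a fix that edits CCS alone, so the fix must cover them all.
    """
    found = set()
    for key in keys:
        match = CONTROL_SET_RE.match(key)
        if match:
            found.add(match.group("cs"))
    return found


if __name__ == "__main__":
    result = audit_nameservers(SAMPLE_LOG)
    for server, keys in result["rogue"].items():
        print(f"ROGUE resolver {server}: {len(keys)} key(s) in control sets "
              f"{sorted(control_sets(keys))}")
    for server, keys in result["trusted"].items():
        print(f"trusted resolver {server}: {len(keys)} key(s)")
```

Run against the sample, both 85.255.x.x resolvers come back as rogue with references in CCS, CS1 and CS2, while 192.168.1.1 is left alone; on a real log, every control set named for a rogue resolver needs a matching line in the HJT fix list.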
  8. 2007/01/16
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Jens

    When finished with the above, run Hitman in full repair mode.

    Then let us hope the final HJT log.

    Mike
     
    Last edited: 2007/01/16
  9. 2007/01/16
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    Hitman report before Fixwareout

    Hitman Pro 2.5.5.3 - Report
    16-01-2007 21:50


    Setup files external protection and inspection components
    STATUS    DESCRIPTION                          VERSION       SIZE
    Recent    Archive Extraction Utility           0.0.0.0       307276 bytes
    Recent    RAR decompression library            3.41.0.306    158720 bytes
    Recent    Archive Compression Utility          0.0.0.0       276044 bytes
    Recent    File Encryption/Decryption Utility   0.0.0.0       69708 bytes
    Recent    Ewido AntiSpyware Micro Scanner      4.0.0.1       153144 bytes

    Updates
    Recent    Hitman Pro Updater                   2.5.5.3       489816 bytes

    STATUS    DESCRIPTION                          VERSION       SIZE
    Recent    Hitman Pro uninstaller                             545392 bytes
    Recent    SurfRight Launcher                                 749771 bytes
    Recent    SurfRight Helper                                   534872 bytes

    System protection and immunization
    Windows Security Update concerning WMF Vulnerability (KB912919)
    System is protected against WMF Exploit

    Cumulative Security Update for Internet Explorer (KB912812)
    With this update your system is protected against several exploits.
    For more information visit this Microsoft Security Bulletin: MS06-013

    Adobe Flash Player 9 ActiveX control upgrade
    ActiveX control is current (no upgrade needed) (9.0.28.0)

    Security Update KB925486 (Vulnerability in Vector Markup Language)
    This update addresses the vulnerability discussed in Microsoft Security Bulletin MS06-055

    Messenger service disabled
    The Messenger service can be abused to send ads and spam to computers in a network. Microsoft also released security updates to repair vulnerabilities in the Messenger service; attackers where able to run code through the Messenger service on unpatched systems. Note that the Messenger service has nothing to do with MSN Messenger en Windows Messenger.

    Install on Demand has been disabled
    When Install on Demand enabled, a Web page can download items to display the page properly, or perform a particular task. Web sites can abuse Installation on demand to install spyware. Note that when you disable Install on Demand you will no longer be prompted to download missing Language Pack components (for Web pages that require, for example, Japanese-text display support).

    Trust level of zone Internet is set to Normal (Current User)

    Trust level of zone Internet is set to Normal (All Users)

    The trust level the Internet Zone should at least be set to Normal. This default setting causes Internet Explorer to prompt the user whenever potentially unsafe content is ready to download.

    SpywareBlaster protection applied
    Blocks the installation of spyware, adware, dialers, browser hijackers, and other potentially unwanted ActiveX-based software. With Internet Explorer 6 and Mozilla/Firefox, it also blocks cookies that may be used to track your activities, build a profile about your habits, collect information, or uniquely identify you to advertisers.
    SpywareBlaster is freeware for personal and educational use. For more information visit http://www.javacoolsoftware.com/spywareblaster.html

    Ewido Micro
    00:57:51
    ewido anti-malware offers you realtime protection against Hijackers and Spyware, Worms, Dialers, Trojans and Keyloggers. Click here for more information.

    Downloader.Zlob.bir

    Disk Cleanup
    Cleaned
    C:\Documents and Settings\jbrejner

    Cleaned
    C:\WINDOWS\Temp

    Cleared
    8 MB

    Disk Cleanup clears folders with temporary Windows and Internet Files. Over time these folders can contain a lot of files, occupying a lot of disk space. This space could normally be used for documents and programs. Clearing the temporary folders is also an advantage for Hitman Pro because it will shorten inspection time of Ad-aware, Spy Sweeper and Spybot S&D. Also, the inspection programs will find fewer traces of spyware because potential spyware installation files are already wiped by Disk Cleanup.

    This report is generated by Hitman Pro, created by Mark Loman
    Support the resistance against spyware and make a small donation; see the link Donate on the website www.hitmanpro.com
     
  10. 2007/01/16
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    Fixwareout report

    Fixwareout
    Last edited 1/14/2006
    Post this report in the forums please
    ...
    Prerun check
    »»»»» HKLM run and Winlogon System values
    C:\WINDOWS\system32\kdabk.exe will be moved to C:\WINDOWS\temp\kdabk.ren at reboot.
    »»»»» System restarted
    ...
    Reg Entries that were deleted
    ...
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...
    One or more CON code pages invalid for given keyboard code

    »»»»»
    Search five digit cs, dm kd and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.

    »»»»» Postrun check
    »»»»» HKLM run
    »»»»» Winlogon System value
    "system "=" "
    »»»»»


    Continuing with next tool
     
  11. 2007/01/16
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    SmitFraud Report

    Hi Mike.

    I'll start Hitman in Full Fix now, and let the box enjoy itself for a couple of hours while I sleep :), will post HJT and Hitman reports tomorrow, but things are looking better; Steam, for instance, doesn't hide anymore.

    *********************************************************


    SmitFraudFix v2.132

    Scan done at 0:24:44.81, Wed 01/17/2007
    Run from C:\SmitFraud\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ******************************************************

    Best regards and thank you very much for your help.

    Jens
     
  12. 2007/01/16
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    OK, good time to stop.

    You had some bad ones.

    Let it run while you sleep.

    Post results from Hitman and new HJT when you wake.

    But if Hitman was not running in safe mode then leave it running in safe mode when you go to work.

    Then post back results tomorrow after work.

    Have a good sleep.

    I think we are close to finished.

    Mike
     
  13. 2007/01/16
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    Hitman is still checking for updates; I will boot into safe mode and run it there instead, then.
     
  14. 2007/01/16
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Great!

    Sleep well.

    Mike
     
  15. 2007/01/17
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    Hitman report and HJT

    Hello Mike.

    Hitman completed in safe mode and found:

    GoZilla

    Backdoor.Hupigon.GEN

    Trojan.DNS Changer


    Report below:

    Hitman Pro 2.5.5.3 - Report
    17-01-2007 00:59

    Unable to communicate with the Hitman Pro servers on internet...

    System protection and immunization
    Windows Security Update concerning WMF Vulnerability (KB912919)
    System is protected against WMF Exploit

    Cumulative Security Update for Internet Explorer (KB912812)
    With this update your system is protected against several exploits.
    For more information visit this Microsoft Security Bulletin: MS06-013

    Adobe Flash Player 9 ActiveX control upgrade
    ActiveX control is current (no upgrade needed) (9.0.28.0)

    Security Update KB925486 (Vulnerability in Vector Markup Language)
    This update addresses the vulnerability discussed in Microsoft Security Bulletin MS06-055

    Messenger service disabled
    The Messenger service can be abused to send ads and spam to computers in a network. Microsoft also released security updates to repair vulnerabilities in the Messenger service; attackers where able to run code through the Messenger service on unpatched systems. Note that the Messenger service has nothing to do with MSN Messenger en Windows Messenger.

    Install on Demand has been disabled
    When Install on Demand enabled, a Web page can download items to display the page properly, or perform a particular task. Web sites can abuse Installation on demand to install spyware. Note that when you disable Install on Demand you will no longer be prompted to download missing Language Pack components (for Web pages that require, for example, Japanese-text display support).

    Trust level of zone Internet is set to Normal (Current User)

    Trust level of zone Internet is set to Normal (All Users)

    The trust level the Internet Zone should at least be set to Normal. This default setting causes Internet Explorer to prompt the user whenever potentially unsafe content is ready to download.

    SpywareBlaster protection applied
    Blocks the installation of spyware, adware, dialers, browser hijackers, and other potentially unwanted ActiveX-based software. With Internet Explorer 6 and Mozilla/Firefox, it also blocks cookies that may be used to track your activities, build a profile about your habits, collect information, or uniquely identify you to advertisers.
    SpywareBlaster is freeware for personal and educational use. For more information visit http://www.javacoolsoftware.com/spywareblaster.html

    Ad-Aware SE Personal, free for private use.
    00:19:23
    1.06r1 SE1R47 24.05.2005
    Ad-Aware Personal provides advanced protection from known data-mining, aggressive advertising, Trojans, dialers, malware, browser hijackers, and tracking components.
    Ad-Aware did not encouter spyware on your system

    Spybot - Search & Destroy
    00:18:51
    Version 1.4 (Build 2005-05-23) Latest detection update: 2007-01-12
    Spybot - Search & Destroy can detect and remove spyware of different kinds from your computer (removal of adware, spyware, dialers, keyloggers, usage tracks, trojans and other baddies). Spybot S&D is also capable of blocking threatening ActiveX downloads (supplementing SpywareBlaster) to protect your system against spyware.

    PC Tools Spyware Doctor
    00:39:49
    Version 4.0.0.2621 Database 3.06421
    Spyware Doctor is a top-rated malware & spyware removal utility that detects and removes your PC from thousands of potential spyware, adware, trojans, keyloggers, spybots and tracking threats. For more information visit http://www.pctools.com/spyware-doctor/


    GoZilla


    Backdoor.Hupigon.GEN


    Trojan.DNS Changer

    Spyware Doctor found 232 threats since 1/16/2007


    Disk Cleanup
    Cleaned
    C:\Documents and Settings\jbrejner

    Cleaned
    C:\Documents and Settings\Administrator

    Cleaned
    C:\WINDOWS\Temp

    Cleared
    19 MB

    Disk Cleanup clears folders with temporary Windows and Internet Files. Over time these folders can contain a lot of files, occupying a lot of disk space. This space could normally be used for documents and programs. Clearing the temporary folders is also an advantage for Hitman Pro because it will shorten inspection time of Ad-aware, Spy Sweeper and Spybot S&D. Also, the inspection programs will find fewer traces of spyware because potential spyware installation files are already wiped by Disk Cleanup.

    This report is generated by Hitman Pro, created by Mark Loman
    Support the resistance against spyware and make a small donation; see the link Donate on the website www.hitmanpro.com

    *******************************************************

    Current HJT report:

    Logfile of HijackThis v1.99.1
    Scan saved at 07:50:24, on 17-01-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\WINDOWS\System32\vmnat.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\System32\vmnetdhcp.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\notepad.exe
    D:\Public\AntiSpyware\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\Program Files\GoZilla\Go.exe" /FIXRAS
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://opdatering.tdc.dk/csp/authenticode/tdccsp-0506.exe
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\Software\..\Telephony: DomainName = spss.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spss.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
    O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

    Best regards
    Jens
     
  16. 2007/01/17
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Jens

    I was hoping this last pass with Hitman in safe mode would do it, but no!

    This has been a bear to fight. But as I see all the many and complex programs you have installed, I guess it is worth it. It would be very hard to rebuild if we had to reinstall.

    We are now going to hit it with pure virus cleaners and a couple more tools.

    Update your own Virus scanner and do a full scan in safe mode when we go there below.

    Download the protective host file
    http://www.mvps.org/winhelp2002/hosts.zip

    Make a folder named MVP, move the zip there and extract it.

    Run mvps.bat and accept the prompts.

    Download the below but run them in safe mode

    Download Dr. Web Cure-it:
    ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

    Gdata Remover
    http://www.gdata.pl/~szczepionki/eng/download/remover.exe

    Then boot back to full mode and run the below

    Bitdefender online
    http://www.bitdefender.com/scan8/ie.html

    Panda Active scan
    http://www.pandasoftware.com/produc...5D4-4DA2-B310-B1DBEC2971F2}&NRCACHEHINT=Guest

    Give report on results of these different runs.


    Mike
     
    Last edited: 2007/01/17
  17. 2007/01/17
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    OK, will do.
    I'll report back later.
    Sigh! That machine is so old and slow; I'm really looking forward to buying its replacement...
     
    Last edited: 2007/01/17
  18. 2007/01/18
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    Completed all scans apart from Panda.
    All scans are clean, but Panda has an ASP page error (non-supported property or method), so I cannot run it.

    I will try a Hitman run; it was Ewido that detected the trojan.
     
    Last edited: 2007/01/18
  19. 2007/01/18
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Jens

    Good idea on Hitman again since it was the one that detected it.

    On the slowness you mention: when we finish the cleanup we can tackle that and perhaps make some improvements.

    For sure now you should do a chkdsk c: /r when we feel we are through with this virus/malware fix.

    One of the things you can do is go thoughtfully through Add/Remove and uninstall old things you don't use and may have forgotten about.

    So once we finish the cleanup we will work on speed and performance.

    OK, if the Hitman comes up clean (I hope.. I hope....) then give me an idea of how many of the original symptoms are gone.

    Mike
     
  20. 2007/01/19
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    Hi Mike.

    I finally had some time to make the runs; things are looking better and the original symptoms are gone.

    Hitman is clean, I'll paste the log below.
    I will also paste in the latest HJT log.

    I am still unable to run Panda's online scan; I am unable to tell if it is their page & ActiveX which is faulty or if it is caused by my machine.

    I want to keep what is in my installed programs, I use it (and I am aware of cleaning the list of programs)

    Disk fragmentation looks good too, I use Executive Software's Diskeeper.
    I will run a chkdsk /f /r at my earliest convenience.

    I have removed all programs from my list of programs in ZoneAlarm Firewall, so it will ask me again.

    One issue has arisen.
    File association with .txt files is weird:
    Double clicking a txt file creates an error message

    Here comes Hitman Report:
    ******************************************************
    Hitman Pro 2.5.5.3 - Report
    19-01-2007 17:35

    Setup files external protection and inspection components
    STATUS    DESCRIPTION                          VERSION       SIZE
    Recent    Archive Extraction Utility           0.0.0.0       307276 bytes
    Recent    RAR decompression library            3.41.0.306    158720 bytes
    Recent    Archive Compression Utility          0.0.0.0       276044 bytes
    Recent    File Encryption/Decryption Utility   0.0.0.0       69708 bytes
    Recent    Trend Micro CWShredder               2.19.0.1099   532480 bytes
    Recent    Ewido AntiSpyware Micro Scanner      4.0.0.1       153144 bytes
    Updates
    Recent    Hitman Pro Updater                   2.5.5.3       489816 bytes
    STATUS    DESCRIPTION                          VERSION       SIZE
    Recent    Hitman Pro uninstaller                             545392 bytes
    Recent    SurfRight Launcher                                 749771 bytes
    Recent    SurfRight Helper                                   534872 bytes
    Recent    Trend Micro Sysclean Package                       3326665 bytes
    Updated   Trend Micro Virus Pattern File                     16148969 bytes
    Updated   Lavasoft Ad-Aware SE Definitions     0.0.0.0       937830 bytes
    System protection and immunization
    Windows Security Update concerning WMF Vulnerability (KB912919)
    System is protected against WMF Exploit
    Cumulative Security Update for Internet Explorer (KB912812)
    With this update your system is protected against several exploits.
    For more information visit this Microsoft Security Bulletin: MS06-013
    Adobe Flash Player 9 ActiveX control upgrade
    ActiveX control is current (no upgrade needed) (9.0.28.0)
    Security Update KB925486 (Vulnerability in Vector Markup Language)
    This update addresses the vulnerability discussed in Microsoft Security Bulletin MS06-055
    Messenger service disabled
    The Messenger service can be abused to send ads and spam to computers in a network. Microsoft also released security updates to repair vulnerabilities in the Messenger service; attackers where able to run code through the Messenger service on unpatched systems. Note that the Messenger service has nothing to do with MSN Messenger en Windows Messenger.
    Install on Demand has been disabled
    When Install on Demand enabled, a Web page can download items to display the page properly, or perform a particular task. Web sites can abuse Installation on demand to install spyware. Note that when you disable Install on Demand you will no longer be prompted to download missing Language Pack components (for Web pages that require, for example, Japanese-text display support).
    Trust level of zone Internet is set to Normal (Current User)
    Trust level of zone Internet is set to Normal (All Users)
    The trust level the Internet Zone should at least be set to Normal. This default setting causes Internet Explorer to prompt the user whenever potentially unsafe content is ready to download.
    SpywareBlaster protection applied
    Blocks the installation of spyware, adware, dialers, browser hijackers, and other potentially unwanted ActiveX-based software. With Internet Explorer 6 and Mozilla/Firefox, it also blocks cookies that may be used to track your activities, build a profile about your habits, collect information, or uniquely identify you to advertisers.
    SpywareBlaster is freeware for personal and educational use. For more information visit http://www.javacoolsoftware.com/spywareblaster.html
    Trend Micro Sysclean Package
    01:10:22
    This antivirus scanner inspects your local files for viruses, worms and Trojans. Infected files are (when possible) either cleaned or eliminated so they don't cause any damage.
    This antivirus does not offer active (realtime) protection against viruses, worms and Trojans. You should install an active antivirus product in case you do not have this protection yet.
    Damage Cleanup Engine (DCE) 3.98 (Build 1012)
    Damage Cleanup Template (DCT) 830
    Virus pattern version 197 (151800 patterns) (2007/01/19)
    Trend Micro Sysclean did not encounter viruses or spyware on your system
    Ad-Aware SE Personal, free for private use.
    00:02:52
    1.06r1 SE1R145 17.01.2007
    Ad-Aware Personal provides advanced protection from known data-mining, aggressive advertising, Trojans, dialers, malware, browser hijackers, and tracking components.

    Windows
    Spybot - Search & Destroy
    00:36:29
    Version 1.4 (Build 2005-05-23) Latest detection update: 2007-01-12
    Spybot - Search & Destroy can detect and remove spyware of different kinds from your computer (removal of adware, spyware, dialers, keyloggers, usage tracks, trojans and other baddies). Spybot S&D is also capable of blocking threatening ActiveX downloads (supplementing SpywareBlaster) to protect your system against spyware.

    Ewido Micro
    00:59:37
    ewido anti-malware offers you realtime protection against Hijackers and Spyware, Worms, Dialers, Trojans and Keyloggers. Click here for more information.
    Ewido Micro did not encouter spyware on your system

    Disk Cleanup
    Cleaned
    C:\Documents and Settings\Administrator
    Cleaned
    C:\Documents and Settings\jbrejner
    Cleaned
    C:\WINDOWS\Temp
    Cleared
    29 MB
    Disk Cleanup clears folders with temporary Windows and Internet Files. Over time these folders can contain a lot of files, occupying a lot of disk space. This space could normally be used for documents and programs. Clearing the temporary folders is also an advantage for Hitman Pro because it will shorten inspection time of Ad-aware, Spy Sweeper and Spybot S&D. Also, the inspection programs will find fewer traces of spyware because potential spyware installation files are already wiped by Disk Cleanup.
    This report is generated by Hitman Pro, created by Mark Loman
    Support the resistance against spyware and make a small donation; see the link Donate on the website www.hitmanpro.com


    ******************************************************

    And the HJT report

    ******************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 22:43:38, on 19-01-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\WINDOWS\System32\vmnat.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\System32\vmnetdhcp.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\inetsrv\DavCData.exe
    D:\Public\AntiSpyware\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://opdatering.tdc.dk/csp/authenticode/tdccsp-0506.exe
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\Software\..\Telephony: DomainName = spss.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spss.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spss.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
    O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

    ******************************************************
     
  21. 2007/01/19
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Great Jens

    HJT is clean!!!!!

    To fix the txt file: browse to one but don't open it. Right-click, choose Properties and look for "Opens with"; if WordPad is not on the list, browse to it and choose it, and be sure to check "Always use".

    Get Startup Control panel and get better control of things that start up on boot.

    http://www.mlin.net/files/StartupCPL_EXE.zip

    ERUNT
    Let it do a registry backup every time you boot.
    Use the registry optimizer.

    http://www.majorgeeks.com/downloadget.php?id=1267&file=9&evp=72a324c1d2c33a2b43a2853ad7ecc6a3

    Since we gave your computer an Enema and Laxative:D we have created a lot of holes (fragmentation) in both the file system and registry.

    So defrag/optimize both the disk and registry.

    Visit windows update.com

    Look at http://www.autopatcher.com
    If you do this get the Nov full, Dec and Jan updates. Install the full but cancel the run until you have both updates installed, then run it.

    Look at this http://wiki.djlizard.net/Dial-a-fix
    You especially might consider it since you had some things that may have unregistered some DLLs etc. It is very safe. One good thing I have found is that if it complains that a file is missing it gives you the name so you can get the file put back.

    Questions? Just call!:)


    Mike
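The verdict above ("HJT is clean") comes from reading the HijackThis log entry by entry. The following is an added example, not code from the thread or from HijackThis, showing how a reviewer can do that first pass mechanically: it parses HJT-style lines (section code, then the entry body), counts entries per section, and flags the things a helper looks at first, namely entries that end in "(file missing)", O23 services with no vendor string ("Unknown owner"), and paths with an unbalanced quote like the WinVNC4 service line in this log. The sample input is a handful of lines copied from the log above; the flags are prompts for manual review, not a malware verdict.

```python
import re

# Constructed sample: six lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

# An HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into entries; non-entry lines (header, process list) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body"), "raw": line})
    return entries


def summarize(text):
    """Count entries per section code, e.g. {'O4': 2, 'O23': 2}."""
    counts = {}
    for e in parse_hjt(text):
        counts[e["section"]] = counts.get(e["section"], 0) + 1
    return counts


def review_entry(entry):
    """Return the review notes a helper would attach to one entry (empty list = nothing to see)."""
    notes = []
    body = entry["body"]
    # Registration left behind after an uninstall, or a service whose binary is gone.
    if body.endswith("(file missing)"):
        notes.append("file missing")
    # Services normally carry a vendor string; its absence is worth a look, not a verdict.
    if entry["section"] == "O23" and "Unknown owner" in body:
        notes.append("unknown owner")
    # An odd number of double quotes means the ImagePath was recorded with a stray quote.
    if body.count('"') % 2 == 1:
        notes.append("unbalanced quotes")
    return notes


def review_hjt(text):
    """Map each flagged raw line to its notes; entries with no notes are omitted."""
    findings = {}
    for e in parse_hjt(text):
        notes = review_entry(e)
        if notes:
            findings[e["raw"]] = notes
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for line, notes in review_hjt(SAMPLE_LOG).items():
        print(", ".join(notes), "->", line)
```

On the sample, only the dead BitDefender button and the WinVNC4 service are flagged; both match what the log itself shows and neither contradicts the "clean" reading, which is the point: the script narrows a 70-line log to the handful of lines that need a human's judgement.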
     