
Please assist with HJT log

Discussion in 'Malware and Virus Removal Archive' started by jbrej, 2008/02/11.

  1. 2008/02/11
    jbrej (Thread Starter)
    ... My cousin's son's PC.
    I have cleaned it of hundreds of trojans, spyware etc., but it still behaves a bit weird. As soon as this PC is connected to the LAN, other PCs start to have problems reaching the internet.
    I am imagining that there is still some malware left and that this malware calls out to the internet, and a massive number of connection attempts to or from the infected PC is flooding our gateway.

    For cleaning I have used CCleaner, Superantispyware, McAfee AV, Spybot, and combofix.

    Here is the latest HiJackThis Log, but I am not sure what to look for.

    Logfile of HijackThis v1.99.1
    Scan saved at 17:46:27, on 11-02-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Programmer\AlienGUIse\wbload.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\programmer\fælles filer\logishrd\lvmvfm\LVPrcSrv.exe
    C:\Programmer\MSI\Bluetooth Software\bin\btwdins.exe
    C:\Programmer\Executive Software\Diskeeper\DkService.exe
    C:\Programmer\Network Associates\Common Framework\FrameworkService.exe
    C:\Programmer\Network Associates\VirusScan\Mcshield.exe
    C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Programmer\iTunes\iTunesHelper.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
    C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe
    C:\Programmer\Fælles filer\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Programmer\iPod\bin\iPodService.exe
    C:\Programmer\Logitech\QuickCam10\QuickCam10.exe
    C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Programmer\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmer\Steam\Steam.exe
    C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Programmer\MSI\Bluetooth Software\BTTray.exe
    C:\Programmer\Fælles filer\Logishrd\LQCVFX\COCIManager.exe
    C:\Documents and Settings\HP_Ejer\Skrivebord\nocrap tools\alternativ.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Programmer\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmer\Fælles filer\LogiShrd\LComMgr\Communications_Helper.exe "
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmer\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "C:\Programmer\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Programmer\MSI\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Ejer\Menuen Start\Programmer\IMVU\Run IMVU.lnk
    O9 - Extra button: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176997916328
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WB - C:\Programmer\AlienGUIse\fastload.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Ati HotKey Poller AtiMcShield (AtiMcShield) - Unknown owner - C:\WINDOWS\system32\advpack.dllw.exe (file missing)
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\MSI\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe (file missing)
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmer\Executive Software\Diskeeper\DkService.exe
    O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
    O23 - Service: FFI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exm.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmer\fælles filer\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmer\Fælles filer\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Programmer\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  2. 2008/02/12
    Geri (Alumni)
    Hi jbrej
    I'm not seeing anything.
    You're using an out-of-date HJT; please download this one and post the log.

    Is he using imesh.com?


    Download a copy of the HijackThis installer from here and save it to your Desktop.

    1. Save HJTInstall.exe to your desktop.
    2. Double-click on the HJTInstall.exe icon on your desktop.
      (Let it install to the default location C:\Program Files\Hijackthis)
    3. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    4. Put a check by Create a desktop icon and then click Next again.
    5. Continue to follow the rest of the prompts from there.
    6. At the final dialogue box click Finish and it will launch HijackThis.
    7. Click on the Do a system scan and save a log file button.
      (It will scan and the log should open in Notepad.)
    8. Click on "Edit" > "Select All" to highlight the entire Notepad contents.
    9. Then click on "Edit" > "Copy".
    10. Come back here to this thread and Paste the log in your next reply.
      (Right-click in the message body field and select "Paste".)
    CAUTION: DO NOT have HijackThis "fix" anything without carefully following expert guidance. Otherwise, you might render your computer unstable or even unbootable. Most of what HijackThis finds will be harmless or even required.

    Thanks
    Geri
     


  4. 2008/02/13
    jbrej (Thread Starter)
    new log

    Hi Geri.
    Thanks for picking up this thread.
    Here is the new log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:56:11, on 13-02-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Programmer\AlienGUIse\wbload.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\programmer\fælles filer\logishrd\lvmvfm\LVPrcSrv.exe
    C:\Programmer\MSI\Bluetooth Software\bin\btwdins.exe
    C:\Programmer\Executive Software\Diskeeper\DkService.exe
    C:\Programmer\Network Associates\Common Framework\FrameworkService.exe
    C:\Programmer\Network Associates\VirusScan\Mcshield.exe
    C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Programmer\iTunes\iTunesHelper.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
    C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe
    C:\Programmer\Fælles filer\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Programmer\iPod\bin\iPodService.exe
    C:\Programmer\Logitech\QuickCam10\QuickCam10.exe
    C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Programmer\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Programmer\MSI\Bluetooth Software\BTTray.exe
    C:\Programmer\Fælles filer\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmer\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Programmer\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmer\Fælles filer\LogiShrd\LComMgr\Communications_Helper.exe "
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmer\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "C:\Programmer\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Programmer\MSI\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Ejer\Menuen Start\Programmer\IMVU\Run IMVU.lnk
    O9 - Extra button: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176997916328
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Ati HotKey Poller AtiMcShield (AtiMcShield) - Unknown owner - C:\WINDOWS\system32\advpack.dllw.exe (file missing)
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\MSI\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe (file missing)
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmer\Executive Software\Diskeeper\DkService.exe
    O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
    O23 - Service: FFI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exm.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmer\fælles filer\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmer\Fælles filer\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Programmer\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 9832 bytes

    Best regards

    Jens
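What a reviewer looks for in the O23 (service) lines of the log above, as an added example that is not part of the thread and not HijackThis or SDFix code: a small Python parser that flags a service whose binary is reported missing, whose path points into an NTFS alternate data stream (the svchost.exe:ext.exe and svchost.exe:exm.exe entries), whose binary has a double extension (advpack.dllw.exe), or whose display name borrows a vendor name while the owner is unknown. The sample lines are copied from the posted log; the heuristics and their weighting are my own, and PnkBstrA is included to show that "Unknown owner" by itself is not treated as an indicator.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the O23 lines copied from the HijackThis log posted above.
SAMPLE_O23 = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Ati HotKey Poller AtiMcShield (AtiMcShield) - Unknown owner - C:\WINDOWS\system32\advpack.dllw.exe (file missing)
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: FFI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exm.exe (file missing)
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip()

# HJT 2.x O23 format: "O23 - Service: <display> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
# HJT puts the service's short (registry) name in parentheses after the display name.
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")
# Vendor names a rogue service tends to borrow for its display name (my own list).
VENDOR_RE = re.compile(r"microsoft|mcshield|mcafee|\bati\b", re.IGNORECASE)


@dataclass
class ServiceEntry:
    name: str
    display: str
    owner: str
    path: str
    missing: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o23(line: str):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    sm = SHORT_NAME_RE.search(display)
    return ServiceEntry(
        name=sm.group("short") if sm else display,
        display=display,
        owner=m.group("owner"),
        path=m.group("path"),
        missing=bool(m.group("missing")),
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach a reason for every indicator that applies; no reasons means 'looks normal'."""
    basename = entry.path.rsplit("\\", 1)[-1]
    if entry.missing:
        entry.reasons.append("registered service whose binary is not on disk")
    # Any colon after the drive letter means the binary lives in an NTFS alternate
    # data stream attached to another file; Explorer and dir do not show such streams.
    if ":" in entry.path[2:]:
        entry.reasons.append("path points into an alternate data stream")
    # Two extensions on the file name itself (e.g. advpack.dllw.exe); the stream
    # suffix is cut off first so ADS paths are not double-counted.
    if re.search(r"\.\w+\.\w+$", basename.split(":")[0]):
        entry.reasons.append("double file extension")
    # A vendor-style name with no identifiable owner: "Unknown owner" alone is
    # common for legitimate third-party services, so it only counts together
    # with the borrowed name.
    if entry.owner.lower() == "unknown owner" and VENDOR_RE.search(entry.display):
        entry.reasons.append("vendor-style display name but no identifiable owner")
    return entry


def scan_o23(log_text: str) -> list:
    """Parse and assess every O23 line in an HJT log; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None:
            entries.append(assess(entry))
    return entries


def flagged_names(log_text: str) -> list:
    """Short names of the services that carry at least one indicator, in log order."""
    return [e.name for e in scan_o23(log_text) if e.suspicious]


if __name__ == "__main__":
    for e in scan_o23(SAMPLE_O23):
        print(f"{'FLAG' if e.suspicious else 'ok  '} {e.name:<12} {e.path}")
        for reason in e.reasons:
            print(f"       - {reason}")
```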
     
  5. 2008/02/13
    Geri (Alumni)
    Hi

    OK please do this.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

    Please post the SDFix log and a new HJT log.

    Is he using imesh.com?

    Thanks
    Geri
     
  6. 2008/02/14
    jbrej (Thread Starter)
    SDFix done

    Hi Geri.
    I am not sure if he uses imesh.
    There is an iMeshV7.exe on his desktop, I guess it is the installer, but I don't see any Program Files\imesh or an imesh entry in his Add/Remove Programs.

    Here is the SDFix Report:

    SDFix: Version 1.142

    Run by HP_Ejer on 14-02-2008 at 22:53

    Microsoft Windows XP [version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    astq
    CcEvtSvc
    FCI
    FFI
    khtml
    msupdate
    protect
    smtpdrv
    ztx86

    Path:
    \??\C:\WINDOWS\system32\drivers\astq.tga
    %SystemRoot%\System32\CcEvtSvc.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe:ext.exe
    C:\WINDOWS\system32\svchost.exe:exm.exe
    \??\C:\WINDOWS\system32\drivers\khtml.sys
    c:\windows\system32\msvcrtd.exe
    System32\drivers\protect.sys
    System32\DRIVERS\smtpdrv.sys
    \??\C:\WINDOWS\system32\ztx86.sys

    astq - Deleted
    CcEvtSvc - Deleted
    FCI - Deleted
    FFI - Deleted
    khtml - Deleted
    msupdate - Deleted
    protect - Deleted
    smtpdrv - Deleted
    ztx86 - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\-19422~1 - Deleted
    C:\WINDOWS\system32\acespy\systune.exe - Deleted
    C:\WINDOWS\system32\acespy\__acelog.ndx - Deleted
    C:\WINDOWS\acontidialer.txt - Deleted
    C:\WINDOWS\adbar.dll - Deleted
    C:\WINDOWS\cbinst$.exe - Deleted
    C:\WINDOWS\daxtime.dll - Deleted
    C:\WINDOWS\default.htm - Deleted
    C:\WINDOWS\dp0.dll - Deleted
    C:\WINDOWS\eventlowg.dll - Deleted
    C:\WINDOWS\hotporn.exe - Deleted
    C:\WINDOWS\ie_32.exe - Deleted
    C:\WINDOWS\jd2002.dll - Deleted
    C:\WINDOWS\kkcomp$.exe - Deleted
    C:\WINDOWS\liqad$.exe - Deleted
    C:\WINDOWS\ngd.dll - Deleted
    C:\WINDOWS\spredirect.dll - Deleted
    C:\WINDOWS\system32\adult.txt - Deleted
    C:\WINDOWS\system32\finance.txt - Deleted
    C:\WINDOWS\system32\lt.res - Deleted
    C:\WINDOWS\system32\other.txt - Deleted
    C:\WINDOWS\system32\pharma.txt - Deleted
    C:\WINDOWS\system32\sft.res - Deleted
    C:\WINDOWS\system32\vxddsk.exe - Deleted
    C:\WINDOWS\system32\wml.exe - Deleted
    C:\WINDOWS\vxddsk.exe - Deleted
    C:\WINDOWS\wml.exe - Deleted
    C:\WINDOWS\xxxvideo.exe - Deleted
    C:\WINDOWS\system32\drivers\astq.tga - Deleted
    C:\WINDOWS\system32\drivers\khtml.sys - Deleted
    C:\WINDOWS\system32\ztx86.sys - Deleted



    Folder C:\Programmer\Dot1XCfg - Removed
    Folder C:\Programmer\Helper - Removed
    Folder C:\Programmer\Temporary - Removed
    Folder C:\WINDOWS\system32\acespy - Removed


    Removing Temp Files...

    ADS Check:



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-14 23:20:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "
    "C:\\Programmer\\Ubi Soft\\IL-2 Sturmovik Forgotten Battles\\il2fb.exe "= "C:\\Programmer\\Ubi Soft\\IL-2 Sturmovik Forgotten Battles\\il2fb.exe:*:Disabled:il2fb "
    "C:\\Programmer\\Messenger\\msmsgs.exe "= "C:\\Programmer\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger "
    "C:\\Programmer\\EA GAMES\\Battlefield 1942\\BF1942.exe "= "C:\\Programmer\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942 "
    "C:\\Programmer\\THQ\\Dawn Of War\\W40k.exe "= "C:\\Programmer\\THQ\\Dawn Of War\\W40k.exe:*:Enabled:W40k "
    "C:\\Programmer\\Call of Duty Game of the Year Edition\\CoDMP.exe "= "C:\\Programmer\\Call of Duty Game of the Year Edition\\CoDMP.exe:*:Disabled:CoDMP "
    "C:\\Programmer\\Warcraft III\\Warcraft III.exe "= "C:\\Programmer\\Warcraft III\\Warcraft III.exe:*:Disabled:Warcraft III "
    "C:\\Programmer\\THQ\\Dawn Of War\\W40kWA.exe "= "C:\\Programmer\\THQ\\Dawn Of War\\W40kWA.exe:*:Disabled:W40kWA "
    "C:\\Programmer\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe "= "C:\\Programmer\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe:*:Disabled:bfvietnam "
    "C:\\Programmer\\GameSpy Arcade\\Aphex.exe "= "C:\\Programmer\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade "
    "C:\\UnrealTournament\\System\\UnrealTournament.exe "= "C:\\UnrealTournament\\System\\UnrealTournament.exe:*:Disabled:UnrealTournament "
    "C:\\WINDOWS\\system32\\rundll32.exe "= "C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Kør en DLL som et program "
    "C:\\WINDOWS\\system32\\mmc.exe "= "C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console "
    "C:\\Programmer\\EA GAMES\\Battlefield 2\\BF2.exe "= "C:\\Programmer\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2 "
    "C:\\Programmer\\Microsoft Games\\Rise of Nations\\rise.exe "= "C:\\Programmer\\Microsoft Games\\Rise of Nations\\rise.exe:*:Enabled:Rise of Nations "
    "C:\\Programmer\\Steam\\SteamApps\\daniel13dk\\counter-strike source\\hl2.exe "= "C:\\Programmer\\Steam\\SteamApps\\daniel13dk\\counter-strike source\\hl2.exe:*:Enabled:hl2 "
    "C:\\WINDOWS\\system32\\rtcshare.exe "= "C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC-programdeling "
    "C:\\Programmer\\MSN Messenger\\msncall.exe "= "C:\\Programmer\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) "
    "C:\\Programmer\\Network Associates\\Common Framework\\FrameworkService.exe "= "C:\\Programmer\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:Framework Service "
    "C:\\Programmer\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enGB-downloader.exe "= "C:\\Programmer\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enGB-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Documents and Settings\\HP_Ejer\\Lokale indstillinger\\Temporary Internet Files\\Content.IE5\\0DURCHUN\\Flying_Mount_PC_EG-downloader[1].exe "= "C:\\Documents and Settings\\HP_Ejer\\Lokale indstillinger\\Temporary Internet Files\\Content.IE5\\0DURCHUN\\Flying_Mount_PC_EG-downloader[1].exe:*:Enabled:Blizzard Downloader "
    "C:\\Programmer\\Microsoft Games\\Rise Of Legends\\legends.exe "= "C:\\Programmer\\Microsoft Games\\Rise Of Legends\\legends.exe:*:Enabled:Rise Of Legends "
    "C:\\Programmer\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enGB-downloader.exe "= "C:\\Programmer\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enGB-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Programmer\\Electronic Arts\\Need for Speed Carbon\\NFSC.exe "= "C:\\Programmer\\Electronic Arts\\Need for Speed Carbon\\NFSC.exe:*:Enabled:NFSC "
    "C:\\Programmer\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe "= "C:\\Programmer\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Programmer\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe "= "C:\\Programmer\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe:*:Enabled:DarkCrusade "
    "C:\\Programmer\\Electronic Arts\\Battlefield 2142\\BF2142.exe "= "C:\\Programmer\\Electronic Arts\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2 "
    "C:\\Programmer\\iTunes\\iTunes.exe "= "C:\\Programmer\\iTunes\\iTunes.exe:*:Enabled:iTunes "
    "C:\\Programmer\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe "= "C:\\Programmer\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\WINDOWS\\system32\\dpvsetup.exe "= "C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test "
    "C:\\Programmer\\BearShare Applications\\BearShare\\BearShare.exe "= "C:\\Programmer\\BearShare Applications\\BearShare\\BearShare.exe:*:Enabled:BearShare "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= "%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 "
    "C:\\Programmer\\MSN Messenger\\msnmsgr.exe "= "C:\\Programmer\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\\Programmer\\MSN Messenger\\livecall.exe "= "C:\\Programmer\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "
    "C:\\Programmer\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enGB-downloader.exe "= "C:\\Programmer\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enGB-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Programmer\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enGB-downloader.exe "= "C:\\Programmer\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enGB-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Programmer\\World of Warcraft\\WoW-1.10.0-enGB-downloader.exe "= "C:\\Programmer\\World of Warcraft\\WoW-1.10.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Programmer\\World of Warcraft\\BackgroundDownloader.exe "= "C:\\Programmer\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Documents and Settings\\HP_Ejer\\Skrivebord\\WoW-1.11.2.5464-to-0.12.0.5496-enGB-downloader.exe "= "C:\\Documents and Settings\\HP_Ejer\\Skrivebord\\WoW-1.11.2.5464-to-0.12.0.5496-enGB-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Documents and Settings\\HP_Ejer\\Lokale indstillinger\\Temporary Internet Files\\Content.IE5\\YJGXCH2N\\AhnQiraj_GB_English-downloader[1].exe "= "C:\\Documents and Settings\\HP_Ejer\\Lokale indstillinger\\Temporary Internet Files\\Content.IE5\\YJGXCH2N\\AhnQiraj_GB_English-downloader[1].exe:*:Enabled:Blizzard Downloader "
    "C:\\Documents and Settings\\HP_Ejer\\Lokale indstillinger\\Temporary Internet Files\\Content.IE5\\4P0Z69QF\\WOWEx_Blizcon-downloader[1].exe "= "C:\\Documents and Settings\\HP_Ejer\\Lokale indstillinger\\Temporary Internet Files\\Content.IE5\\4P0Z69QF\\WOWEx_Blizcon-downloader[1].exe:*:Enabled:Blizzard Downloader "
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe "= "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Fjernsupport - Windows Messenger og samtale "
    "C:\\Programmer\\iMesh Applications\\iMesh\\iMesh.exe "= "C:\\Programmer\\iMesh Applications\\iMesh\\iMesh.exe:*:Enabled:iMesh "
    "C:\\Programmer\\Skype\\Phone\\Skype.exe "= "C:\\Programmer\\Skype\\Phone\\Skype.exe:*:Enabled:Skype "
    "C:\\Programmer\\uTorrent\\uTorrent.exe "= "C:\\Programmer\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent "
    "C:\\DOCUME~1\\HP_Ejer\\LOKALE~1\\Temp\\services.exe "= "C:\\DOCUME~1\\HP_Ejer\\LOKALE~1\\Temp\\services.exe:*:Enabled:Flash Player2 "
    "C:\\Documents and Settings\\HP_Ejer\\pysoml.exe "= "C:\\Documents and Settings\\HP_Ejer\\pysoml.exe:*:Enabled:Windows Service "
    "C:\\Documents and Settings\\HP_Ejer\\tgfoka.exe "= "C:\\Documents and Settings\\HP_Ejer\\tgfoka.exe:*:Enabled:Windows Service "
    "C:\\Documents and Settings\\HP_Ejer\\mdvort.exe "= "C:\\Documents and Settings\\HP_Ejer\\mdvort.exe:*:Enabled:Windows Service "
    "C:\\WINDOWS\\system32\\svchost.exe "= "C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost "
    "C:\\Documents and Settings\\HP_Ejer\\vutcwu.exe "= "C:\\Documents and Settings\\HP_Ejer\\vutcwu.exe:*:Enabled:Windows Service "
    "C:\\Programmer\\Steam\\SteamApps\\danielthewolf\\counter-strike source\\hl2.exe "= "C:\\Programmer\\Steam\\SteamApps\\danielthewolf\\counter-strike source\\hl2.exe:*:Disabled:hl2 "
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE "= "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "%ProgramFiles%\\iTunes\\iTunes.exe "= "%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes "
    "C:\\Programmer\\MSN Messenger\\msncall.exe "= "C:\\Programmer\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= "%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 "
    "C:\\Programmer\\MSN Messenger\\msnmsgr.exe "= "C:\\Programmer\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\\Programmer\\MSN Messenger\\livecall.exe "= "C:\\Programmer\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Wed 7 Sep 2005 213 A.SHR --- "C:\BOOT.BAK"
    Wed 21 Jun 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Mon 29 Aug 2005 121,240 A..HR --- "C:\Programmer\THQ\Dawn Of War\Disk1CheckW40k.EXE"
    Fri 19 Aug 2005 121,237 A..HR --- "C:\Programmer\THQ\Dawn Of War\Disk1Check.EXE"
    Sat 10 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Thu 14 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT6.tmp"
    Wed 6 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT3.tmp"
    Thu 14 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\afa5528a2269b5106016bdbc1ea3037f\BIT5.tmp"
    Thu 14 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT4.tmp"
    Wed 21 Jun 2006 4,348 ...H. --- "C:\Documents and Settings\HP_Ejer\Dokumenter\Musik\Sikkerhedskopiering af licenser\drmv1key.bak"
    Thu 21 Dec 2006 20 A..H. --- "C:\Documents and Settings\HP_Ejer\Dokumenter\Musik\Sikkerhedskopiering af licenser\drmv1lic.bak"
    Sun 25 Sep 2005 312 A.SH. --- "C:\Documents and Settings\HP_Ejer\Dokumenter\Musik\Sikkerhedskopiering af licenser\drmv2key.bak"

    Finished!

    And the new HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:38:56, on 14-02-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Programmer\AlienGUIse\wbload.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    c:\programmer\fælles filer\logishrd\lvmvfm\LVPrcSrv.exe
    C:\Programmer\MSI\Bluetooth Software\bin\btwdins.exe
    C:\Programmer\Executive Software\Diskeeper\DkService.exe
    C:\Programmer\Network Associates\Common Framework\FrameworkService.exe
    C:\Programmer\Network Associates\VirusScan\Mcshield.exe
    C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Programmer\iTunes\iTunesHelper.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE
    C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe
    C:\Programmer\Fælles filer\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Programmer\iPod\bin\iPodService.exe
    C:\Programmer\Logitech\QuickCam10\QuickCam10.exe
    C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmer\MSN Messenger\MsnMsgr.Exe
    C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Programmer\MSI\Bluetooth Software\BTTray.exe
    C:\Programmer\Fælles filer\Logishrd\LQCVFX\COCIManager.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
    R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmer\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Programmer\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmer\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmer\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmer\Fælles filer\LogiShrd\LComMgr\Communications_Helper.exe "
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmer\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "C:\Programmer\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Programmer\MSI\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Ejer\Menuen Start\Programmer\IMVU\Run IMVU.lnk
    O9 - Extra button: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176997916328
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Ati HotKey Poller AtiMcShield (AtiMcShield) - Unknown owner - C:\WINDOWS\system32\advpack.dllw.exe (file missing)
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\MSI\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmer\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmer\fælles filer\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmer\Fælles filer\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Programmer\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmer\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 9418 bytes


    Thanks

    Jens
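
    Editor's added example (not part of the thread, and not something SDFix, ComboFix or HijackThis does): a small Python triage pass over the two artefacts in the post above, the Windows XP firewall AuthorizedApplications export and the HijackThis O23 service lines. The point it makes is the one a responder would draw from this log: malware that adds itself to the firewall exception list with a generic description ("Windows Service", "svchost"), a system-process name in a Temp directory, an executable dropped straight into the user profile root, and an O23 service whose binary no longer exists and has a double extension. The heuristics, the marker strings for a Danish-locale profile, and the sample lines are this editor's own assumptions; the sample is a constructed subset in the same format as the posted logs, not the full log.

```python
"""Triage pass over an XP firewall AuthorizedApplications export and HijackThis O23 lines.
Editor-written example; heuristics are assumptions, not a tool's built-in rules."""
import re
from pathlib import PureWindowsPath

# Names malware commonly borrows from real Windows processes.
SYSTEM_PROCESS_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                        "csrss.exe", "smss.exe", "explorer.exe"}
# Exception descriptions that say nothing about the program (legitimate entries in the
# posted log carry a product name such as "iTunes" or "Blizzard Downloader").
GENERIC_DESCRIPTIONS = {"windows service", "svchost", "windows", "microsoft"}
PROFILE_MARKERS = ("documents and settings", "docume~1")
# Assumed Danish-locale XP: "Lokale indstillinger" (LOKALE~1) is the user's Local Settings.
TEMP_MARKERS = ("\\temp\\", "temporary internet files", "\\lokale~1\\")

# "<key path>"="<path>:<scope>:<Enabled|Disabled>:<description>"  (regedit export style)
FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')
# O23 - Service: <display name> - <vendor> - <binary> [(file missing)]
O23_LINE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def parse_firewall_entry(line):
    """Split one export line into (key, path, scope, state, description), or None."""
    m = FW_LINE.match(line.strip())
    if not m:
        return None
    key = m.group("key").replace("\\\\", "\\")      # undo regedit's doubled backslashes
    value = m.group("value").replace("\\\\", "\\")
    parts = value.rsplit(":", 3)   # the path itself contains "C:", so split from the right
    if len(parts) != 4:
        return None
    path, scope, state, description = parts
    return key, path, scope, state, description


def triage_firewall_entry(line):
    """Return {'path', 'state', 'description', 'reasons'} for an export line, or None."""
    parsed = parse_firewall_entry(line)
    if parsed is None:
        return None
    key, path, scope, state, description = parsed
    low, name = path.lower(), PureWindowsPath(path).name.lower()
    reasons = []
    if key.lower() != low:
        reasons.append("value path does not match key path")
    in_profile = any(mark in low for mark in PROFILE_MARKERS)
    if in_profile and any(mark in low for mark in TEMP_MARKERS):
        reasons.append("executable in a temp/cache directory")
    elif in_profile and len(PureWindowsPath(path).parts) == 4:
        # C:\Documents and Settings\<user>\<file>.exe: dropped straight into the profile root
        reasons.append("executable in user profile root")
    if name in SYSTEM_PROCESS_NAMES:
        if "\\windows\\system32\\" in low:
            reasons.append(f"{name} itself listed as an exception; check what added it")
        else:
            reasons.append(f"{name} outside %windir%\\system32 (name borrowed from a system process)")
    if description.strip().lower() in GENERIC_DESCRIPTIONS:
        reasons.append(f"generic description {description.strip()!r}")
    return {"path": path, "state": state, "description": description, "reasons": reasons}


def triage_o23(line):
    """Return {'name', 'owner', 'path', 'reasons'} for a HijackThis O23 line, or None."""
    m = O23_LINE.match(line.strip())
    if not m:
        return None
    path, reasons = m.group("path"), []
    if m.group("missing"):
        reasons.append("service binary does not exist (orphaned entry)")
    if m.group("owner") == "Unknown owner":
        reasons.append("no vendor in the binary's version info")
    if re.search(r"\.(dll|exe|sys)[^\\]*\.exe$", path, re.IGNORECASE):
        reasons.append("double extension in binary name")
    return {"name": m.group("name"), "owner": m.group("owner"), "path": path, "reasons": reasons}


def triage_log(text):
    """Run both checks over pasted log text; return only entries with findings, in order."""
    findings = []
    for line in text.splitlines():
        for check in (triage_firewall_entry, triage_o23):
            result = check(line)
            if result is not None:
                if result["reasons"]:
                    findings.append(result)
                break
    return findings


# Constructed sample in the same format as the posted logs (a subset, not the full log).
SAMPLE_LOG = r'''
"C:\\Programmer\\iTunes\\iTunes.exe"="C:\\Programmer\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\DOCUME~1\\HP_Ejer\\LOKALE~1\\Temp\\services.exe"="C:\\DOCUME~1\\HP_Ejer\\LOKALE~1\\Temp\\services.exe:*:Enabled:Flash Player2"
"C:\\Documents and Settings\\HP_Ejer\\pysoml.exe"="C:\\Documents and Settings\\HP_Ejer\\pysoml.exe:*:Enabled:Windows Service"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Ati HotKey Poller AtiMcShield (AtiMcShield) - Unknown owner - C:\WINDOWS\system32\advpack.dllw.exe (file missing)
'''

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit.get("name") or hit["path"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

    Paste the whole firewall list and the HJT log into `triage_log` and the iTunes and iPod lines drop out while the Temp `services.exe`, the four profile-root "Windows Service" binaries, the `svchost.exe` exception and the `AtiMcShield` orphan are reported. The description check is deliberately a whitelist of generic strings rather than a blacklist of known product names, because the attacker picks the description; the location and name checks are what catch a dropper that chooses a plausible one.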
     
  7. 2008/02/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jbrej

    Having any P2P file-sharing apps such as LimeWire, BitTorrent, uTorrent etc. is almost like inviting malware into your computer. There is absolutely no way for you to know which of the hundreds of thousands of users you are sharing files with are infected.
    I strongly recommend removing any P2P applications.

    You said you ran ComboFix.

    Please post the log it created.

    Thanks
    Geri
     
  8. 2008/02/15
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    combofix log

    Hi Geri.
    You are absolutely right, P2P is an open invitation. I will uninstall whatever P2P programs I can identify, and attempt to educate him (he is 15, so there is a lot of interesting stuff for him out there :).

    I have trouble identifying P2P suspects. Here are the contents of his "Program Files" and "Programmer" (Danish) folders. Do you see anything suspicious?

    ******************************************
    C:\>dir "Program Files" /b
    3721
    Accoona
    akl
    amsys
    BlackIsle
    e-zshopper
    HP
    Mp3 My Mp3 2.0
    p2pnetworks
    Seekmo Programs

    and

    C:\>dir Programmer /b
    Activision
    Adobe
    AlienGUIse
    Alwil Software
    Apple Software Update
    Atari
    BearShare Applications
    Call of Duty Game of the Year Edition
    Canon
    CCleaner
    CleanMyPC
    Common Files
    ComPlus Applications
    Diablo II
    directx
    DivX
    EA GAMES
    Easy Internet signup
    Electronic Arts
    Executive Software
    FreeRIP2
    Fælles filer
    GameSpy Arcade
    Google
    Guild Wars
    Hewlett-Packard
    HighMAT CD Writing Wizard
    Hijackthis
    Hitman Pro
    HP
    HPQ
    iMesh Applications
    IMVU
    ImvuTools2
    Infogrames
    Internet Explorer
    InterVideo
    iPod
    iTunes
    Java
    Logitech
    Managed DirectX (0901)
    Messenger
    Microsoft ActiveSync
    Microsoft CAPICOM 2.1.0.2
    microsoft frontpage
    Microsoft Games
    Microsoft Office
    Microsoft Works
    Microsoft.NET
    Movie Maker
    Mozilla Firefox
    MSBuild
    MSI
    MSN Gaming Zone
    MSN Messenger
    MSXML 4.0
    MSXML 6.0
    NetMeeting
    Network Associates
    Onlinetjenester
    Outlook Express
    QuickTime
    Realtek
    Reference Assemblies
    ScanSoft
    Sierra
    Skype
    Sonic
    Steam
    SUPERAntiSpyware
    Symantec
    Teamspeak2_RC2
    The Weather Channel FW
    THQ
    thriXXX
    Trend Micro
    Ubi Soft
    Ubisoft
    Warcraft III
    Winamp
    Windows Live Toolbar
    Windows Media Connect 2
    Windows Media Player
    Windows NT
    WinRAR
    World of Warcraft
    xerox
    Xilisoft
    Yahoo!
    Zone Labs

    ******************************************

    Anyway, here is a fresh ComboFix log:

    Start Time= 15-02-2008 18:28:19,28

    QuickScan did not find any signs of infected files

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2008-02-13 16:55:10 ( .D... ) "C:\Programmer\Trend Micro"
    2008-02-10 20:01:04 ( .D... ) "C:\Programmer\MSXML 6.0"
    2008-02-10 19:54:42 ( .D... ) "C:\Programmer\MSBuild"
    2008-02-10 19:45:50 ( .D... ) "C:\Programmer\Reference Assemblies"
    2008-02-10 18:02:00 ( .D... ) "C:\Programmer\Zone Labs"
    2008-02-09 19:28:12 ( .D... ) "C:\Documents and Settings\HP_Ejer\Application Data\SUPERAntiSpyware.com"
    2008-02-09 19:27:28 ( .D... ) "C:\Programmer\Fælles filer\Wise Installation Wizard"
    2008-02-05 03:47:40 3508 ( A.... ) "C:\Start_.cmd"
    2008-02-05 00:09:46 18214008 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
    2008-02-04 15:55:54 132 ( A.... ) "C:\tempdel.bat"
    2008-02-04 15:28:44 ( .D... ) "C:\Programmer\Microsoft ActiveSync"
    2008-02-04 15:27:52 ( .D... ) "C:\Programmer\Fælles filer\DESIGNER"
    2008-02-04 15:27:14 ( .D... ) "C:\Programmer\Microsoft.NET"
    2008-02-04 11:19:58 ( .D... ) "C:\Programmer\CCleaner"
    2008-02-03 07:46:46 14336 ( A.... ) "C:\WINDOWS\system32\svchost.exe"
    2008-01-27 19:35:12 58368 ( A.... ) "C:\blhhjtpx.exe"
    2008-01-18 16:47:56 ( .D... ) "C:\Documents and Settings\HP_Ejer\Application Data\Mozilla"
    2008-01-18 16:47:22 ( .D... ) "C:\Programmer\Mozilla Firefox"
    2008-01-13 14:33:38 43520 ( A.... ) "C:\WINDOWS\system32\CmdLineExt03.dll"
    2008-01-11 06:40:56 44544 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
    2008-01-05 20:45:32 21840 ( A.... ) "C:\WINDOWS\system32\SIntfNT.dll"
    2008-01-05 20:45:32 17212 ( A.... ) "C:\WINDOWS\system32\SIntf32.dll"
    2008-01-05 20:45:32 12067 ( A.... ) "C:\WINDOWS\system32\SIntf16.dll"
    2007-12-24 14:28:38 ( .D... ) "C:\Documents and Settings\HP_Ejer\Application Data\Soldat"
    2007-12-19 23:54:34 347136 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
    2007-12-08 06:13:44 3592192 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
    2007-12-07 03:13:44 1159680 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
    2007-12-07 03:13:44 824832 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
    2007-12-07 03:13:44 671232 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
    2007-12-07 03:13:44 478208 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
    2007-12-07 03:13:44 233472 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
    2007-12-07 03:13:44 193024 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
    2007-12-07 03:13:44 105984 ( A.... ) "C:\WINDOWS\system32\url.dll"
    2007-12-07 03:13:44 102912 ( A.... ) "C:\WINDOWS\system32\occache.dll"
    2007-12-07 03:13:42 6066176 ( A.... ) "C:\WINDOWS\system32\ieframe.dll"
    2007-12-07 03:13:42 459264 ( A.... ) "C:\WINDOWS\system32\msfeeds.dll"
    2007-12-07 03:13:42 384512 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
    2007-12-07 03:13:42 383488 ( A.... ) "C:\WINDOWS\system32\ieapfltr.dll"
    2007-12-07 03:13:42 267776 ( A.... ) "C:\WINDOWS\system32\iertutil.dll"
    2007-12-07 03:13:42 230400 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
    2007-12-07 03:13:42 214528 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
    2007-12-07 03:13:42 153088 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
    2007-12-07 03:13:42 133120 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
    2007-12-07 03:13:42 124928 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
    2007-12-07 03:13:42 63488 ( A.... ) "C:\WINDOWS\system32\icardie.dll"
    2007-12-07 03:13:42 52224 ( A.... ) "C:\WINDOWS\system32\msfeedsbs.dll"
    2007-12-07 03:13:42 44544 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
    2007-12-07 03:13:42 27648 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
    2007-12-06 12:00:58 13824 ( A.... ) "C:\WINDOWS\system32\ieudinit.exe"
    2007-12-06 11:59:30 70656 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
    2007-12-06 05:59:52 161792 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
    2007-12-04 19:41:04 550912 ( A.... ) "C:\WINDOWS\system32\oleaut32.dll"


    ((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SunJavaUpdateSched"="\"C:\\Programmer\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
    "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
    "PS2"="C:\\WINDOWS\\system32\\ps2.exe"
    "OpwareSE2"="\"C:\\Programmer\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
    "LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
    "iTunesHelper"="\"C:\\Programmer\\iTunes\\iTunesHelper.exe\""
    "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
    "HPHUPD06"="c:\\Programmer\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
    "HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
    "AlcxMonitor"="ALCXMNTR.EXE"
    "ShStatEXE"="\"C:\\Programmer\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
    "McAfeeUpdaterUI"="\"C:\\Programmer\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
    "QuickTime Task"="\"C:\\Programmer\\QuickTime\\qttask.exe\" -atboottime"
    "ZoneAlarm Client"="\"C:\\Programmer\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
    "LogitechCommunicationsManager"="\"C:\\Programmer\\Fælles filer\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
    "LogitechQuickCamRibbon"="\"C:\\Programmer\\Logitech\\QuickCam\\Quickcam.exe\" /hide"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MsnMsgr"="\"C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Steam"="\"C:\\Programmer\\Steam\\Steam.exe\" -silent"
    "SUPERAntiSpyware"="C:\\Programmer\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Completion time: 15-02-2008 18:30:51,21
    ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt


    Best regards

    Jens
     
  9. 2008/02/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jbrej

    OK. These should go:
    C:\Programmer\uTorrent
    p2pnetworks
    BearShare Applications
    thriXXX


    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\blhhjtpx.exe


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Now let's run an online scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it and click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky log.

    Thanks
    Geri
     
  10. 2008/02/17
    jbrej

    jbrej Inactive Thread Starter

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    Kaspersky log

    Hi Geri.
    I deleted the files you suggested.
    Here is the Kaspersky report:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, February 17, 2008 12:42:34 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 17/02/2008
    Kaspersky Anti-Virus database records: 569971
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    G:\
    H:\
    I:\
    J:\

    Scan Statistics:
    Total number of scanned objects: 127233
    Number of viruses found: 3
    Number of infected objects: 6
    Number of suspicious objects: 8
    Duration of the scan process: 02:01:56

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_DANIEL.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_DANIEL.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak14.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak14.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak19.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak19.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak21.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak21.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak4.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak4.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\HP_Ejer\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Dokumenter\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Oversigt\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Oversigt\History.IE5\MSHist012008021720080218\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\HP_Ejer\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Skrivebord\dvs ting\ALT\iMeshV7int.exe/WISE0044.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\HP_Ejer\Skrivebord\dvs ting\ALT\iMeshV7int.exe/WISE0044.BIN/stream Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\HP_Ejer\Skrivebord\dvs ting\ALT\iMeshV7int.exe/WISE0044.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\HP_Ejer\Skrivebord\dvs ting\ALT\iMeshV7int.exe WiseSFX: infected - 3 skipped
    C:\Documents and Settings\HP_Ejer\Skrivebord\dvs ting\ALT\iMeshV7int.exe WiseSFXDropper: infected - 3 skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Oversigt\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale indstillinger\Oversigt\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\DANIEL.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\ZLT002fc.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT002ff.TMP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Best regards

    Jens
     
  11. 2008/02/17
    Geri Lifetime Subscription

    Hi

    OK Looks good.

    Now you have to make a decision; see here in the Kaspersky scan.
    C:\Documents and Settings\HP_Ejer\Skrivebord\dvs ting\ALT\iMeshV7int.exe/WISE0044.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped

    iMesh is AdWare; it can cause pop-ups and/or banner ads. IMO it should be removed.
    If you want it removed, do the following.


    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    iMesh Applications


    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
    R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.


    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete this file (if present):

    C:\Documents and Settings\HP_Ejer\Skrivebord\dvs ting\ALT\iMeshV7int.exe


    Now Open Spybot S/D
    Click on the Recovery button
    Put a check in all boxes showing and click Purge selected.
    Close SpyBot.

    Please delete these.
    SDFix.exe

    This folder
    C:\SDFix

    Run ATF cleaner again, then do another Kaspersky scan and post the Log.

    Thanks
    Geri
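Added example (not code from the thread or from Kaspersky): a small Python triage script for Kaspersky Online Scanner 5.x reports like the one above. It drops the "Object is locked skipped" noise, groups nested detections under the file that exists on disk, and separates Kaspersky's "not-a-virus:" adware/riskware verdicts, which is the judgement Geri makes by hand on the iMeshV7int.exe line; the sample report is constructed from a few of the thread's own lines, and on the full first report the same rules reproduce its Scan Statistics (6 infected, 8 suspicious, 3 distinct names).

```python
import re
from collections import defaultdict

# One result line is '<path> <verdict> <last action>'. Verdicts seen in Kaspersky
# Online Scanner 5.x output: a locked object, a named detection, or a container
# summary such as 'ZIP: suspicious - 1' for an archive/installer.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Object is locked|Infected: \S+|Suspicious: \S+"
    r"|\S+: (?:infected|suspicious) - \d+) "
    r"(?P<action>\S+)$"
)

def parse_report(text):
    """Yield one record per result line; header and summary lines are ignored."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        verdict = m.group("verdict")
        if verdict == "Object is locked":
            kind = "locked"  # in-use file the scanner could not open: noise, not a finding
        elif verdict.startswith("Infected:") or ": infected -" in verdict:
            kind = "infected"
        else:
            kind = "suspicious"
        name = verdict.split(": ", 1)[1] if verdict.startswith(("Infected:", "Suspicious:")) else None
        # Nested objects are written 'outer.exe/inner/...'; the text before the
        # first '/' is the file that actually exists on disk.
        yield {"path": m.group("path"), "host": m.group("path").split("/")[0],
               "kind": kind, "name": name, "action": m.group("action")}

def summarize(text):
    """Counts that match the report's own Scan Statistics block, plus a per-file
    worklist; 'not-a-virus:' is Kaspersky's prefix for adware/riskware."""
    counts = {"locked": 0, "infected": 0, "suspicious": 0}
    names, by_host = set(), defaultdict(set)
    for rec in parse_report(text):
        counts[rec["kind"]] += 1
        if rec["kind"] == "locked":
            continue
        found = by_host[rec["host"]]  # a container line still registers its host file
        if rec["name"]:
            found.add(rec["name"])
            names.add(rec["name"])
    worklist = {host: {"names": sorted(f),
                       "riskware_only": bool(f) and all(n.startswith("not-a-virus:") for n in f)}
                for host, f in by_host.items()}
    return {"counts": counts, "viruses": len(names), "worklist": worklist}
# Constructed sample in the scanner's layout (a cut-down version of the thread's log).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak14.zip/kvnab$.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak14.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\HP_Ejer\Dokumenter\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Ejer\Skrivebord\dvs ting\ALT\iMeshV7int.exe/WISE0044.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
C:\Documents and Settings\HP_Ejer\Skrivebord\dvs ting\ALT\iMeshV7int.exe WiseSFX: infected - 3 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""
if __name__ == "__main__":
    for host, info in summarize(SAMPLE_REPORT)["worklist"].items():
        tag = "adware/riskware, decide" if info["riskware_only"] else "investigate"
        print(f"{tag}: {host} -> {', '.join(info['names']) or '(container only)'}")
```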
     
  12. 2008/02/19
    jbrej

    Kaspersky 2nd time

    Hi Geri.
    Done as instructed.
    Here is the second Kaspersky report:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, February 19, 2008 11:03:16 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/02/2008
    Kaspersky Anti-Virus database records: 573199
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    G:\
    H:\
    I:\
    J:\

    Scan Statistics:
    Total number of scanned objects: 126997
    Number of viruses found: 1
    Number of infected objects: 1
    Number of suspicious objects: 0
    Duration of the scan process: 01:57:37

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_DANIEL.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_DANIEL.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Dokumenter\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Oversigt\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Temp\~DF4A38.tmp Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Temp\~DF4A58.tmp Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Ejer\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\HP_Ejer\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Oversigt\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\DANIEL.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{30D26D93-6854-4BB7-8492-67A6BC35F719}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\ZLT072e1.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT072e4.TMP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.


    /Jens
     
  13. 2008/02/19
    Geri Lifetime Subscription

    Hi Jens

    OK That looks good.

    It seems that at some point you ran SmitfraudFix, so we need to delete it and/or the files that it uses.

    Smitfraudfix.exe < if still on your system

    These files.
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\SYSTEM32\Process.exe
    C:\WINDOWS\SYSTEM32\SrchSTS.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\tmp.reg

    Empty your recycle bin or run ATF cleaner.


    Now, a word to the wise...
    It is not a good idea to run any tools we use here on your own!
    Different tools are meant for different infections and just running them at random could harm your system.
    Case in point, see this thread, post # 3.
    http://www.windowsbbs.com/showthread.php?t=71251


    This would be a good time to set a new system restore point for your machine.
    Set New System Restore Point Windows XP. - Set New System Restore Point Windows Vista
    Do not do this unless there are no other user accounts to be diagnosed.

    If there are any other user accounts on this machine, they too must be cleaned with AdAware and Spybot S&D. Not all infections are global, nor are all fixes global.
    Log onto that user account, run HJT and save the log, and post each user account here into this thread, but please do only one at a time to avoid confusion. Please let us know that it is a different account.


    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958


    Let me know that things are OK and I'll mark this one resolved.

    Surf Safely.
    Geri
     
