My Anti Spyware

[valmon]

hey, i had this problem yesterday .. and followed your guide
http://www.myantispyware.com/2007/11/18 ... hijackers/

vundofix found about 5 dlls and one dat. deleted all dll's but had problem to delete the dat, even after reboot. So i checked ComboFix but no avail - i got a message "this copy of combofix has expired. / please download an updated copy" and ComboFix deleted itself right away.

Next Step - using Hijack This i found out where the infected DAT file and looked on their info. As they told me, i succesfully used KillBox to delete the file after reboot.

After reboot i scanned with VundoFix, and it found no problem. The problems with Explorer.exe somehow disappeared. But I fear it will return.
It happened before.

this is my current Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:21, on 19.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\arjvwscc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Koscikova\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - (no file)
O2 - BHO: {5e65d9c4-4197-5a4a-6544-63e3f87aaa15} - {51aaa78f-3e36-4456-a4a5-79144c9d56e5} - C:\WINDOWS\system32\qhktmpix.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9E4E77C0-B6DB-4E09-A95C-F6DC35D6631F} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [8c941005] rundll32.exe "C:\WINDOWS\system32\orgseoxf.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CleanTemp 1.5.lnk = C:\Program Files\CleanTemp 1.5\CleanTemp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Liatro SWF Decoder Catch - C:\Program Files\Liatro\Liatro SWF Decoder\swfcatch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {C5BD6843-0C13-11D2-804C-00A0243795C8} (InfosSearch Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B95EFDFD-CEB6-4F9D-AFE0-7E354C586026}: NameServer = 85.237.0.65 85.237.1.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C173C.dat
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\arjvwscc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\ORACLE\ORA90\BIN\ONRSD.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8471 bytes

What should i do next?

[valmon]

huh, upon a further review of the log i posted, i see that "C:\WINDOWS\system32\__c00C173C.dat" is back again. I dont like the R3, O2, O3 neither. There are some weird things later on also. What to do?

[patrik]

Hello valmon. Welcome to the Myantispyware forum!

ok, just checked combofix, and yes got message as you.
You can make next, change you system date to curentdate - 7 days, for example, and run combofix again.

ok, try HijackThis for fix your problems.
Download Avenger and unzip to your desktop.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Run HijackThis and click “Do a system scan only.â€

[valmon]

i gave a second shot to ad-aware .. after three scans it quaranteed and deleted all it found (trojan32.downloader.zlob and one more spyware). Everything seemes to work normally, however I still dont like the HJT log .. this is the new one:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:00:11, on 19.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Koscikova\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - (no file)
O2 - BHO: {5e65d9c4-4197-5a4a-6544-63e3f87aaa15} - {51aaa78f-3e36-4456-a4a5-79144c9d56e5} - C:\WINDOWS\system32\qhktmpix.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9E4E77C0-B6DB-4E09-A95C-F6DC35D6631F} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [8c941005] rundll32.exe "C:\WINDOWS\system32\orgseoxf.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CleanTemp 1.5.lnk = C:\Program Files\CleanTemp 1.5\CleanTemp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Liatro SWF Decoder Catch - C:\Program Files\Liatro\Liatro SWF Decoder\swfcatch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {C5BD6843-0C13-11D2-804C-00A0243795C8} (InfosSearch Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B95EFDFD-CEB6-4F9D-AFE0-7E354C586026}: NameServer = 85.237.0.65 85.237.1.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C173C.dat
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\ORACLE\ORA90\BIN\ONRSD.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8297 bytes

Please help. I will be here at this comp on friday and my parents need it until then. I hope they wont mess up anything. Thanks for your help in advance. Ciao

[valmon]

sorry .. didnt see your message. i will try this immediately

[patrik]

yes, try it.
I skip one entry, also pls do :

Run HijackThis again and click “Do a system scan only.â€

[valmon]

ok .. i assume i am still in step 1. I set the clock 14 days back and voalla - Combofix worked. Here's the logfile:

ComboFix 07-11-08.1 - Koscikova 2007-11-05 15:15:03.1 - NTFSx86
Systém Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1033.18.94 [GMT 1:00]
Running from: C:\Documents and Settings\Koscikova\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Koscikova\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\Koscikova\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-19 11:43 <DIR> d-------- C:\VundoFix Backups
2007-11-19 09:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 23:59 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-18 23:17 <DIR> d-------- C:\Program Files\CCleaner
2007-11-18 22:58 85,056 --a------ C:\WINDOWS\system32\orgseoxf.dll
2007-11-18 19:13 <DIR> d-------- C:\Program Files\ffdshow
2007-11-18 19:13 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-11-18 19:13 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-17 16:55 <DIR> d-------- C:\Program Files\SBRunMan
2007-11-17 16:28 <DIR> d-------- C:\Program Files\Symantec
2007-11-17 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-17 16:20 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-17 14:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-17 12:49 <DIR> d-------- C:\Program Files\Oornmlzl
2007-11-17 12:48 <DIR> d-------- C:\Program Files\donsvqnc
2007-11-17 12:48 36,352 --a------ C:\WINDOWS\system32\pmnolij.dll
2007-11-14 10:45 <DIR> d-------- C:\Program Files\BT
2007-11-11 10:56 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-29 12:13 <DIR> d-------- C:\movie
2007-10-27 17:43 <DIR> d-------- C:\WINDOWS\Adobe Illustrator CS
2007-10-21 18:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-20 16:29 <DIR> d-------- C:\Program Files\Liatro
2007-10-20 16:13 <DIR> d-------- C:\Program Files\HooTech
2007-10-19 15:11 <DIR> d-------- C:\Documents and Settings\Koscikova\Application Data\Nokia Multimedia Player
2007-10-19 15:00 <DIR> d-------- C:\Documents and Settings\Koscikova\Phone Browser
2007-10-19 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-19 14:45 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-19 14:45 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-19 14:45 <DIR> d-------- C:\Documents and Settings\Koscikova\Application Data\Nokia
2007-10-19 14:44 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-10-19 14:44 <DIR> d-------- C:\Program Files\Nokia
2007-10-19 14:44 <DIR> d-------- C:\Program Files\DIFX
2007-10-19 14:44 <DIR> d-------- C:\Documents and Settings\Koscikova\Application Data\PC Suite
2007-10-19 14:44 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-10-19 14:44 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-19 14:44 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-10-19 14:44 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-10-19 14:44 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-10-19 14:44 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-10-19 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-10-14 21:22 <DIR> d-------- C:\Program Files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 13:48 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\dvdcss
2007-11-18 22:18 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\Azureus
2007-11-18 14:03 --------- d-----w C:\Program Files\CloneDVD
2007-11-18 13:59 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\Skype
2007-11-18 12:22 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-19 22:25 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\uTorrent
2007-10-15 06:38 --------- d-----w C:\Program Files\Trader's Little Helper
2007-10-14 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-10-13 18:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-13 14:26 --------- d-----w C:\Program Files\Azureus
2007-10-13 11:27 --------- d-----w C:\Program Files\Java
2007-09-17 13:31 --------- d-----w C:\Program Files\SopCast
2007-09-17 13:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-17 13:30 --------- d-----w C:\Program Files\Octoshape Streaming Services
2007-09-17 13:27 --------- d-----w C:\Program Files\Combined Community Codec Pack
2007-09-17 13:25 --------- d-----w C:\Program Files\Exact Audio Copy
2007-09-17 13:25 --------- d-----w C:\Program Files\Avi2Dvd
2007-09-17 13:24 --------- d-----w C:\Program Files\Audible
2007-09-17 13:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-06-15 17:11 836 ----a-w C:\Documents and Settings\Koscikova\Application Data\ViewerApp.dat
2007-04-09 15:11 16 ----a-w C:\Documents and Settings\Koscikova\ppfV71.dll
2007-03-20 19:41 16 ----a-w C:\Documents and Settings\Koscikova\pnoB01.dll
2007-01-28 23:04 16 ----a-w C:\Documents and Settings\Koscikova\ppfV41.dll
2006-05-03 09:06:54 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51aaa78f-3e36-4456-a4a5-79144c9d56e5}]
C:\WINDOWS\system32\qhktmpix.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E4E77C0-B6DB-4E09-A95C-F6DC35D6631F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 02:51 C:\WINDOWS\RTHDCPL.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-07-03 08:55]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 09:37 C:\WINDOWS\system32\nwtray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 14:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2006-10-11 15:38]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 19:12]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11]
"V0220Mon.exe"="C:\WINDOWS\V0220Mon.exe" [2006-05-16 02:00]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 00:15]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10]
"8c941005"="C:\WINDOWS\system32\orgseoxf.dll" [2007-11-18 22:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
CleanTemp 1.5.lnk - C:\Program Files\CleanTemp 1.5\CleanTemp.exe [2005-04-27 19:39:28]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
winrkp32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\system32\drivers\nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\WINDOWS\system32\NetWare\nwfilter.sys
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\system32\NetWare\nwdhcp.sys
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\system32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\system32\NetWare\srvloc.sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\system32\NetWare\NWHOST.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\system32\NetWare\NWSNS.sys
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys
R3 V0220Dev;Live! Cam Video IM;C:\WINDOWS\system32\DRIVERS\V0220Dev.sys
R3 V0220Vfx;V0220VFX;C:\WINDOWS\system32\DRIVERS\V0220Vfx.sys
S2 cusrvc;Client Update Service for Novell;C:\WINDOWS\system32\cusrvc.exe
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\system32\NetWare\nwsipx32.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\system32\NetWare\NWSAP.sys
S3 OracleOraHome90ClientCache;OracleOraHome90ClientCache;C:\ORACLE\ORA90\BIN\ONRSD.EXE
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c80e05e-9662-11db-9453-001676494476}]
\Shell\Auto\command - F:\Autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-01-02 13:16:46 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 15:20:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 15:21:58 - machine was rebooted
.
--- E O F ---

[valmon]

here is new hijack this logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:26:14, on 8.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Koscikova\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - (no file)
O2 - BHO: {5e65d9c4-4197-5a4a-6544-63e3f87aaa15} - {51aaa78f-3e36-4456-a4a5-79144c9d56e5} - C:\WINDOWS\system32\qhktmpix.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9E4E77C0-B6DB-4E09-A95C-F6DC35D6631F} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [8c941005] rundll32.exe "C:\WINDOWS\system32\orgseoxf.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CleanTemp 1.5.lnk = C:\Program Files\CleanTemp 1.5\CleanTemp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Liatro SWF Decoder Catch - C:\Program Files\Liatro\Liatro SWF Decoder\swfcatch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {C5BD6843-0C13-11D2-804C-00A0243795C8} (InfosSearch Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B95EFDFD-CEB6-4F9D-AFE0-7E354C586026}: NameServer = 85.237.0.65 85.237.1.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\ORACLE\ORA90\BIN\ONRSD.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8357 bytes


I dont know how to start the computer in the safe mode now. Because when I hit the F8 at the reboot, i get the Boot screen instead.
Any ideas?

I downloaded Avenger and i cannot wait for further instructions.

[valmon]

plus, can i check the clock back to the Nov 19? Its confusing

[patrik]

ok, Open notepad and copy/paste the text in the quotebox below into it:

[quote]File::
C:\WINDOWS\system32\qhktmpix.dll
C:\WINDOWS\system32\winrkp32.dll
C:\WINDOWS\system32\orgseoxf.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51aaa78f-3e36-4456-a4a5-79144c9d56e5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E4E77C0-B6DB-4E09-A95C-F6DC35D6631F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8c941005"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
“Authentication Packagesâ€

[valmon]

here you are

ComboFix 07-11-08.1 - Koscikova 2007-11-08 15:52:19.2 - NTFSx86
Systém Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1033.18.101 [GMT 1:00]
Running from: C:\Documents and Settings\Koscikova\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Koscikova\Desktop\cfscript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\orgseoxf.dll
C:\WINDOWS\system32\qhktmpix.dll
C:\WINDOWS\system32\winrkp32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\orgseoxf.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-19 11:43 <DIR> d-------- C:\VundoFix Backups
2007-11-19 09:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 23:59 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-18 23:17 <DIR> d-------- C:\Program Files\CCleaner
2007-11-18 19:13 <DIR> d-------- C:\Program Files\ffdshow
2007-11-18 19:13 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-11-18 19:13 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-17 16:55 <DIR> d-------- C:\Program Files\SBRunMan
2007-11-17 16:28 <DIR> d-------- C:\Program Files\Symantec
2007-11-17 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-17 16:20 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-17 14:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-17 12:49 <DIR> d-------- C:\Program Files\Oornmlzl
2007-11-17 12:48 <DIR> d-------- C:\Program Files\donsvqnc
2007-11-17 12:48 36,352 --a------ C:\WINDOWS\system32\pmnolij.dll
2007-11-14 10:45 <DIR> d-------- C:\Program Files\BT
2007-11-11 10:56 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-29 12:13 <DIR> d-------- C:\movie
2007-10-27 17:43 <DIR> d-------- C:\WINDOWS\Adobe Illustrator CS
2007-10-21 18:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-20 16:29 <DIR> d-------- C:\Program Files\Liatro
2007-10-20 16:13 <DIR> d-------- C:\Program Files\HooTech
2007-10-19 15:11 <DIR> d-------- C:\Documents and Settings\Koscikova\Application Data\Nokia Multimedia Player
2007-10-19 15:00 <DIR> d-------- C:\Documents and Settings\Koscikova\Phone Browser
2007-10-19 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-19 14:45 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-19 14:45 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-19 14:45 <DIR> d-------- C:\Documents and Settings\Koscikova\Application Data\Nokia
2007-10-19 14:44 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-10-19 14:44 <DIR> d-------- C:\Program Files\Nokia
2007-10-19 14:44 <DIR> d-------- C:\Program Files\DIFX
2007-10-19 14:44 <DIR> d-------- C:\Documents and Settings\Koscikova\Application Data\PC Suite
2007-10-19 14:44 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-10-19 14:44 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-19 14:44 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-10-19 14:44 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-10-19 14:44 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-10-19 14:44 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-10-19 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-10-14 21:22 <DIR> d-------- C:\Program Files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 13:48 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\dvdcss
2007-11-18 22:18 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\Azureus
2007-11-18 14:03 --------- d-----w C:\Program Files\CloneDVD
2007-11-18 13:59 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\Skype
2007-11-18 12:22 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-19 22:25 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\uTorrent
2007-10-15 06:38 --------- d-----w C:\Program Files\Trader's Little Helper
2007-10-14 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-10-13 18:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-13 14:26 --------- d-----w C:\Program Files\Azureus
2007-10-13 11:27 --------- d-----w C:\Program Files\Java
2007-09-17 13:31 --------- d-----w C:\Program Files\SopCast
2007-09-17 13:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-17 13:30 --------- d-----w C:\Program Files\Octoshape Streaming Services
2007-09-17 13:27 --------- d-----w C:\Program Files\Combined Community Codec Pack
2007-09-17 13:25 --------- d-----w C:\Program Files\Exact Audio Copy
2007-09-17 13:25 --------- d-----w C:\Program Files\Avi2Dvd
2007-09-17 13:24 --------- d-----w C:\Program Files\Audible
2007-09-17 13:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-06-15 17:11 836 ----a-w C:\Documents and Settings\Koscikova\Application Data\ViewerApp.dat
2007-04-09 15:11 16 ----a-w C:\Documents and Settings\Koscikova\ppfV71.dll
2007-03-20 19:41 16 ----a-w C:\Documents and Settings\Koscikova\pnoB01.dll
2007-01-28 23:04 16 ----a-w C:\Documents and Settings\Koscikova\ppfV41.dll
2006-05-03 09:06:54 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 02:51 C:\WINDOWS\RTHDCPL.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-07-03 08:55]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 09:37 C:\WINDOWS\system32\nwtray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 14:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2006-10-11 15:38]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 19:12]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11]
"V0220Mon.exe"="C:\WINDOWS\V0220Mon.exe" [2006-05-16 02:00]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 00:15]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
CleanTemp 1.5.lnk - C:\Program Files\CleanTemp 1.5\CleanTemp.exe [2005-04-27 19:39:28]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\system32\drivers\nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\WINDOWS\system32\NetWare\nwfilter.sys
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\system32\NetWare\nwdhcp.sys
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\system32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\system32\NetWare\srvloc.sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\system32\NetWare\NWHOST.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\system32\NetWare\NWSNS.sys
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys
R3 V0220Dev;Live! Cam Video IM;C:\WINDOWS\system32\DRIVERS\V0220Dev.sys
R3 V0220Vfx;V0220VFX;C:\WINDOWS\system32\DRIVERS\V0220Vfx.sys
S2 cusrvc;Client Update Service for Novell;C:\WINDOWS\system32\cusrvc.exe
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\system32\NetWare\nwsipx32.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\system32\NetWare\NWSAP.sys
S3 OracleOraHome90ClientCache;OracleOraHome90ClientCache;C:\ORACLE\ORA90\BIN\ONRSD.EXE
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c80e05e-9662-11db-9453-001676494476}]
\Shell\Auto\command - F:\Autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-01-02 13:16:46 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 15:56:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 15:58:06 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-08 15:21
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:51, on 8.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Koscikova\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CleanTemp 1.5.lnk = C:\Program Files\CleanTemp 1.5\CleanTemp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Liatro SWF Decoder Catch - C:\Program Files\Liatro\Liatro SWF Decoder\swfcatch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {C5BD6843-0C13-11D2-804C-00A0243795C8} (InfosSearch Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\ORACLE\ORA90\BIN\ONRSD.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7827 bytes

[patrik]

ok, looks more clean!

make a new CFscript:

[quote][HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
“Authentication Packagesâ€

[valmon]

no problems with explorer.exe and IE6 today. But I want to be sure that something else, maybe nastier wont appear in a few days, or a week.

new logs:

ComboFix 07-11-08.1 - Koscikova 2007-11-08 16:20:39.3 - NTFSx86
Systém Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1033.18.108 [GMT 1:00]
Running from: C:\Documents and Settings\Koscikova\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Koscikova\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-19 11:43 <DIR> d-------- C:\VundoFix Backups
2007-11-19 09:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 23:59 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-18 23:17 <DIR> d-------- C:\Program Files\CCleaner
2007-11-18 19:13 <DIR> d-------- C:\Program Files\ffdshow
2007-11-18 19:13 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-11-18 19:13 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-17 16:55 <DIR> d-------- C:\Program Files\SBRunMan
2007-11-17 16:28 <DIR> d-------- C:\Program Files\Symantec
2007-11-17 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-17 16:20 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-17 14:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-17 12:49 <DIR> d-------- C:\Program Files\Oornmlzl
2007-11-17 12:48 <DIR> d-------- C:\Program Files\donsvqnc
2007-11-17 12:48 36,352 --a------ C:\WINDOWS\system32\pmnolij.dll
2007-11-14 10:45 <DIR> d-------- C:\Program Files\BT
2007-11-11 10:56 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-29 12:13 <DIR> d-------- C:\movie
2007-10-27 17:43 <DIR> d-------- C:\WINDOWS\Adobe Illustrator CS
2007-10-21 18:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-20 16:29 <DIR> d-------- C:\Program Files\Liatro
2007-10-20 16:13 <DIR> d-------- C:\Program Files\HooTech
2007-10-19 15:11 <DIR> d-------- C:\Documents and Settings\Koscikova\Application Data\Nokia Multimedia Player
2007-10-19 15:00 <DIR> d-------- C:\Documents and Settings\Koscikova\Phone Browser
2007-10-19 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-19 14:45 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-19 14:45 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-19 14:45 <DIR> d-------- C:\Documents and Settings\Koscikova\Application Data\Nokia
2007-10-19 14:44 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-10-19 14:44 <DIR> d-------- C:\Program Files\Nokia
2007-10-19 14:44 <DIR> d-------- C:\Program Files\DIFX
2007-10-19 14:44 <DIR> d-------- C:\Documents and Settings\Koscikova\Application Data\PC Suite
2007-10-19 14:44 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-10-19 14:44 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-19 14:44 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-10-19 14:44 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-10-19 14:44 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-10-19 14:44 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-10-19 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2007-10-14 21:22 <DIR> d-------- C:\Program Files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 13:48 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\dvdcss
2007-11-18 22:18 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\Azureus
2007-11-18 14:03 --------- d-----w C:\Program Files\CloneDVD
2007-11-18 13:59 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\Skype
2007-11-18 12:22 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-19 22:25 --------- d-----w C:\Documents and Settings\Koscikova\Application Data\uTorrent
2007-10-15 06:38 --------- d-----w C:\Program Files\Trader's Little Helper
2007-10-14 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-10-13 18:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-13 14:26 --------- d-----w C:\Program Files\Azureus
2007-10-13 11:27 --------- d-----w C:\Program Files\Java
2007-09-17 13:31 --------- d-----w C:\Program Files\SopCast
2007-09-17 13:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-17 13:30 --------- d-----w C:\Program Files\Octoshape Streaming Services
2007-09-17 13:27 --------- d-----w C:\Program Files\Combined Community Codec Pack
2007-09-17 13:25 --------- d-----w C:\Program Files\Exact Audio Copy
2007-09-17 13:25 --------- d-----w C:\Program Files\Avi2Dvd
2007-09-17 13:24 --------- d-----w C:\Program Files\Audible
2007-09-17 13:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-06-15 17:11 836 ----a-w C:\Documents and Settings\Koscikova\Application Data\ViewerApp.dat
2007-04-09 15:11 16 ----a-w C:\Documents and Settings\Koscikova\ppfV71.dll
2007-03-20 19:41 16 ----a-w C:\Documents and Settings\Koscikova\pnoB01.dll
2007-01-28 23:04 16 ----a-w C:\Documents and Settings\Koscikova\ppfV41.dll
2006-05-03 09:06:54 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 02:51 C:\WINDOWS\RTHDCPL.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-07-03 08:55]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 09:37 C:\WINDOWS\system32\nwtray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 14:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2006-10-11 15:38]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 19:12]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11]
"V0220Mon.exe"="C:\WINDOWS\V0220Mon.exe" [2006-05-16 02:00]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 00:15]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
CleanTemp 1.5.lnk - C:\Program Files\CleanTemp 1.5\CleanTemp.exe [2005-04-27 19:39:28]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\system32\drivers\nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\WINDOWS\system32\NetWare\nwfilter.sys
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\system32\NetWare\nwdhcp.sys
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\system32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\system32\NetWare\srvloc.sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\system32\NetWare\NWHOST.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\system32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\system32\NetWare\NWSNS.sys
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys
R3 V0220Dev;Live! Cam Video IM;C:\WINDOWS\system32\DRIVERS\V0220Dev.sys
R3 V0220Vfx;V0220VFX;C:\WINDOWS\system32\DRIVERS\V0220Vfx.sys
S2 cusrvc;Client Update Service for Novell;C:\WINDOWS\system32\cusrvc.exe
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\system32\NetWare\nwsipx32.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\system32\NetWare\NWSAP.sys
S3 OracleOraHome90ClientCache;OracleOraHome90ClientCache;C:\ORACLE\ORA90\BIN\ONRSD.EXE
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c80e05e-9662-11db-9453-001676494476}]
\Shell\Auto\command - F:\Autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-01-02 13:16:46 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 16:22:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-08 16:23:47
C:\ComboFix2.txt ... 2007-11-08 15:58
C:\ComboFix3.txt ... 2007-11-08 15:21
.
--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:28:22, on 8.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Koscikova\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CleanTemp 1.5.lnk = C:\Program Files\CleanTemp 1.5\CleanTemp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Liatro SWF Decoder Catch - C:\Program Files\Liatro\Liatro SWF Decoder\swfcatch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {C5BD6843-0C13-11D2-804C-00A0243795C8} (InfosSearch Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B95EFDFD-CEB6-4F9D-AFE0-7E354C586026}: NameServer = 85.237.0.65 85.237.1.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\ORACLE\ORA90\BIN\ONRSD.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7808 bytes

[valmon]

one more thing: what do you think about this one? - O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL

I dont see anything like this in IE 6. I also checked the dell's site:
http://support.dell.com/support/topics/ ... ggle=false

and they said to remove it via win add/remove programs
i checked add/remove programs but there was no option like this..

[patrik]

ok, your combofix log is clean!
Also you can remove MyWay Search Assistant.

Run HijackThis again and click “Do a system scan only.â€