A major problem....

[Ba_Ba]

My firend's computer is filled with spyware/viruses....I tried clean it by following the steps in the sticky but the computer would no let me ran any of the online scans nor the ad-ware scans. When I do the online scans, the broswer just freezes or close itself. I tried the ad-adware SE, but the scan just stopped working midway through. The computer is going really slow with the CPU usage hovering around 100% .....and thanks a lot in advance...

Here is the specs of the system:
1.6 Ghz and 256 Ram with Windows XP

and here is the hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:04:47 PM, on 7/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\DOCUME~1\Zoran\LOCALS~1\Temp\bwgo00014512.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Zoran\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.info/
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {1FC59799-1D51-24FD-C0D4-059DF25A1E6E} - stuffmon.dll (file missing)
F3 - REG:win.ini: load=?????? ??????O???O?¡? ?????
F3 - REG:win.ini: run=?????? ??????O???O?¡? ?????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {20E07F5C-A792-49EB-9337-97237DADCB23} - C:\WINDOWS\System32\sfcman32.dll (file missing)
O2 - BHO: Name - {949848E7-274E-4D67-A756-3698C69009D3} - C:\WINDOWS\System32\mszwf.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Software] C:\WINDOWS\System32\Software\software.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [LOPTCON] corrida.exe
O4 - HKLM\..\Run: [KeywordFinder] progmen.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [dialer423] slamm.exe
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O4 - HKCU\..\Run: [34763] bingo9.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



And Thanks a Lot guys....

 

[Ba_Ba]

here is the 2nd part of the hijack this log......thank yu...

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{230137DD-CE92-4C89-8D96-6EDE74C61DBD}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B857FEF-4825-4AF9-80ED-87865BFD305C}: NameServer = 69.50.184.85,195.225.176.31
O18 - Protocol: bw+0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

 

[Ba_Ba]

and here is the more of the it.....

O18 - Protocol: bw30 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

 

[Ba_Ba]

and the last of it...

O18 - Protocol: bwz0 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {FAAB1857-EC73-42C7-B186-C5E3D9CFB814} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O21 - SSODL: System - {F544BB61-6110-4921-AAD8-805C24485E0E} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

 

[Buzz1927]

Try to run Kaspersky in safemode, then post back.

 

[Ba_Ba]

I already tried that, it took over an hour and found 1 trojan virus and it delete it.....but the problem seem to be in a "temp" file.....everytime I try to do anything with the file......the computer just freeze....

P.S- and there is a lot of porno pop-ups.....

 

[Buzz1927]

See if you can download Ewido. Update it, then boot into safemode and run it. Post back with how you get on.

 

[Ba_Ba]

is there anything wrong with the hijackthis log....it looks so long.....is that normal???...

 

[Byteman]

Edit: definately not normal...
After Buzz's scan, do the following as well:

Download and run:
cwshredder
HSRemove
About:Buster

Have HJT remove all the 018 entries and then post a fresh log, and we'll see where you stand...

 

[Ba_Ba]

okay here is my new HJT log......i cannt ran any scans at all, not even in safemode.......b/c a "temp" file is blocking all the scans.....

 

[Ba_Ba]

Logfile of HijackThis v1.99.1
Scan saved at 6:20:39 AM, on 7/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft
Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CA\eTrust
PestPatrol\PPActiveDetection.exe
C:\Program Files\MusicMatch\MusicMatch
Jukebox\mmtask.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common
Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch
Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adaptec\Easy CD Creator
5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money
Express.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\DOCUME~1\Zoran\LOCALS~1\Temp\bwgo0001f018.exe
C:\Documents and Settings\Zoran\Local
Settings\Temp\Temporary Directory 4 for
hijackthis.zip\HijackThis.exe
C:\Documents and Settings\Zoran\Local
Settings\Temp\Temporary Directory 5 for
hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet
Explorer,(Default) =
http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\sfcman32.dll/sp.html
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
res://C:\WINDOWS\System32\sfcman32.dll/sp.html
(obfuscated)
R0 - HKCU\Software\Microsoft\Internet
Explorer\Main,Start Page =
http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\sfcman32.dll/sp.html
(obfuscated)
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page =
res://C:\WINDOWS\System32\sfcman32.dll/sp.html
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\sfcman32.dll/sp.html
(obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\sfcman32.dll/sp.html
(obfuscated)
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,HomeOldSP = about:blank
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) -
{1FC59799-1D51-24FD-C0D4-059DF25A1E6E} - stuffmon.dll
(file missing)
F3 - REG:win.ini: load=?????? ??????O???O?¡?
?????
F3 - REG:win.ini: run=?????? ??????O???O?¡?
?????
F2 - REG:system.ini:
UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat
5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) -
{20E07F5C-A792-49EB-9337-97237DADCB23} -
C:\WINDOWS\System32\sfcman32.dll (file missing)
O2 - BHO: Name -
{949848E7-274E-4D67-A756-3698C69009D3} -
C:\WINDOWS\System32\mszwf.dll (file missing)
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar2.dll (file missing)
O2 - BHO: (no name) -
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program
Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google -
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: (no name) -
{06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O3 - Toolbar: &Radio -
{8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Software]
C:\WINDOWS\System32\Software\software.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program
Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program
Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert]
C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [AHQInit] C:\Program
Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [LOPTCON] corrida.exe
O4 - HKLM\..\Run: [KeywordFinder] progmen.exe
O4 - HKLM\..\Run: [VetTray]
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program
Files\support.com\bin\tgcmd.exe" /server /startmonitor
/deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program
Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program
Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration
Utility] iau.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Internet Connection Wizard]
stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program
Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
/auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program
Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Microsoft Internet Acceleration
Utility] iau.exe
O4 - HKCU\..\Run: [ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program
Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [dialer423] slamm.exe
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O4 - HKCU\..\Run: [34763] bingo9.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program
Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program
Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [LDM] C:\Program
Files\Logitech\Desktop
Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Camio Viewer 2000.lnk =
C:\Program Files\Sierra Imaging\Image Expert
2000\IXApplet.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program
Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O4 - Global Startup: Logitech Desktop Messenger
Agent.lnk = C:\Program Files\Logitech\Desktop
Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search -
res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links -
res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page
- res://c:\program
files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft
Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages -
res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program
files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) -
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide -
{E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program
Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Start spyware remover -
{BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program
Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover -
{BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program
Files\WareOut\WareOut.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab -
http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}
(Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}
(HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
(ActiveScan Installer Class) -
http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[Ba_Ba]

more...

O17 -
HKLM\System\CCS\Services\Tcpip\..\{230137DD-CE92-4C89-8D96-6EDE74C61DBD}:
NameServer = 69.50.184.85,195.225.176.31
O17 -
HKLM\System\CCS\Services\Tcpip\..\{4B857FEF-4825-4AF9-80ED-87865BFD305C}:
NameServer = 69.50.184.85,195.225.176.31
O23 - Service: Creative Service for CDROM Access -
Creative Technology Ltd -
C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido
networks - C:\Program Files\ewido\security
suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service
(ImapiService) - Roxio Inc. -
C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown
owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: VET Message Service (VETMSGNT) -
Computer Associates International, Inc. -
C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) -
Zone Labs Inc. -
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


and thanks for all the help...

 

[Buzz1927]

Hi Ba Ba. Byteman hasn't been round today so I'll get things looking a bit better. Move Hijackthis to a permanent folder e.g C:Hijackthis. It looks like you're running selective startup through msconfig. We need to see everything you got running. Select normal startup in msconfig before your next Hijackthis log, but we'll clean a few things up before that. Download these programs.
CCleaner.
Ewido.
CWShredder.
AboutBuster.
Unzip all of them to the desktop, update Ewido, then boot into safemode.
If you can't do any of these, enable viewing of hidden files and protected operating systems, run CCleaner and try again.
Run CWShredder.
Then run Aboutbuster 3 times.
Then Ewido, clean all it finds.
Then run Hijackthis, and check these lines.

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html(obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html(obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {1FC59799-1D51-24FD-C0D4-059DF25A1E6E} - stuffmon.dll(file missing)
O2 - BHO: (no name) - {20E07F5C-A792-49EB-9337-97237DADCB23} - C:\WINDOWS\System32\sfcman32.dll (file missing)
O2 - BHO: Name - {949848E7-274E-4D67-A756-3698C69009D3} - C:\WINDOWS\System32\mszwf.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
Close all windows apart from Hijackthis and hit "Fix Checked".
Finally, run CCleaner (under Internet Explorer and Firefox, uncheck "cookies").
Reboot to normal mode and post a new Hijackthis log.

 

[Ba_Ba]

last HJT...

here is the lastest HJT log, does it look normal?
And thanks for all the help guys...

Logfile of HijackThis v1.99.1
Scan saved at 4:59:14 PM, on 7/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Zoran\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [LOPTCON] corrida.exe
O4 - HKLM\..\Run: [KeywordFinder] progmen.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{230137DD-CE92-4C89-8D96-6EDE74C61DBD}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B857FEF-4825-4AF9-80ED-87865BFD305C}: NameServer = 69.50.184.85,195.225.176.31
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

 

[Buzz1927]

here is the lastest HJT log, does it look normal?

Yes, it looks normal, but still not right, but a lot better than the last one.
Boot into safe mode. Run CWShredder. Then AboutBuster 3 times.
Run Hijackthis, hit "Do a system scan only". Check these lines.

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [LOPTCON] corrida.exe
O4 - HKLM\..\Run: [KeywordFinder] progmen.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{230137DD-CE92-4C89-8D96-6EDE74C61DBD}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B857FEF-4825-4AF9-80ED-87865BFD305C}: NameServer = 69.50.184.85,195.225.176.31
Close all windows and browsers, and hit "Fix Checked"

Search for and delete these files (you might need to view hidden files and protected operating system files)
corrida.exe
progmen.exe
mservice.exe
Reboot to normal mode and post a new log.

Edit : you got msconfig in the log. Set it to startup normally and reboot before posting the new log.
And let us know if things are any better.

 

[Ba_Ba]

sorry, it took so long. Here is the newest log with everything enabled in msconfig....

Logfile of HijackThis v1.99.1
Scan saved at 1:06:38 PM, on 7/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Zoran\LOCALS~1\Temp\bwgo0001afb3.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\autodown.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Zoran\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=?????? ??????O???O?¡? ?????
F3 - REG:win.ini: run=?????? ??????O???O?¡? ?????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O4 - HKCU\..\Run: [34763] bingo9.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

 

[Buzz1927]

Hi Ba Ba.
Move Hijackthis to it's own folder, we'll be clearing the temp folder later. Go to Add\Remove programs and uninstall eAcceleration Stop-Sign (or something similar). This is a rogue spyware product.
Boot into safemode. Make sure you can see hidden files and protected operating system files. Run CCleaner. Run Hijackthis and check these entries.
F3 - REG:win.ini: load=?????? ??????O???O?¡? ?????
F3 - REG:win.ini: run=?????? ??????O???O?¡? ?????
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [iesetupdll] progmen.exe
O4 - HKCU\..\Run: [34763] bingo9.exe
Close all windows and hit "Fix Checked".

Find and delete this folder

C:\Program Files\WareOut
And this file
C:\WINDOWS\System32\hgqhp.exe
Search for and delete these files, if found (do an advanced search)

mservice.exe
progmen.exe
bingo9.exe

Run CCleaner again. Reboot to normal mode and post a new Hijackthis log.