Malware problem - HJT log

I went through the steps and I think it didn't find anything. I will post the HJT log after cleaning (and I think some BHO entries are back even though I've fixed them before),
and as for the pop-ups, I get them, but not as often as before.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 3:08:48, on 26.4.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - (no file)
O2 - BHO: (no name) - {356BD8A0-4535-3DE9-3874-3D31B0C1FAEE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C45E74B8-E82E-9CA9-7B90-C39E8B645FBD} - (no file)
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\mouseElf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Převést cíl vazby do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Převést cíl vazby do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Převést do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Převést do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Převést vybrané vazby do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Převést vybrané vazby do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Převést výběr do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Převést výběr do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174846229375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 
And here is the report from SmitFraudFix:

SmitFraudFix v2.171

Scan done at 3:00:22,04, čt 26.04.2007
Run from C:\Documents and Settings\microfunk\Plocha\SmitfraudFix
OS: Microsoft Windows XP [Verze 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D2B50E25-0DA7-4200-8896-EA371BA45C49}: DhcpNameServer=192.168.1.254 195.241.77.53 195.241.77.54
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B3BA207C-8A05-4D35-B16E-EA4DADF5173D}: NameServer=81.27.192.33,81.27.192.97
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D2B50E25-0DA7-4200-8896-EA371BA45C49}: DhcpNameServer=192.168.1.254 195.241.77.53 195.241.77.54
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B3BA207C-8A05-4D35-B16E-EA4DADF5173D}: NameServer=81.27.192.33,81.27.192.97
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D2B50E25-0DA7-4200-8896-EA371BA45C49}: DhcpNameServer=192.168.1.254 195.241.77.53 195.241.77.54
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 195.241.77.53 195.241.77.54
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 195.241.77.53 195.241.77.54
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 195.241.77.53 195.241.77.54


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 
I have already run AVG Anti-Spyware 7.5 and AVG Anti-Rootkit, NOT the AVG antivirus. But it seems to me that whenever I fix some problem, it always comes back.
 
Here is the screenshot. But the first time I ran AVG it found a few more things, like trojans (not only the tracking cookies), but I forgot to take a screenshot and deleted them all. After a restart I ran AVG again and this is what it found (although the same cookies were deleted before).
 

Attachment: screenshot_.JPG (54.9 KB)
WOW, I have just run a scan with Registry Booster (found it while I was browsing for npdocbox.dll information) and it came up with 1069 problems, most of them in the ActiveX, OLE and COM sections. Shall I use this tool to repair them? I will post a screenshot. Thanks
 

Attachment: reg_booster.JPG (69 KB)
I have also scanned my computer with SpyEraser and here is the log. Maybe it will help you determine what to do. Thank you

SpyEraser log

Start Date:April 27, 2007 at 01:28:56AM

End Date:April 27, 2007 at 01:37:34AM

Total Time:8 Mins 38 Secs
Detected Infections

ISTbar
Details: An Adware Program displays ads on users PC, these ads can be in various forms including pop-ups,
pop-unders, banners etc. These programs may track users browsing activities, change browsers homepage settings and may hijack search results.
Status:No Action taken
Adware-Adware



Infected registry keys/values detected
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmiracle.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mt-download.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\slotch.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\clickspring.net
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\ysbweb.com
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\blazefind.com

DotCom Toolbar
Details: Dotcom Toolbar is a BHO (Browser Helper Object) that also acts as an adware.
It redirects the typed URLs to a predetermined website that will log the user's IP address.
It even changes the settings of the browser. It tracks the user's personal and demographic information
to display advertisements accordingly. It can slow down the system and the user is advised to remove this program.
Status:No Action taken
Browser Plugin-Browser Plugin



Infected registry keys/values detected
hkey_current_user\software\microsoft\internet explorer\search\searchassistant explorer\main\default_search_url\
hkey_current_user\software\microsoft\internet explorer\search\searchassistant explorer\main\\
hkey_current_user\software\microsoft\internet explorer\search\searchassistant explorer\\

CoolWWWSearch
Details: An Adware Program displays ads on users PC, these ads can be in various forms including pop-ups,
pop-unders, banners etc. These programs may track users browsing activities, change browsers homepage settings and may hijack search results.
Status:No Action taken
Adware-Adware



Infected registry keys/values detected
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwwwsearch.com\\

CWS
Details: An Adware Program displays ads on users PC, these ads can be in various forms including pop-ups,
pop-unders, banners etc. These programs may track users browsing activities, change browsers homepage settings and may hijack search results.
Status:No Action taken
Adware-Adware



Infected registry keys/values detected
hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com

IEPlugin
Details: IEPlugin is an adware that is also a BHO (Browser Helper Object). It monitors the site addresses,
content entered into forms, local filenames browsed, targeted advertisements and displays targeted pop-up
advertisements according to the keywords. It may even launch at system startup and modify the browser settings.
It can result in slowing down of the computer and interrupting the workflow. It is therefore recommended to remove this program from one's system.
Status:No Action taken
Spyware-Spyware



Infected registry keys/values detected
hkey_users\.default\software\microsoft\internet explorer\main\search page\

Better Email Enable Everything
Details: iOpus' field of expertise includes Windows security and internet-based applications.
Our software is developed based on the needs and requirements of users like ourselves, as it always keep an
ear open while it scout for new and fresh ideas to incorporate in its product development.
Status:No Action taken
Key Logger-Key Logger



Infected registry keys/values detected
hkey_local_machine\software\gentee\paths\\
hkey_local_machine\software\gentee\\

Remote Desktop for Mobiles
Details: Remote Desktop for Mobiles is remote control software, which allows attacker to control
the victim's machine over the LAN/Internet using other computer or mobile phone.
If it is installed without true knowledge or consent of the user, it may be misused for data hacking,
installing unwanted and harmful applications, controlling victim's computer remotely over LAN/Internet
and causing system failures, frequent shut downs, and any illegal activity. It may pass on the user's activity
details on the computer and browsing habits over the Internet which can be used by other spammers and hackers
to target victim's system. If this software is not installed with user consent, it should be immediately removed from the system.
Status:No Action taken
Remote Control Software-Remote Control Software



Infected files detected
c:\windows\prefetch\find.exe-0ec32f1e.pf

Surf Spy
Details: Surf Spy is a commercial keylogger program. Once installed by the attacker, it starts up and runs in stealth mode;
there is no possible way for the user to know that the program is running in the background logging all the keystrokes,
as it does not show up in the task manager or any other place. It logs every keystroke typed on the infected system, online chats,
passwords, username's, credit card information etc, captures links of every website visited; encrypts these logs and sends them to the attacker.
It is a high security risk as it not only lowers the system security settings but also may install other malware programs without user's knowledge
and consent.
Status:No Action taken
Monitoring Software-Monitoring Software



Infected directories detected
c:\documents and settings\microfunk\windows\system

TrojanDropper.Win32.Juntador.c
Details: Malware programs are softwares with harmful fuctionality. They may be installed on the system without user's consent
and can negatively impact the system's performance and stability. Depending on the type and functionality, malware programs are set to damage the system.
Status:No Action taken
Malware-Malware



Infected directories detected
c:\windows\test
 
Another log, from the Worldwide - CA scan. I'm sorry, it might be too much information, but I am really worried. Thanks

CA scan log

Vaxkat Trojan
Trojan "Vaxkat" found in:
Key "hkey_classes_root \adfghost.cli"
More Info
TrojanClicker.Win32.Small.ab Trojan
Trojan "TrojanClicker.Win32.Small.ab" found in:
Key "hkey_current_user \software\microsoft\windows\currentversion\wintrust\trust provider\software publishing\trust database\0" value "goicfboogidikkejccmclpieicilpokg ejemdn"
Key "hkey_current_user \software\microsoft\windows\currentversion\wintrust\trust provider\software publishing\trust database\0" value "ppcimdnnnjbeahepfabjipfginloedkg egckak"
Key "hkey_current_user \software\microsoft\windows\currentversion\wintrust\trust provider\software publishing\trust database\0" value "goicfboogidikkejccmclpieicilpokg bihgbp"
More Info
Estalive Adware
Adware "Estalive" found in:
Key "hkey_local_machine \software\microsoft\internet explorer\activex compatibility\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}"
More Info
Grokster P2P
P2P "Grokster" found in:
Key "hkey_classes_root \magnet"
More Info
KaZaA P2P
P2P "KaZaA" found in:
Key "hkey_local_machine \software\magnet"
More Info
BrowserAid.RunDLL16 Browser Helper Object
Browser Helper Object "BrowserAid.RunDLL16" found in:
File "c:\windows\rundll16.exe"
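Added example (editor's code, not part of the thread or of any of the tools quoted above): a small Python triage helper that parses the HijackThis `Onn - Kind: body` entry format used in the log posted at the top of the thread and flags the four kinds of entries a log reader checks first. O2 BHO lines ending in `(no file)` are orphaned CLSID registrations: the registry key survived but the DLL is gone, which is why a cleaner "fixes" them and they are still listed afterwards if something re-creates the key. A non-empty O20 AppInit_DLLs value names a DLL that Windows XP loads into every process that links user32.dll, so it must be accounted for. O20 Winlogon Notify lines whose path stops at a directory give no DLL name to verify, and an O23 service whose image path carries a stray quote or `(file missing)` cannot be trusted as printed. The sample lines are copied from the posted log; the category names are the example's own.

```python
"""Triage helper for HijackThis 1.99.x log lines (added example, not from
the thread).  Parses 'Onn - Kind: name - {CLSID} - path' entries and flags:
  * O2 BHO entries whose path is "(no file)"  -> orphaned registration
  * non-empty O20 AppInit_DLLs                 -> DLL injected into user32 processes
  * O20 Winlogon Notify with a directory-only path -> DLL name missing
  * O23 services marked "(file missing)" or with a stray quote in the path
"""
import re

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - "
    "C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - (no file)",
    "O2 - BHO: (no name) - {356BD8A0-4535-3DE9-3874-3D31B0C1FAEE} - (no file)",
    "O20 - AppInit_DLLs: interceptor.dll",
    "O20 - Winlogon Notify: !SASWinLogon - C:\\WINDOWS\\",
    "O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - "
    "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\" -r (file missing)",
    "O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\System32\\HPZipm12.exe",
]

# Section prefix ("O2", "O20", "R3", ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entry(line):
    """Return {'section', 'kind', 'body'} for one HJT entry, or None for other text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, _, body = m.group(2).partition(": ")
    return {"section": m.group(1), "kind": kind, "body": body}


def triage(lines):
    """Return (category, identifier) pairs for entries that need a closer look."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        section, kind, body = e["section"], e["kind"], e["body"]
        name = body.split(" - ")[0]        # first field: display name
        path = body.rsplit(" - ", 1)[-1]   # last field: file path or "(no file)"
        if section == "O2" and kind == "BHO" and path == "(no file)":
            clsid = CLSID_RE.search(body)
            findings.append(("orphaned-bho", clsid.group(0) if clsid else name))
        elif section == "O20" and kind == "AppInit_DLLs" and body.strip():
            findings.append(("appinit-dll", body.strip()))
        elif section == "O20" and kind == "Winlogon Notify" and path.endswith("\\"):
            findings.append(("winlogon-notify-truncated", name))
        elif section == "O23" and kind == "Service" and (
            "(file missing)" in path or '"' in path
        ):
            findings.append(("service-path-suspect", name))
    return findings


if __name__ == "__main__":
    for category, ident in triage(SAMPLE_LOG):
        print(f"{category:26} {ident}")
```

Run against the full log rather than the sample, `triage` gives a short list to work from: the orphaned CLSIDs can be looked up under HKCR\CLSID and HKLM\...\Explorer\Browser Helper Objects to see what is re-registering them, and the AppInit_DLLs and Winlogon Notify names can be matched against the installed security products before anything is deleted.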
 