

Help with Hijackthis log


Original Message
Name: aussie1
Date: April 8, 2006 at 00:42:16 Pacific
Subject: Help with Hijackthis log
OS: XP Pro
CPU/Ram: 3700+amd 1024ram
Comment:

Hello team
I have been having all sorts of problems with my computer. Some of these include:
Trojans in every AVG scan (some items listed included mousepad9.exe and keyboard.exe, among others; does this mean they have or are trying to gain control of my mouse and keyboard?). They just keep coming back after being deleted. There is also a Trojan in System\Volume Information\Restore followed by lots of numbers; it keeps coming back.
My internet connection drops a lot.
I keep getting: Page cannot be displayed
and the only way to fix is to disconnect from the net and restart computer.
At other times, my computer will not do anything I ask it to, e.g. disconnect the internet connection, then 5 minutes later, it will.
A lot of the time it will not respond to any mouse clicks, and sometimes takes a full 5 minutes to respond to Ctrl+Alt+Delete.
If I use the back button on IE browser this usually results in 1. not going back and 2. the start of my troubles for that session.
I have followed the advice of a fellow forum poster and done AVG in safe mode + adaware SE scan and now I am trying the Hijackthis scan.

Can anyone help me with Hijackthis log files?
I have no idea what I should keep or delete.
Any help much appreciated. Will post log and analysis when requested.
aussie1

P.S. I did not do a Spybot search as the first dozen trojans had a mention of sdbot, so I uninstalled the program after someone told me that it can attract viruses. This may be a load of rubbish, but I do not know any better.
Also I downloaded an update from Zonealarm (I use this firewall) and when I tried to install it, it said that that file was not recognised. I deleted the update and therefore do not have an updated firewall.

Thank you





Response Number 1
Name: bofra
Date: April 8, 2006 at 07:43:35 Pacific

Try posting your HJT log at:

http://hijackthis.de/index.php?langselect=english

Try also turning off system restore, then restart in safe mode and scan for spyware and viruses.



Response Number 2
Name: Xerox
Date: April 8, 2006 at 07:48:35 Pacific

Start by removing bad files from the startup manually.

Step 1.)Click the start button on your desktop.

Step 2.)Click RUN in the start menu list.

Step 3.)Type "regedit" in the run box. Don't include the quotes.

Step 4.)When the registry editor comes up, open this registry value.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step 5.)Post all that's in that folder here on the forums.
Step 6.)With regedit still open (or you can open another one), go to these entries and check if anything is in them:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

Please post all that's in those registry entries. DO NOT EDIT ANYTHING YET!! unless you make a backup of those entries!!

When you post, do it like this:

contents of:
-------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Blah.exe
whatever.exe
somthing.exe
^^^^ These are just examples of what could be in that entry.



Response Number 3
Name: jabuck
Date: April 8, 2006 at 09:29:49 Pacific

Please post your Hijack This log.



Response Number 4
Name: aussie1
Date: April 8, 2006 at 15:41:31 Pacific

Thank you for your time and willingness to help.
I forgot to mention that occasionally (definitely not often) when I start up I get a dialogue box come up saying 'C:\Program could not be found' blah blah. I click OK and I then have my normal desktop? Don't know if it is relevant but seems odd.
Regedit results:
contents of:
-------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

(value not set)

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe.

C:\Progra~1\Grisoft\AVG Fre~1\avgcc.exe/STARTUP

C:\Progra~1\Grisoft\AVG Fre~1\avgemc.exe

C:\WINDOWS\System32\Spool\Drivers\w32x86\2\CAPONN.EXE

C:\WINDOWS\System32\NeroCheck.exe

"C:\Program Files\Cyberlink\PowerDVD\PDVD Serv.exe"

SOUNDMAN.EXE

valuex.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe


C:\Program Files\Zone Labs\Zone Alarm\zlclient.exe

contents of:
---------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

(value not set)

"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

valuex.exe

C:\Program Files\Washer\washer.exe/0

contents of:
-------------

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

(value not set)


contents of:
------------------

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

(value not set )

contents of:
-------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

(value not set)
-----------------------
END OF REGEDIT ENTRIES
------------------------
This is Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:50:41 PM, on 4/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\2\CAPPSWN.EXE
C:\WINDOWS\System32\CAPRPCSN.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\2\CAPPSWN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.iprimus.com.au
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ssymsne] valuex.exe
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\2\CAPONN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [ssymsne] valuex.exe
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "Deb"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ssymsne] valuex.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\RunServices: [ssymsne] valuex.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-800 Statusfönster.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\2\CAPPSWN.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140505657781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140505526640
O17 - HKLM\System\CCS\Services\Tcpip\..\{623160F9-CAE6-434C-8A09-939355EA86FB}: NameServer = 203.134.12.90 203.134.102.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{623160F9-CAE6-434C-8A09-939355EA86FB}: NameServer = 203.134.12.90 203.134.102.90
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)


Thank you again for your help everyone.
Is it OK to do the adaware SE scan in safe mode, or just AVG?



Response Number 5
Name: Derek
Date: April 8, 2006 at 15:46:58 Pacific

SpyBot is fine, whoever said it attracts viruses is talking rubbish. Have you a link to a website?

The link sdbot -v- Spybot means nothing because Spybot searches for "bots" (among other things).

It is possible that the "nasty" is stopping you installing Zone Alarm.

DerekW




Response Number 6
Name: jabuck
Date: April 8, 2006 at 16:32:11 Pacific

I'm with Derek, spybot is an outstanding tool.

Download Killbox from this link: Killbox. For later use.

Download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. Also for later use.

Reboot into safe mode by following the directions at this link: How To Boot Into Safe Mode.

From safe mode run HT again, close all windows except HT, place a check to the left of the following items and press "fix checked":

O4 - HKLM\..\Run: [ssymsne] valuex.exe

O4 - HKLM\..\RunServices: [ssymsne] valuex.exe

O4 - HKCU\..\RunServices: [ssymsne] valuex.exe

O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe (file missing)

O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

From safe mode Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.

C:\valuex.exe

C:\windows\value.exe

C:\windows\system32\valuex.exe


Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.

Run ewido from safe mode. When the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop.

Please reboot into normal mode and post the ewido log.

Then run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.



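The items jabuck picks out of the log above follow a small number of rules a log reader applies by eye: a Run entry whose command is a bare file name rather than a full path, the same command registered under several autostart keys at once (valuex.exe sits under HKLM Run, HKLM RunServices, HKCU Run and HKCU RunServices), and an O23 service with an unknown owner whose binary is missing, especially when its path borrows the name of a core Windows binary such as services.exe. The script below is an added example, not code from the thread or from HijackThis, that applies those rules to constructed lines modelled on the posted log; the rules, severities and the list of core binary names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the HijackThis 1.99.1 log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ssymsne] valuex.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [ssymsne] valuex.exe
O4 - HKCU\..\Run: [ssymsne] valuex.exe
O4 - HKCU\..\RunServices: [ssymsne] valuex.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe (file missing)
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
"""

# O4 lines: hive, autostart key, value name and the command it runs.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 lines: service display name, owner/vendor, binary path and the optional "(file missing)" flag.
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Assumed list of core Windows binaries whose names a bogus service path may reuse.
CORE_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe", "csrss.exe"}


def executable_of(cmd):
    """Return the executable part of a Run-key command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse(log_text):
    """Split a HijackThis log into parsed O4 (autostart) and O23 (service) records."""
    runs, services = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["exe"] = executable_of(rec["cmd"])
            rec["line"] = line
            runs.append(rec)
            continue
        m = O23_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["missing"] = rec["missing"] is not None
            rec["line"] = line
            services.append(rec)
    return runs, services


def triage(log_text):
    """Return (line, severity, reason) findings for entries that deserve a second look."""
    runs, services = parse(log_text)
    findings = []

    # Rule 1: the same command registered under two or more autostart keys (redundant persistence).
    by_exe = defaultdict(list)
    for r in runs:
        by_exe[r["exe"].lower()].append(r["hive"] + "\\..\\" + r["key"])
    for r in runs:
        locs = by_exe[r["exe"].lower()]
        if len(locs) >= 2:
            findings.append((r["line"], "high", "registered in %d autostart keys: %s" % (len(locs), ", ".join(locs))))
        elif "\\" not in r["exe"]:
            # Rule 2: bare file name, so Windows locates it by PATH search; a few vendors
            # (SOUNDMAN.EXE here) do this legitimately, so it is only marked for review.
            findings.append((r["line"], "review", "no directory in command; resolved via PATH search"))

    # Rule 3: an unknown-owner service whose binary is missing is a leftover or is hiding its file.
    for s in services:
        if s["missing"] and s["owner"] == "Unknown owner":
            basename = s["path"].rsplit("\\", 1)[-1].lower()
            reason = "unknown owner and binary missing"
            if basename in CORE_BINARIES:
                reason += "; path reuses core Windows name " + basename
            findings.append((s["line"], "high", reason))
    return findings


if __name__ == "__main__":
    for line, severity, reason in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity, line, reason))
```

The four valuex.exe lines and the two file-missing services come out as high, SOUNDMAN.EXE as review, and the AVG and PowerDVD entries are left alone, which matches the selection jabuck made by hand.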

Response Number 7
Name: aussie1
Date: April 9, 2006 at 19:17:40 Pacific

Hi jabuck,
Again I thank you and fully appreciate that it is your time and knowledge you are giving in order to help, and I thank everyone else involved for your comments and help. I will use point form as it is easier to refer back to comments.
1. Downloaded and installed Killbox
2. Downloaded and installed Ewido and set up per instructions
3. Rebooted into safe mode following the directions given in the link
4. Ran HT from safe mode and followed all instructions to delete the five items mentioned in your post above. But the following item was no longer there for me to delete:
O4 - HKCU\..\RunServices: [ssymsne] valuex.exe
but the other 4 were and I deleted them
5. From safe mode I ran Killbox
I did have a problem with this step as I have mentioned that I am a doofus when it comes to computers. Firstly, I did install it to my desktop, but in safe mode it is not visible, so I had to open windows explorer and look in heaps of folders to find it. Your instructions were to copy and paste each of the following lines one at a time:
C:\valuex.exe

C:\windows\value.exe

C:\windows\system32\valuex.exe

however, doofus mode kicked in and I had no idea where I was supposed to copy and paste from. I could not find it in Killbox and I then thought you meant copy it from your post, but by this time I was off line, in safe mode, and had not saved these entries anywhere. Could you please clarify what you meant for me to do here. Instead I hand typed the 3 entries in, one at a time, and after hitting the red circle with the X I got the following message:
error: file does not seem to exist!
Please inform if you want me to do this procedure again, if what I have done, is incorrect.
6. This might be a good time to tell you that when I went into safe mode via the system configuration utility, I clicked on all of the different tabs just to have a look and familiarize myself with it. When I clicked on the startup tab there was an entry in there:
valuex.exe and its location was:
HKCU\SOFTWARE\Windows\CurrentVer.....
This may or may not be relevant.
8. Also when searching through all of the folders to find Killbox I saw some folders named Poker Superstars Deluxe Documents and Poker Superstars II Documents. I have never seen these before and went to control panel\add-remove to get rid of them but they are not in there. They also are not on the start\all programs menu to uninstall from there. I then telephoned my sister who has been holidaying here last month with her teenage children. They had full and unsupervised access to my computer and now I am being told they have been to a website called LimeWire and downloaded music and all sorts of things onto my computer. This is probably what has caused all of my problems. They said they scanned everything with AVG before opening and deleted everything when they finished with it. Obviously not, when Poker Superstars is showing up. And I am fairly certain that one or more of the trojans that I have deleted along the way has had the word 'poker' in it somewhere.

Here are the reports:


ewido anti-malware - Scan report


+ Created on: 7:46:05 AM, 4/10/2006
+ Report-Checksum: D908A1FB

+ Scan result:

C:\Documents and Settings\Deb\Cookies\deb@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Deb\Cookies\deb@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Deb\Cookies\deb@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Deb\Cookies\deb@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Deb\Cookies\deb@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Deb\Cookies\deb@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Deb\Cookies\deb@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Deb\Cookies\deb@vitacost.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\drsmartload1.exe -> Downloader.VB.aad : Cleaned with backup
C:\poker.exe -> Downloader.Adload.ai : Cleaned with backup
C:\WINDOWS\system32\r4r60e9seh.dll -> Adware.Look2Me : Cleaned with backup


::Report End

KASPERSKY ON-LINE SCANNER REPORT
Monday, April 10, 2006 11:28:42 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 10/04/2006
Kaspersky Anti-Virus database records: 187145


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 35228
Number of viruses found 3
Number of infected objects 6
Number of suspicious objects 0
Duration of the scan process 00:25:14

Infected Object Name Virus Name Last Action
C:\sk02.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped

C:\sk02.exe NSIS: infected - 1 skipped

C:\Veracruz.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped

C:\Veracruz.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped

C:\Veracruz.exe NSIS: infected - 2 skipped

C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

Scan process completed.


9. And last comment, the person that told me Spybot was no good also disabled MSN Messenger in startup. He said that it can be a backdoor for nasties and it is better not to have it on the computer. Again, it may be irrelevant, but his advice on Spybot was wrong so I mention it here.
Thank you again for all of your help
Regards
aussie1



Response Number 8
Name: jabuck
Date: April 10, 2006 at 04:00:36 Pacific

Killbox does that sometimes, just follow through with the process. If it doesn't show up in safe mode try logging in to safe mode as administrator.

Run killbox again in safe mode and delete these items:

C:\sk02.exe

C:\Veracruz.exe

C:\WINDOWS\system32\i

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Now do a manual check for these files/folders from safe mode and delete them if found:

C:\valuex.exe

C:\windows\value.exe

C:\windows\system32\valuex.exe

C:\Veracruz.exe

C:\sk02.exe

C:\WINDOWS\system32\i

Go start>control panel>add/remove programs and uninstall LimeWire if found.

Post a new HT log.




Response Number 9
Name: aussie1
Date: April 10, 2006 at 17:17:41 Pacific

Hi jabuck
Followed your first instruction:

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Followed your next instruction:

Run killbox again in safe mode and delete these items:

C:\sk02.exe

C:\Veracruz.exe

C:\WINDOWS\system32\i

AND WAS SUCCESSFUL.


Followed your instruction to :
Go start>control panel>add/remove programs and uninstall LimeWire if found.

AND WAS SUCCESSFUL.

Your next instruction to:

Now do a manual check for these files/folders from safe mode and delete them if found:

C:\valuex.exe

C:\windows\value.exe

C:\windows\system32\valuex.exe

C:\Veracruz.exe

C:\sk02.exe

WENT SOMETHING LIKE THIS:
I went to Start>Search (in safe mode as administrator) and did a search for the above files.
The first 3 were not found.
The next 2 were found in C:\!KillBox then I deleted them by clicking: File>delete.
The last one:

C:\WINDOWS\system32\i

had 1087 files within it.
I clicked File>delete and an error message came up "cannot read from the source file or disk". I then had 1085 files within. I tried again; it started to delete the files, then stopped with another error message that the file was being used by another program. I then had 1056 files left. I did it again and now have 1053 files. I also received messages that my computer may not work properly if I continue. I have decided to stop here and check in with you that everything is going as it should.

Could you please advise?
Regards
aussie1

P.S. I have noticed a definite improvement in the time it takes to move around the net in the last 2 days, but the line has dropped out 4 times whilst trying to confirm this post. I hope I didn't do the wrong thing by repeatedly trying to delete that last file.



Response Number 10
Name: aussie1
Date: April 10, 2006 at 21:40:38 Pacific

Just had a look in system restore, and my luck, of course it has been turned off. I obviously did it a few days ago and forgot to turn it back on. Could kick myself. Internet connection dropping out every 15 seconds to 2 minutes. Took five connections to post this afterthought. I won't go into full panic mode until you say it's time to.
Thanks again
aussie



Response Number 11
Name: jabuck
Date: April 11, 2006 at 14:55:09 Pacific

Boot back into safe mode:

Run killbox again.

Start Killbox, place a tick next to [x]Delete on reboot. Type the following bold file path into the "Full Path Of File To Delete" box:

C:\WINDOWS\system32\i

Next click on the button that has the red circle with the white X in the middle.
It will ask for confirmation to delete the files on next reboot and ask you if you want to reboot now.
Click Yes and let the computer reboot.

Post a new HT log and a new kaspersky log.




Response Number 12
Name: aussie1
Date: April 12, 2006 at 01:11:25 Pacific

Hi jabuck
Thanks again for persisting with this.
Followed your first instruction to:

Boot back into safe mode:
Run killbox again.

Start Killbox, place a tick next to [x]Delete on reboot. Type following bold file path into the "Full Path Of File To Delete" box :

C:\WINDOWS\system32\i

BUT WAS NOT SUCCESSFUL
Kept getting the following message:
PendingFileRenameOperations Registry Data has
been Removed by External Process!

I did not post HT log or Kaspersky as I didn't think you would want it yet because I can't get past step 1.
What do you advise?
Thank you
Regards
aussie1



Response Number 13
Name: jabuck
Date: April 12, 2006 at 20:09:20 Pacific

Go through the process again, then just reboot manually; wait 30 seconds before restarting the computer. Do not use "restart", use the "turn off" button.



Response Number 14
Name: aussie1
Date: April 13, 2006 at 01:32:57 Pacific

Dear jabuck

went through the process of:

"Boot back into safe mode:
Run killbox again.

Start Killbox, place a tick next to [x]Delete on reboot. Type following bold file path into the "Full Path Of File To Delete" box :

C:\WINDOWS\system32\i "

and ignored error message:
PendingFileRenameOperations Registry Data has
been Removed by External Process!

I then used 'Turn off' to close down the computer and restarted a few minutes later in safe mode and did an HT scan. Results are:


Logfile of HijackThis v1.99.1
Scan saved at 5:23:45 PM, on 4/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\2\CAPONN.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "Deb"
O4 - Global Startup: Canon LBP-800 Statusfönster.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\2\CAPPSWN.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140505657781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140505526640
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Deb\Desktop\New Folder\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)


Then connected to the net and did a Kaspersky scan. Results are as follows:


KASPERSKY ON-LINE SCANNER REPORT
Thursday, April 13, 2006 6:08:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 13/04/2006
Kaspersky Anti-Virus database records: 187951


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 37825
Number of viruses found 2
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:25:01

Infected Object Name Virus Name Last Action
C:\!KillBox\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

C:\!KillBox\sk02.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped

C:\!KillBox\sk02.exe NSIS: infected - 1 skipped

Scan process completed.


Again, thank you and I await your instructions.
Regards
aussie1



Response Number 15
Name: jabuck
Date: April 13, 2006 at 03:52:46 Pacific

Looks much better.

Navigate to C:\!KillBox and delete the contents of that folder then empty the recycle bin.

Run HT again and remove these items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

Go to msconfig and recheck all the items you have unchecked and afterwards post a new HT log to make sure we removed all the baddies.

Please download ATF-Cleaner from this link:
http://www.atribune.org/content/view/19/2/ Then run it from safe mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Purge system restore (clean-up). For instructions on how to purge system restore click Here.

To create a new restore point go Start>Run>type "msconfig" without the quotes>ok>Launch System Restore>Tick the circle beside "create a restore point">next>name it anything you wish>Create>home>restart the computer.



Response Number 16
Name: aussie1
Date: April 13, 2006 at 19:20:52 Pacific

Hello jabuck
Happy Easter!
Performed the following this morning:
Opened KillBox and typed in the infected entries as found in yesterday's Kaspersky scan. The first entry C:\!KillBox\i
and the third entry C:\!KillBox\sk02.exe
deleted OK (using red circle white cross),
but the second entry
C:\!KillBox\sk02.exe/data0002

produced a message 'file does not seem to exist'.

There was nothing in the recycle bin to delete (in fact I thought this strange as there has been nothing in there for a couple of weeks and I have deleted old HT logs and Kaspersky scans this morning).

I then ran HT in safe mode and fix checked these items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

I then went to msconfig and rechecked: msmsgs

I then downloaded and ran from safe mode ATF cleaner.
I then purged system restore
then created a new one.

I was just about to copy and paste the latest HT log and when I went to it, it says:
Windows cannot open this file.
to open this file, Windows needs to know which program created it...rah rah rah

so I will close down and do it again and see what happens.

OK had more luck this time
New HT log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:19 AM, on 4/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\2\CAPONN.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "Deb"
O4 - Global Startup: Canon LBP-800 Statusfönster.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\2\CAPPSWN.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140505657781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140505526640
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Deb\Desktop\New Folder\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

I have noticed that the speed on the net is much much better than has been previously.
I am still getting 'Page cannot be displayed'
and internet connection still dropping but only occasionally. I think this is a zonealarm settings problem and will do another post and hope that a zonealarm expert may be able to help, because if I shutdown ZA I can continue to surf in some instances. I have also downloaded, but not installed, WinSockFix as some research has shown that some spy/malware can take dll's with them when you delete them, and missing dll's can cause the problems I am experiencing. Have no idea what any of it means, but sounds like it might help, but this is a last resort.
Thank you
Regards
aussie1
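The log above is the poster's own; as an added example that is not part of this thread, the following Python script parses lines in the HijackThis v1.99.1 format and flags the four kinds of entries jabuck asked to be fixed (empty R0 IE settings, the missing R3 URLSearchHook, the O4 MSConfig /auto autorun, and an O23 service with an unknown owner whose file is missing). The sample log lines, the helper names and the flag labels are constructed for this example.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis log posted above.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\\WINDOWS\\services.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text):
    """Split a log into (section, body) tuples, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return (flag, entry) pairs for the entry types this thread treated as needing a fix."""
    findings = []
    for section, body in parse_entries(text):
        if section == "R0" and body.rstrip().endswith("="):
            findings.append(("empty-ie-setting", body))        # blanked start/local page
        elif section == "R3" and "URLSearchHook is missing" in body:
            findings.append(("urlsearchhook-missing", body))   # default hook removed
        elif section == "O4" and "MSConfig.exe /auto" in body:
            findings.append(("msconfig-selective-startup", body))  # msconfig still hiding items
        elif section == "O23" and "Unknown owner" in body and "(file missing)" in body:
            findings.append(("orphan-service", body))          # service points at a missing file
    return findings


if __name__ == "__main__":
    for flag, body in triage(SAMPLE_LOG):
        print(f"{flag:28} {body}")
```

Legitimate O4 and O23 entries (AVG, ZoneAlarm) pass through untouched, which is the point: the script narrows a long log down to the handful of lines worth a second look rather than judging every entry.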




Response Number 17
Name: jabuck
Date: April 13, 2006 at 19:53:12 Pacific
Reply:

Your log looks clean but msconfig is still blocking visibility of some programs.

I doubt that you have a winsock problem, usually you cannot access the net with a damaged or corrupt winsock.

More than likely the firewall; you might try Sygate.

Some of the files you mentioned in your first post are related to really bad spyware but are not showing up anywhere in the HT log. They were (mousepad9.exe, keyboard.exe) and this one was picked up (C:\WINDOWS\system32\r4r60e9seh.dll -> Adware.Look2Me : Cleaned with backup) but is not evident in the log.

Please download Atribune's http://www.atribune.org/public-beta/Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt.
If you receive a message from your firewall about this program accessing the internet please allow it.



Response Number 18
Name: aussie1
Date: April 13, 2006 at 23:52:39 Pacific
Reply:

Hi jabuck
followed your instructions above and here is the Look2Me report:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/14/2006 4:39:16 PM


Attempting to delete infected files...

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3FEC5FFE-30A6-4344-8481-9652C8C9492F}"
HKCR\Clsid\{3FEC5FFE-30A6-4344-8481-9652C8C9492F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0993DD23-9F07-41EC-A3E5-DBE183ECAA8B}"
HKCR\Clsid\{0993DD23-9F07-41EC-A3E5-DBE183ECAA8B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9B95D18C-D02E-498B-BFF4-149BDCD92BAD}"
HKCR\Clsid\{9B95D18C-D02E-498B-BFF4-149BDCD92BAD}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Thank you again
Regards
aussie1



Response Number 19
Name: aussie1
Date: April 14, 2006 at 03:00:50 Pacific
Reply:

Update
I haven't used my computer much this past week except to check in here get your instructions and follow through with them, plus a little research on my connections dropping out. Today I have spent a lot of time on it.
This is what is happening at the moment:
If I leave the computer for 5-10 minutes, when I come back, I only have the XP screensaver on the desktop. No icons, no start button. I tried left clicking and right clicking but nothing happens. I have to press the reset button on the tower to restart and get everything back.
Also, tried to print a web page. Message came up that I must be an administrator to use the printer (which I am). I created another user account and made them an administrator, but same thing happened. I uninstalled printer software as I had originally installed it in Russian language, and was going to reinstall in English so I could see what was going on with it.
XP couldn't install it and it would not install from CD. Eventually it came up with this message: 'This program only runs on Windows NT 4.0'
Don't know if it is connected to anything we are working on, or may be different issue altogether.
Thank you
Regards
aussie1


I tried to print a web page. Error message



Response Number 20
Name: jabuck
Date: April 14, 2006 at 14:40:21 Pacific
Reply:

This will search for and kill the files mentioned in your first post. Please download Brute Force Uninstaller
Unzip it to its own folder (c:\BFU)

Double click BFU.exe to run it. When the "Brute Force Uninstaller" window appears, click the "globe" icon in the top right hand corner.
In the "Download BFU script..." window, copy and paste the following and then click OK:

http://metallica.geekstogo.com/alcanshorty.bfu

You should see the file alcanshorty.bfu appear in the bfu folder next to BFU.exe.

Reboot into safe mode.

Open the bfu folder and double click BFU.exe.
To select the scriptfile to execute, first double click the folder icon to the left of the globe.
You should now see a window containing alcanshorty.bfu, simply double click it.
Finally, click the Execute button to begin.

When the tool has finished running, you will get a "BFU" window with the message "Completed script execution", click on OK.

Next clean out (purge) system restore. For instructions on how to purge system restore click Here

To create a new restore point go Start>Run>type "msconfig" without the quotes>ok>Launch System Restore>Tick the circle beside "create a restore point">next>name it anything you wish>Create>home>restart the computer.

Run this free online scan from Panda

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.



Response Number 21
Name: aussie1
Date: April 15, 2006 at 14:23:16 Pacific
Reply:

Hello jabuck
Thank you again for all of your help. Will try your instructions in last post but have to shut down for a few days as home renovations are being done and there will be plaster and dust flying, so I am going to unplug, cover machine, and put it in a cupboard. Keep in mind that I know nothing about any of this, but the mousepad9.exe and the keyboard.exe kept showing up in AVG even though I was deleting them or maybe AVG was deleting automatically (I can't remember) and maybe because I had system restore turned off for days it stopped it from coming back, as AVG is still scanning every day and it has not shown up in there either.
Thanks again, and will post back in 3 or 4 days.
Regards
aussie1



Response Number 22
Name: jabuck
Date: April 15, 2006 at 14:40:39 Pacific
Reply:

Thanks for the follow up, alert me when you get back.



Response Number 23
Name: aussie1
Date: April 18, 2006 at 00:54:59 Pacific
Reply:

Hi jabuck
I have followed your instructions in the last post, with the help of some fellow forum users, as I found it a bit tricky.
Here is the log from online Panda scan
Thank you again, whatever you are doing, my computer is flying around the net nowadays, compared to what it used to be like.

Incident Status Location

Adware:adware/deskwizz Not disinfected Windows Registry
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Deb\Cookies\deb@ad.sensismediasmart.com[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Deb\Cookies\deb@ads.pointroll[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Deb\Cookies\deb@as-us.falkag[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Deb\Cookies\deb@c2.gostats[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Deb\Cookies\deb@doubleclick[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Deb\Cookies\deb@statcounter[1].txt
Virus:W32/Sdbot.ftp Disinfected C:\!KillBox\i ( 1)
Adware:Adware/Deskwizz Not disinfected C:\!KillBox\sk02.exe ( 2)
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Deb\Cookies\deb@ad.sensismediasmart.com[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Deb\Cookies\deb@ads.pointroll[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Deb\Cookies\deb@as-us.falkag[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Deb\Cookies\deb@c2.gostats[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Deb\Cookies\deb@doubleclick[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Deb\Cookies\deb@statcounter[1].txt

Regards
aussie1




Response Number 24
Name: jabuck
Date: April 18, 2006 at 03:58:33 Pacific
Reply:

Navigate to and delete the contents of this folder C:\Documents and Settings\Deb\Cookies.

Navigate to and delete these files/folders if found:

C:\Windows\svrrun.exe

C:\Windows\System32\adwerkz.dll

C:\!KillBox (folder)



Response Number 25
Name: aussie1
Date: April 18, 2006 at 14:46:16 Pacific
Reply:

Thanks again jabuck
could only find:
C:\Documents and Settings\Deb\Cookies.
and deleted the contents of this.
and:
C:\!KillBox (folder)
and deleted the entire folder.
Thank you
Regards
aussie1



Response Number 26
Name: jabuck
Date: April 19, 2006 at 18:24:28 Pacific
Reply:

Glad we could help.

