Tried Spybots, tds3, Nuker, CWShredder, Spy_ferret, SpywareBlaster, Ad-aware and have all the time been running an upgrated Avast. System is XP fully upgrated and SP2.
It seems like I can remove the stuff with Ad-aware/Nuker, but after the next boot, it is back, and Ad-aware will fix a LOP cookie, a LOP program and some reg. entries. The LOP program appears in Ducuments and Settings/MIA/Lokale Indstillinger/Temporary Internet Files under different names as an .exe ( Lokale Indstillinger is Danish, I don't know why I have this mixture ).
I have tried to diconnect the internet, start in DOS mode and delete the content of those temp and cookie directories, but after next restart back to problems.
After running HijackThis, I have deleted the 2 reg. entries containing Internet Explorer, but they are made after next boot. Another strange thing is, that a couple of instances of C:\Programmer\Internet Explorer\iexplore.exe are running, even though I have uninstalled IE, and there is no such file in that directory, so I believe, that they are files generated form the suspicius program.
Well this is a hard not, and I consider myself as an experienced user.
Regards Jensen
Logfile of HijackThis v1.99.1
Scan saved at 18:32:33, on 15-04-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashserv.exe
C:\Programmer\Bluetooth-software\bin\btwdins.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmer\Logitech\Video\LogiTray.exe
C:\Programmer\Microsoft AntiSpyware\gcasServ.exe
C:\Programmer\Spyware Nuker 2004\swn2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPJETDSC.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Bluetooth-software\BTTray.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Logitech\Video\FxSvr2.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Microsoft AntiSpyware\gcasServAlert.exe
C:\Documents and Settings\MIA\Skrivebord\Ny mappe\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cafmiiczo...N3NlLKwATi.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\Programmer\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmer\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmer\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmer\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Startgrimsavevga] C:\Documents and Settings\All Users\Application Data\gpldownloadstartgrim\PopMpeg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Spyware Nuker] C:\Programmer\Spyware Nuker 2004\swn2.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [mix skip] C:\DOCUME~1\MIA\APPLIC~1\MEDIAM~1\close each.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmer\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093535293056
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmer\Bluetooth-software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
Edited by Jensen539, 15 April 2005 - 11:10 AM.