HijackThis Log Question

Hi, can somebody please explain to me how to read my hijackThis Log…I had the trojan-gen/virtumonde/adware-gen virus detected by avast, used a couple of anti-virus programs to clean them out…they do not appear anymore…please advise…thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:49 AM, on 9/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheweb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = By DSLExtreme
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {36CB5B49-B304-467A-9EF8-F38E04F3424E} - C:\WINDOWS\system32\khfCvWMe.dll (file missing)
O2 - BHO: (no name) - {4295E4A1-6447-4CE4-8BB7-4C4FBDAE88A0} - C:\WINDOWS\system32\nnnoPFXP.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp?r=al&cf=sp
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1221189996016&h=f62885de7a4eb4c0d842b9e8d8989b8e/&filename=jinstall-6u7-windows-i586-jc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


End of file - 6340 bytes


Hi
I’ll take a peek at it but do not FIX anything unless I tell you
First- what AV’s and what were the exact detections
there are so many variations on the maladies you mentioned that detailed help is impossible

We didn't detect any active process of a firewall on your system. Reasons maybe:

(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.

so What firewall? and the one that comes with windows does not count
I see that you are up to date with sp3-- better than most who come in here with problems nice work

Tuesday was patch day
did you run “secunia software inspector” and make sure everything is up to date?

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch

any sites would have you nuke these with HJT I’d like to try and remove them with some anti malware/ antispyware scans as that will get the rest of the files. registry entries and other assorted garbage
If the Anti malware scans do not get them then we can nuke em

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
google the CLSID and see what it is(so we can see if there might be other files or registry enteries

O2 - BHO: (no name) - {36CB5B49-B304-467A-9EF8-F38E04F3424E} - C:\WINDOWS\system32\khfCvWMe.dll (file missing)

O2 - BHO: (no name) - {4295E4A1-6447-4CE4-8BB7-4C4FBDAE88A0} - C:\WINDOWS\system32\nnnoPFXP.dll (file missing)

google the CLSIDs and see what they are(so we can see if there might be other files or registry entries)

here is a copy of Tech’s standard procedure which works very well if followed completely

I’m a little Dyslexic so I am going to spread it out a little and add a few comments

  1. Disable System Restore and then reenable it again.

  2. Clean your temporary files. Use ATF cleaner or Ccleaner- but post up any relevant AV logs first

  3. Schedule a boot time scanning with avast with archive scanning turned on.
    rt click on the ball and update>programs
    then open avast and schedule boot time scan- reboot and send any hits to chest, do not remove/delete
    did you quarantine or send to chest previos AV scans? what was there (ignore cookies)

If avast does not detect it, you can try DrWeb CureIT! instead.
http://www.freedrweb.com/cureit/
(not a bad idea for a second opinion anyway but you said you had already run some other scans)

  1. Use SUPERantispyware,
    http://www.superantispyware.com/
    update quarantine post logs

MBAM
http://malwarebytes.org/mbam.php
put a check mark next to any baddies and the click REMOVE CHECKED- a backup will be made

  1. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

  2. Make a NEW HijackThis log after the above scans to post here

  3. Immunize your system with SpywareBlaster or Windows Advanced Care.

  4. Check if you have insecure applications with Secunia Software Inspector.
    http://secunia.com/software_inspector/

Let’s see if we can make those three 02’s go away, see if they have any un-found friends,

see ya a little later
take your time, any questions post back
measure twice cut once

:slight_smile: Hi :

Your Log indicates you have the obsolete “Ewido” program; would recommend
you uninstall it from your “Add or Remove Programs” Section of your
computer . Also Ad-Aware from Lavasoft is no longer a top antiSPYWARE/
antiTROJAN program; would be wise to uninstall it and use the programs
mentioned by “wyrmrider” in her #4 .

Hi
if you did run an ad-aware scan and it found anything besides cookies could you post the log
we have to know what we are dealing with

does EWIDO still update??? try it please- I’d like to know
if it does it’s a fine scanner, especially if you paid for it (we have replaced using it by MBAM)
however support is going away and it’s not readily available by itself (AS AVG ANTI MALWARE) anymore
again- if you ran it and it found anything please post the log

I would not of thought of these two when you mentioned Anti Virus Apps :slight_smile:

and yes we will most likely replace EWIDO and AD-Aware with later model apps
Let’s get the malware removed

Hi, many thanks to the both of you for the quick reply’s. I am at work right now so I am unable to provide you with the necessary data that you requested.

I can answer a few questions though to start off:

My windows firewall was zonealarm but recently got rid of it and went with the regular windows firewall (you had mentioned that this is a no no??)

The things I have ran so far that I can remember were:

Super Anti-spyware - Didn’t detect much
Malware Bytes - which caught most of it since I ran this first
Rouge something- which didn’t catch anything
ad-aware - which was one of the last ones I ran
edwido - didn’t catch anything
spybot search and destroy - didn’t catch much

I think I kept the log from malware so I will post that…went through that and deleted some files that I knew were fishy and that I could get to.

I kept rebooting the pc to see if things would arise but avast didn’t catch anything…so then I ran hijackthis and it appears I still have a few things out there…I will run the suggested programs when I get home…and thanks again all

The Vista firewall has outbound protection disabled by default, when enabled it is rules based and you have to create the rules not particularly easy.

Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0.

One thing about the hjt that is not a virus, some falsely identify it as Agrobot.NL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

is a legitimate entry, not malware.

You have an older, therefore vulnerable, version of Java.

 *Download the latest version of Java Runtime Environment (JRE) here: http://javadl.sun.com /webapps/download/AutoDL?BundleId=23110
* Click the "Download" button to the right.
* Check the box that says: "Accept License Agreement".
* The page will refresh.
* Click on the link to download Windows Online Installation with or without Multi-language and save to your desktop.
* Close any programs you may have running - especially your web browser.
* Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
* Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the icon next to it.
* Click the Remove or Change/Remove button.
* Repeat as many times as necessary to remove each Java versions.
* Reboot your computer once all Java components are removed.
* Then from your desktop double-click to install the newest version.

polonus

If you googled the first 02 it is Yahoo Companion BHO
try and remove with add remove programs
or if you have spybot you can use one of the spybot tools
or start>programs> find the uninstaller
If you have already installed then FIX with HJT
If you do not know how to fix with hjt post back
essentially put a check mark next to those items to be removed
but the important part is to close all browser windows including this one
I shut down all programs

second and third 02 's look malicious
if you have run all the scanners you mentioned I would have thought they would be gone

lets run SDFIX
http://www.bleepingcomputer.com/forums/topic131299.html
post the log

try and do the updated avast boot time scan first, or Dr Web
in other words after any other scanners
then run a new hjt
if those items are there FIX them
post a new log
let me know if they were already gone or if you had to FIX them with HJT

cheers

when you update java uninstall all old versions
then run
javara
old versions are vulnerable
thanks polonus

firewall necessary thanks DavidR

Hi just ran SDFIX and here is the log…


SDFix: Version 1.224
Run by Administrator on Sat 09/13/2008 at 09:28 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Folder C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys#w*w.redtube.com - Removed

Removing Temp Files

ADS Check :

                             [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-13 09:34:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019"
“%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:
:Enabled:@xpsp3res.dll,-20000”

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019"
“%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:
:Enabled:@xpsp3res.dll,-20000”

Remaining Files :


What do you think?..

Will run another Hijackthis log after I update my java…

Here is my latest hijackthis log…


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:12 AM, on 9/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheweb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = By DSLExtreme
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp?r=al&cf=sp
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1221189996016&h=f62885de7a4eb4c0d842b9e8d8989b8e/&filename=jinstall-6u7-windows-i586-jc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


End of file - 5805 bytes

Before we FIX anything with HJT let’s recap
No Rootkit found with SD-FIX really goo
Verify that you ran the boot time avast scan and no rootkit found
look in avast chest and let me know of any RECENT entries (ignore the system backup files)
WE still do not know what MBAM, SAS and Spybot found (ignore cookies)
makes it hard to tell where to look next
Did you quarantine (or with MBAM actually REMOVE the hits) or does the log say “no action taken” or “ignored”
double check- people mess up on this all the time and I do not want to guess at your experience level
answer the question about EWIDO in previous post and review other questions

given that it’s your computer and you are satisfied with the above

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch

try and remove with add remove programs or Start>Programs >uninstall
then if still there with next HJT fix it

Where did th O2-s go they did not go away by themselves
did you remove them
Or
did a program get them
if so which one?