Trojan: small

Hi

I seem to have gotten a rather persistent virus. I have tried a number of different tools, but not with a positive outcome. This is beginning to get on my nerves, so any help is very welcome.

Symptoms:
Avast keeps giving me security warnings on 3 or 4 different infections every 4 or 5 minutes, even when not browsing. Below are the warnings from the last hour.
Also, the disc cleanup wizard tells me that there’s only 80 MB left on my system drive, when explorer’s status bar tells me that there’s 1800. I have no idea if this is a symptom of an infection.
My IE recently began trying to redirect me when opening. Spyware Doctor prevented this.

Avast Warning log from today.
7/2/2006 11:07:27 1151831247 Administrator 1940 Sign of "Win32:Small-EK [Trj]" has been found in "D:\WINDOWS\system32\{EFF6DBBA-51B0-4F1C-84F1-A3334E1FC021}.exe" file.
02-07-2006 11:16:17 1151831777 Administrator 1940 Sign of "Win32:Adan-094 [Adw]" has been found in "D:\WINDOWS\system32\{7EB70D4A-995C-466E-8516-F74F891A39CC}.exe" file.
02-07-2006 11:16:21 1151831781 Administrator 1940 Sign of "Win32:Adan-078 [Adw]" has been found in "D:\WINDOWS\system32\{6C81AD27-D192-4976-A8F7-5BA7CF7E34C0}.exe" file.
02-07-2006 11:22:33 1151832153 Administrator 1940 Sign of "Win32:Small-EK [Trj]" has been found in "D:\WINDOWS\system32\{082396FF-9562-45B2-8DDA-7B9BA1EF6307}.exe" file.
02-07-2006 11:22:58 1151832178 Administrator 1940 Sign of "Win32:Adan-094 [Adw]" has been found in "D:\WINDOWS\system32\{23351BFD-8C76-40CC-89C7-59785E28C0BB}.exe" file.
02-07-2006 11:23:07 1151832187 Administrator 1940 Sign of "Win32:Adan-078 [Adw]" has been found in "D:\WINDOWS\system32\{743DF37F-B4F0-400A-9D06-418AD4DAD394}.exe" file.
02-07-2006 11:29:43 1151832583 Administrator 1940 Sign of "Win32:Small-EK [Trj]" has been found in "D:\WINDOWS\system32\{CCCFE177-51A1-46D0-BA24-FA4315B5A9DD}.exe" file.
02-07-2006 11:36:49 1151833009 Administrator 1940 Sign of "Win32:Adan-094 [Adw]" has been found in "D:\WINDOWS\system32\{128F5FCE-69FF-4221-81E2-BF8A19E164AC}.exe" file.
02-07-2006 11:36:55 1151833015 Administrator 1940 Sign of "Win32:Adan-078 [Adw]" has been found in "D:\WINDOWS\system32\{74D8E042-8D95-49AF-AF2A-279A934CB0EA}.exe" file.
02-07-2006 11:42:59 1151833379 Administrator 1940 Sign of "Win32:Small-EK [Trj]" has been found in "D:\WINDOWS\system32\{0AF06AE1-B5F1-4EC4-AADA-226D794D581C}.exe" file.
02-07-2006 11:43:05 1151833385 Administrator 1940 Sign of "Win32:Adan-094 [Adw]" has been found in "D:\WINDOWS\system32\{3F2B2576-B90E-433E-9360-BA0E0E1ED4F8}.exe" file.
02-07-2006 11:43:10 1151833390 Administrator 1940 Sign of "Win32:Adan-078 [Adw]" has been found in "D:\WINDOWS\system32\{7D3AEAEB-33B6-4FE8-84A6-8B698E9F93CE}.exe" file.
02-07-2006 11:49:16 1151833756 Administrator 1940 Sign of "Win32:Small-EK [Trj]" has been found in "D:\WINDOWS\system32\{CCE72BFC-4ABD-48B0-B3F1-4671C0E0F6BC}.exe" file.
02-07-2006 11:49:22 1151833762 Administrator 1940 Sign of "Win32:Adan-094 [Adw]" has been found in "D:\WINDOWS\system32\{E2EDFC0A-4AF6-467F-B377-8D11CA30A82A}.exe" file.
02-07-2006 11:49:26 1151833766 Administrator 1940 Sign of "Win32:Adan-078 [Adw]" has been found in "D:\WINDOWS\system32\{23D1C13F-69D6-4E93-AA48-61A25CD905E9}.exe" file.
02-07-2006 11:55:38 1151834138 Administrator 1940 Sign of "Win32:Small-EK [Trj]" has been found in "D:\WINDOWS\system32\{66131BE3-33E4-4733-8FF8-3019001FEE78}.exe" file.
02-07-2006 11:55:40 1151834140 Administrator 1940 Sign of "Win32:Adan-094 [Adw]" has been found in "D:\WINDOWS\system32\{33CF138D-E935-4906-835A-9C416D3287E5}.exe" file.
02-07-2006 11:55:47 1151834147 Administrator 1940 Sign of "Win32:Adan-078 [Adw]" has been found in "D:\WINDOWS\system32\{1FDBE687-CE5F-455A-A564-B1277F2C49A5}.exe" file.

Below are earlier excerpts from the Avast warning log with other infections. The date is the latest occurrence. The number of occurrences is written in brackets.

29-06-2006 19:09:41 1151600981 Administrator 1840 Sign of “VBS:Malware [Gen]” has been found in “D:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7bf78472-5fcb7126.zip\BlackBox.class” file. (7 occurrences)
29-06-2006 19:09:41 1151600981 Administrator 1840 Sign of “VBS:Malware [Gen]” has been found in “D:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7bf78472-5fcb7126.zip\VerifierBug.class” file. (7 occurrences)
29-06-2006 19:09:41 1151600981 Administrator 1840 Sign of “VBS:Malware [Gen]” has been found in “D:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7bf78472-5fcb7126.zip\Dummy.class” file. (7 occurrences)
29-06-2006 19:09:41 1151600981 Administrator 1840 Sign of “VBS:Malware [Gen]” has been found in “D:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7bf78472-5fcb7126.zip\Beyond.class” file. (7 occurrences)
29-06-2006 19:32:55 1151602375 Administrator 1840 Sign of "VBS:Malware [Gen]" has been found in "D:\Documents and Settings\Administrator\Local Settings\Temp\_avast4_\unp9399892.tmp" file. (35 occurrences)
6/29/2006 23:44:55 1151617495 Administrator 1676 Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\WINDOWS\system32\{1EE07006-1399-4D99-9C61-25004B89454B}.exe" file. (1 occurrence)
29-06-2006 23:52:23 1151617943 Administrator 1676 Sign of "Win32:Small-TG [Trj]" has been found in "D:\WINDOWS\system32\{B2541EC6-2A9C-45EA-A414-6CA4CE48C770}.exe" file. (1 occurrence)

(continued in next post)

I also tried a search with Spyware Doctor from PC Tools. It has given me the most extensive search results. Log below.

Infection Name, Location, Risk
Radlight D:\Documents and Settings\Administrator\My Documents\my deliveries\cnet Medium
Radlight D:\Documents and Settings\Administrator\My Documents\my deliveries\cnet\MediaMonkey_Setup.exe Medium
Radlight D:\Documents and Settings\Administrator\My Documents\my deliveries\cnet\tmpcache Medium
Radlight D:\Documents and Settings\Administrator\My Documents\my deliveries\cnet\trillian-v0.74f.exe Medium
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\NEW VIAGRA at Half Price!.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Online Pharmacy High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Online Pharmacy\CHEAPEST VIAGRA ONLINE.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Online Pharmacy\Cialis at HALF PRICE!.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Online Pharmacy\Fast Way To Loose Your Weight!.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Online Pharmacy\Guaranteed low price at Pills…url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Online Pharmacy\SOMA at Special LOW PRICE.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Online Pharmacy\Tramadol Special Offer!.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Online Pharmacy\Try New VIAGRA! Works Faster and Longer!.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Order CIALIS online without leaving home…url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\PC protection in under 2 minutes!.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Spyware Uninstall High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Spyware Uninstall\Easy Detect and Uninstall Spyware…url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Spyware Uninstall\Free Spyware Scanner…url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Spyware Uninstall\Search & Destroy Annoying Adware…url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Spyware Uninstall\Stop PopUps on your PC…url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\Stop PopUps On Your Computer.url High
Trojan.Qhosts D:\Documents and Settings\All Users\Favorites\VIAGRA at incredible low price. Bonus Pills!.url High
Trojan.Downloader.Domcom D:\WINDOWS\Downloaded Program Files\ipreg32.inf Medium
Web–Search D:\WINDOWS\Downloaded Program Files\webdlg32.inf Elevated
Trojan.Downloader.Ruins D:\WINDOWS\system32\{1BFB5E27-CEEC-49B3-A5D0-C7A6BFA29820}.exe High
Trojan.Qhosts D:\WINDOWS\system32\filesafer23.exe High
Trojan.Downloader.Zlob.GEN HKCR\Media-Codec.Chl High
Trojan.Downloader.Zlob.GEN HKCR\Media-Codec.Chl## High
Trojan.Downloader.Zlob.GEN HKCR\Media-Codec.Chl\CLSID High
Trojan.Downloader.Zlob.GEN HKCR\Media-Codec.Chl\CLSID## High
KillAndClean HKCU\Software\KillAndClean High
KillAndClean HKCU\Software\KillAndClean## High
KillAndClean HKCU\Software\KillAndClean\FirstRun High
KillAndClean HKCU\Software\KillAndClean\FirstRun## High
KillAndClean HKCU\Software\KillAndClean\Options High
KillAndClean HKCU\Software\KillAndClean\Options## High
KillAndClean HKCU\Software\KillAndClean\Options##AutoScanOnStartup High
KillAndClean HKCU\Software\KillAndClean\Options##EnableMonitor High
KillAndClean HKCU\Software\KillAndClean\Options##StartWithWindows High
KillAndClean HKCU\Software\KillAndClean\Registration High
KillAndClean HKCU\Software\KillAndClean\Registration## High
WareOut HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF69DF00-2734-477F-8257-27CD04F88779} High
WareOut HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF69DF00-2734-477F-8257-27CD04F88779}## High
WareOut HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF69DF00-2734-477F-8257-27CD04F88779}\iexplore High
WareOut HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF69DF00-2734-477F-8257-27CD04F88779}\iexplore## High
WareOut HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF69DF00-2734-477F-8257-27CD04F88779}\iexplore##Count High
WareOut HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF69DF00-2734-477F-8257-27CD04F88779}\iexplore##Time High
WareOut HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF69DF00-2734-477F-8257-27CD04F88779}\iexplore##Type High
KillAndClean HKCU\Software\Microsoft\Windows\CurrentVersion\Run##KillAndClean High
Trojan.PWSteal.Lineage HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BluetoothAuthenticationAgent High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls## High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##23plhps High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##32refaselif High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##eno High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##evif High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##gib_ogol High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##llun High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##mgcppp High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##repiwoh High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##ruof High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##swen High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##tesvaf High
Trojan.Downloader.Ruins HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls##xedocne High
Trojan.DNS Changer HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2A931023-018B-4519-B266-3C6979202A7B}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{38F27918-6607-4E4E-ABA3-062CCDF4A614}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{40315872-64B5-452A-AE33-A8D9089EEAB7}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{69AB0824-5B59-4AA7-87AC-17EB0E5C2571}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2A931023-018B-4519-B266-3C6979202A7B}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2DEF5570-D2D5-4174-9DB4-26FB1AE47E98}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{38F27918-6607-4E4E-ABA3-062CCDF4A614}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{40315872-64B5-452A-AE33-A8D9089EEAB7}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{69AB0824-5B59-4AA7-87AC-17EB0E5C2571}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2A931023-018B-4519-B266-3C6979202A7B}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{38F27918-6607-4E4E-ABA3-062CCDF4A614}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{40315872-64B5-452A-AE33-A8D9089EEAB7}##NameServer High
Trojan.DNS Changer HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{69AB0824-5B59-4AA7-87AC-17EB0E5C2571}##NameServer High
Trojan.PWSteal.Lineage multiple High
Trojan.PWSteal.Lineage rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent High

Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 12:25:21, on 02-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
D:\Program Files\Avast4\aswUpdSv.exe
D:\Program Files\Avast4\ashServ.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Bluetooth\Bluetooth-software\bin\btwdins.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\HHVcdV6Sys\VC6SecS.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Avast4\ashMaiSv.exe
D:\Program Files\Avast4\ashWebSv.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft Hardware\Keyboard\type32.exe
D:\Program Files\HHVcdV6Sys\VC6Play.exe
D:\PROGRA~1\Avast4\ashDisp.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\Adobe\Distillr\Acrotray.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows CE Services\WCESCOMM.EXE
D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Bluetooth\Bluetooth-software\BTTray.exe
D:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
D:\PROGRA~1\BLUETO~1\BLUETO~1\BTSTAC~1.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\WINDOWS\notepad.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Internet Explorer\iexplore.exe
E:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {F996C4BF-3B19-024C-BAC4-EE6DD2719D45} - keybdll.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [imekrmig7.0] "D:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [IMSCMig] D:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [CJIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [IMJPMIG9.0] D:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [IntelliType] "D:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VC6Player] D:\Program Files\HHVcdV6Sys\VC6Play.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [jopplerg] StartCpl.exe
O4 - HKLM\..\Run: [TorontoMail] powerdll.exe
O4 - HKLM\..\Run: [jcyak.exe] D:\WINDOWS\system32\jcyak.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Windows CE Services\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [FreeMem Pro] "E:\PROGRA~1\FREEME~1\fmempro.exe" autostart
O4 - HKCU\..\Run: [KillAndClean] "D:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [iehelper] cmon14.exe
O4 - HKCU\..\Run: [___] keybdll.exe
O4 - HKCU\..\Run: [jopplerg] keybdll.exe
O4 - Startup: PeriodicWallpaper.lnk = E:\Program Files\Desktop Sinfest\PeriodicWallpaper.exe
O4 - Startup: Shortcut to BTTray.lnk = D:\Program Files\Bluetooth\Bluetooth-software\BTTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth - D:\Program Files\Bluetooth\Bluetooth-software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Windows CE Services\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Windows CE Services\inetrepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Windows CE Services\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\Bluetooth\Bluetooth-software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\Bluetooth\Bluetooth-software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.e-boks.dk
O15 - Trusted Zone: www.gmail.com
O15 - Trusted Zone: www.zonkers.homeip.net
O15 - Trusted Zone: www.kmd.dk
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: www.nrk.no
O15 - Trusted Zone: *.skype.com
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A931023-018B-4519-B266-3C6979202A7B}: NameServer = 85.255.115.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DEF5570-D2D5-4174-9DB4-26FB1AE47E98}: NameServer = 85.255.115.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{38F27918-6607-4E4E-ABA3-062CCDF4A614}: NameServer = 85.255.115.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{40315872-64B5-452A-AE33-A8D9089EEAB7}: NameServer = 85.255.115.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{69AB0824-5B59-4AA7-87AC-17EB0E5C2571}: NameServer = 85.255.115.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A931023-018B-4519-B266-3C6979202A7B}: NameServer = 85.255.115.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.146
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - D:\WINDOWS\system32\btxppanel.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\Bluetooth\Bluetooth-software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Virtual CD v6 Management Service (VC6SecS) - H+H Software GmbH - D:\Program Files\HHVcdV6Sys\VC6SecS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

Spybot S&D came up with a single entry:
Pipas.a HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\ruins

I tried:

  • Of course: cleaning it with Avast, didn’t help
  • reset of internet temp files and cookies
  • deletion of temp files using disc cleanup
  • Avast full scan
  • avast boot-time scan
  • Trendmicro housecall scan (windows in safe mode)
  • Adaware scan (windows in safe mode)
  • EWIDO scan & fix (caught something, but problem persists)
  • a-squared scan and fix.
  • Spyware Doctor scan.
  • Spybot S&D

And now I'm running out of ideas.

System info:
WinXP pro, sp2. Not updated lately :wink:
Zonealarm, Avast, hardware firewall (router). Firefox 1.0.7 and IE6
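The HijackThis log above carries two patterns worth checking mechanically on any log of this kind: O17 NameServer values pointing at an address outside the LAN (the DNS-changer entries), and O4 Run entries that name a bare executable with no path or reuse one entry name for two different commands (jopplerg, keybdll.exe, cmon14.exe). The script below is an added example, not code from this thread or from HijackThis; KNOWN_GOOD and ALLOWED_DNS are assumptions an operator would maintain, and SAMPLE_LOG is constructed from lines posted in the thread.

```python
"""Triage HijackThis-style O4 (Run) and O17 (NameServer) lines.

Added example, not code from this thread or from HijackThis. KNOWN_GOOD and
ALLOWED_DNS are assumptions; SAMPLE_LOG is constructed from the thread's log.
"""
import re
from ipaddress import ip_address, ip_network

# Run-entry executables that legitimately appear as a bare name or under
# system32 (assumption: built from the benign entries in the thread's log).
KNOWN_GOOD = {"ctfmon.exe", "rundll32", "rundll32.exe", "logi_mwx.exe", "nwiz.exe"}
# Where this box's resolvers should live (assumption: the poster is behind a
# router, so DNS is expected on the LAN rather than on a public address).
ALLOWED_DNS = ("192.168.0.0/16", "10.0.0.0/8")

# HijackThis writes O4 lines as   O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# and O17 lines as   O17 - <registry key>: NameServer = <ip> [<ip> ...]
O17_RE = re.compile(r"^O17 - (.+): NameServer = (.+)$")

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [jopplerg] StartCpl.exe
O4 - HKLM\..\Run: [TorontoMail] powerdll.exe
O4 - HKLM\..\Run: [jcyak.exe] D:\WINDOWS\system32\jcyak.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iehelper] cmon14.exe
O4 - HKCU\..\Run: [___] keybdll.exe
O4 - HKCU\..\Run: [jopplerg] keybdll.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A931023-018B-4519-B266-3C6979202A7B}: NameServer = 85.255.115.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.146
"""


def executable_of(command):
    """Return the program token of a Run-entry command, quotes stripped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_o4(lines):
    """Flag Run entries that resolve from the search path, run an unknown
    binary out of system32, or reuse one entry name for different commands."""
    findings = []
    commands_by_name = {}
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        exe = executable_of(command)
        base = exe.rsplit("\\", 1)[-1].lower()
        where = f"{hive} [{name}] {exe}"
        if "\\" not in exe and base not in KNOWN_GOOD:
            findings.append(("bare-filename-run-entry", where))
        elif "\\system32\\" in exe.lower() and base not in KNOWN_GOOD:
            findings.append(("unknown-system32-run-entry", where))
        commands_by_name.setdefault(name, set()).add(command)
    for name, cmds in commands_by_name.items():
        if len(cmds) > 1:
            findings.append(("run-entry-name-reused", f"[{name}] {sorted(cmds)}"))
    return findings


def triage_o17(lines, allowed=ALLOWED_DNS):
    """Flag every NameServer address that is outside the allowed networks."""
    nets = [ip_network(n) for n in allowed]
    findings = []
    for line in lines:
        m = O17_RE.match(line)
        if not m:
            continue
        key, servers = m.groups()
        for server in servers.split():
            try:
                addr = ip_address(server)
            except ValueError:
                findings.append(("unparsable-nameserver", f"{key}: {server}"))
                continue
            if not any(addr in net for net in nets):
                findings.append(("unexpected-nameserver", f"{key}: {server}"))
    return findings


def triage(log_text, allowed=ALLOWED_DNS):
    """Run both checks over a whole log and return (category, detail) pairs."""
    lines = log_text.strip().splitlines()
    return triage_o4(lines) + triage_o17(lines, allowed)


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:28} {detail}")
```

Entries that are flagged are candidates for review, not verdicts: a bare name such as Logi_MwX.Exe is legitimate on this box, which is what the allow-list is for.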

Well, it’s becoming hard…
Do you have a second Windows installation on D:, perhaps Vista?
Did you try disabling system restore, boot, scan again?
I’ll try to think but this one seems difficult…

Actually, it's a perhaps and a yes. I had trouble updating Windows, so I did a new install. Every time I boot my system, I get to choose from two identical Windows XPs. Of course, they are not identical, but the text doesn't show that.

I did disable system restore at an early point in the process described. Can’t remember exactly where, tho…

Hi andreads,

You should update Windows if you can.

These might be causing you some trouble:

O4 - HKCU\..\Run: [KillAndClean] "D:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [iehelper] cmon14.exe
O4 - HKCU\..\Run: [___] keybdll.exe

You can read a little about Kill and Clean at Spyware Warrior

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Cmon14.exe and keybdll.exe might be trojans but I'm not sure. You should wait for more input from other users on these.

Also, the online analysis says this might be suspicious

O4 - HKLM..\Run: [jcyak.exe] D:\WINDOWS\system32\jcyak.exe

You can view the entire analysis here

http://www.hijackthis.de/logfiles/8657239090458b3022d0837b4f77fed0.html

Have you tried scanning with Ewido and Spybot S&D yet?

Edit: Do you normally boot from your D: Drive?

Check this page, you are infested with WareOut: http://www.superadblocker.com/definition/keybdll/ Bear with me, I'll see if I can find a fix.

Also get HJT to fix these

R3 - URLSearchHook: (no name) - {F996C4BF-3B19-024C-BAC4-EE6DD2719D45} - keybdll.dll (file missing)
O4 - HKLM\..\Run: [jopplerg] StartCpl.exe
O4 - HKLM\..\Run: [jcyak.exe] D:\WINDOWS\system32\jcyak.exe
O4 - HKCU\..\Run: [KillAndClean] "D:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [___] keybdll.exe
O4 - HKCU\..\Run: [jopplerg] keybdll.exe

Then delete the named files; the ones with no location are probably in system32.

Then in Add/Remove Programs uninstall Kill and Clean, then delete the D:\Program Files\KillAndClean folder.

Then run a safe mode scan with an updated Ewido.

If you have 2 Windows installs on different partitions you can delete the one you don't want (just the Windows folder initially), then run msconfig, select the boot.ini tab, then select "check all boot paths". This will remove the second Windows from your boot list. On reboot you will see the msconfig editor; just check "don't show this again".

fix here http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure “Run fixit” is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Then download killbox from http://www.killbox.net/

Please double-click Killbox.exe to run it.
Select Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).

D:\Program Files\KillAndClean\KillAndClean.exe
D:\WINDOWS\system32\jcyak.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

Brilliant. It worked. Thank you so much for your help. I got rid of it in just over an hour, most of it being spent waiting for EWIDO to scan.

Killbox showed a PendingFileRenameOperations message: file deleted by external process. Can't seem to find either that or the jcyak.exe using the search tool in Explorer and a manual look-up.

Anyways, it appears that the virus has left the building. Thanks again, I am in your debt.

Looks like it worked. If you haven't got SpywareBlaster from Javacool I'd get it, install it and update it. It will keep most of the nasties off your system.