Hi Roofel,
Did you see this Norwegian link?: http://forumet.no/index.php?s=7eef383fa07125bd199b9f0e9613952b&showtopic=65982
polonus
Yep, I did see it. It didn't exactly resolve my problem… I know because I posted it some time ago.
I also found some registry keys about vmover.exe:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VMOVER.EXE]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VMOVER.EXE\0000]
"Service"="Vmover.exe"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Aelita DMW Migration Agent"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vmover.exe]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,56,\
00,6d,00,6f,00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Aelita DMW Migration Agent"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vmover.exe\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
ControlSet002
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VMOVER.EXE]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VMOVER.EXE\0000]
"Service"="Vmover.exe"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Aelita DMW Migration Agent"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vmover.exe]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,56,\
00,6d,00,6f,00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Aelita DMW Migration Agent"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vmover.exe\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vmover.exe\Enum]
"0"="Root\\LEGACY_VMOVER.EXE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
ControlSet003
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VMOVER.EXE]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VMOVER.EXE\0000]
"Service"="Vmover.exe"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Aelita DMW Migration Agent"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Vmover.exe]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,56,\
00,6d,00,6f,00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Aelita DMW Migration Agent"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Vmover.exe\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
CurrentControlSet
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMOVER.EXE]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMOVER.EXE\0000]
"Service"="Vmover.exe"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Aelita DMW Migration Agent"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vmover.exe]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,56,\
00,6d,00,6f,00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Aelita DMW Migration Agent"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vmover.exe\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vmover.exe\Enum]
"0"="Root\\LEGACY_VMOVER.EXE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Had to post this in a new post because it exceeded the character limit of 10000 chars.
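The export above is readable once the hex(2) ImagePath is decoded: REG_EXPAND_SZ data in a .reg file is stored as comma-separated UTF-16LE bytes, continued across lines with a trailing backslash. The following parser is an added example written for this thread, not code from the forum or from any tool named here; it joins the continuation lines, decodes the string, dword and hex values, and translates the service Type/Start numbers into their Win32 names. The SAMPLE_REG text is a constructed copy of the posted CurrentControlSet service key.

```python
"""Parse a .reg export fragment and decode the service values it contains.

Added example for the thread above, not from the forum or any vendor tool.
"""
import re

# Constructed sample: the CurrentControlSet service key from the posted export.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vmover.exe]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,56,\
  00,6d,00,6f,00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Aelita DMW Migration Agent"
"ObjectName"="LocalSystem"
'''

# Values of the SERVICE_* constants used in Services\<name>\Type and \Start.
SERVICE_TYPES = {0x01: "KERNEL_DRIVER", 0x02: "FILE_SYSTEM_DRIVER",
                 0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _join_continuations(text):
    """Merge lines that end in a backslash (hex data wrapped by regedit)."""
    lines, buf = [], None
    for raw in text.splitlines():
        line = raw.strip()
        buf = line if buf is None else buf + line
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        lines.append(buf)
        buf = None
    if buf is not None:
        lines.append(buf)
    return lines


def _decode_data(data):
    """Turn the right-hand side of a .reg value line into (type, value)."""
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", re.sub(r'\\(.)', r'\1', data[1:-1]))  # unescape \\ and \"
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = re.match(r'hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$', data)
    if m:
        kind = int(m.group("t"), 16) if m.group("t") else 3  # bare hex: is REG_BINARY
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
        if kind == 2:  # REG_EXPAND_SZ is stored as NUL-terminated UTF-16LE
            return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00"))
        return ("REG_BINARY" if kind == 3 else f"hex({kind})", raw)
    raise ValueError(f"unrecognised value data: {data!r}")


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}} for a .reg fragment."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _decode_data(m.group("data"))
    return keys


def describe_service(values):
    """Summarise a Services\\<name> key in the terms the SCM uses."""
    type_raw = values["Type"][1]
    return {
        "type": SERVICE_TYPES.get(type_raw & 0xFF, hex(type_raw)),
        "interactive": bool(type_raw & 0x100),  # SERVICE_INTERACTIVE_PROCESS
        "start": START_TYPES.get(values["Start"][1], str(values["Start"][1])),
        "image_path": values["ImagePath"][1],
        "account": values.get("ObjectName", ("REG_SZ", "LocalSystem"))[1],
    }


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for field, value in describe_service(values).items():
            print(f"  {field:12} {value}")
```

Run stand-alone it prints the decoded key: a WIN32_OWN_PROCESS service, DEMAND_START (so it is not launched automatically at boot), image `%SystemRoot%\System32\Vmover.exe`, running as LocalSystem. That matches the O23 line HijackThis reports for the same service, which is a useful cross-check when deciding whether an entry is worth chasing.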
Really good news about the MBAM and SAS scans.
Nothing new in your HJT.
You know the issues with the O23.
The O16s are gone.
Do you use all the toolbars? Remove the ones you do not use by conventional means.
Do you use
C:\Program Files\Windows Live\Messenger\msnmsgr.exe? Double check, or remove and reinstall.
I usually only see oddball locations in Vista.
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
Not dangerous, but unnecessary; uses resources.
Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (i.e., i810). These chipsets are often included on motherboards. Available via Start → Settings → Control Panel.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Unknown
O4 - Global Startup: gamma.hta
Google the O4 ctfmon; not usually necessary at boot time (and the file above).
see
http://support.microsoft.com/kb/282599
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4: Not dangerous, but unnecessary. QuickTime.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Not dangerous, but unnecessary
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
This entry should be fixed if this address does not belong to your PC manufacturer or your Internet Service Provider (ISP).
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe Is this really necessary?
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
Possibly nasty! According to our database this process runs normally in c:\programme\msn messenger!
You have both Windows Live Messenger and MSN Messenger.
Is one Instant Messenger and the other "Windows Messenger - to enhance your internet experience"??)
You need to get SP3 installed.
Run Secunia Software Inspector.
Clean up with CCleaner or ATF Cleaner.
Defrag.
New restore point.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04, on 2008-10-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: avast!.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Global Startup: gamma.hta
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207918024609
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\Software..\Telephony: DomainName = no.via.as
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = no.via.as
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5366 bytes
Gonna fix Ctfmon later on; did Step 1 in the Microsoft link you had.
Installed SP3 last night. Meant I had installed it, but I hadn't.
The new Live Messenger (formerly MSN Messenger) is placed in Program Files\Windows Live\Messenger\
I had uninstalled MSN Messenger but some files were still left behind by the installer. Removed them, and the entry said Missing File, so I deleted it.
I got OpenOffice installed on my PC because the school and such use OpenOffice.
Is it possible to just remove the Office pack and therefore remove Ctfmon and all that?
I don't know if that is a bad thing or not:
Pros:
Getting more space on the PC
It's kinda unnecessary to have since I've got OpenOffice.
Cons:
Might mess up my PC :S
Yes. Just use Add/Remove programs. Boot after it.
Avoid using registry cleaners (even Revo Uninstaller) to remove Microsoft Office. It's too deeply embedded in Windows. You must avoid messing with it; let only the uninstaller do its job.
Seeing as you cannot boot in safe mode, you could try using the Avira Rescue CD, I guess; it's the same as a boot-time scan. It allows you to scan without booting into Windows. It is really meant for PCs that cannot be booted, but I have read of people using it even though they can boot. You download the disc, then double click on it. You will then be prompted to burn the program to CD; the download contains the latest definitions, so no need to update. Insert the CD and reboot. Then choose option 2 (boot into rescue system). Choose your language, English or German, then press SPACE, then Enter. Then choose scan and Enter. Apparently you are recommended to back up your data, so it is NOT WITHOUT RISK.
Regarding the gamma.hta entry, I can find very little; most of the hits are from you (some Norwegian). I still think that's odd. But I am a total beginner. One other hit, oddly, was from someone who had exactly the same problem as you (3 years ago). Your submission: http://www.virustotal.com/analisis/67f96cc15fdac09462b880639a80e5c4
http://newsgroups.derkeiler.com/Archive/Alt/alt.comp.anti-virus/2005-08/msg00464.html
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
Newest HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04, on 2008-10-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: avast!.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Global Startup: gamma.hta
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207918024609
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\Software..\Telephony: DomainName = no.via.as
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = no.via.as
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5351 bytes
I have removed Microsoft Office and rebooted, so it is gone now. Is it safe to "fix" the Ctfmon entries and Excel from it? ^^,
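The two HijackThis logs in this thread were triaged by hand: the helpers singled out the `gamma.hta` Global Startup item, the O23 service living directly in System32 under a non-Microsoft vendor name, and the O10 LSP entry pointing at a missing DLL. The script below is an added example, not part of the thread or of HijackThis, that applies those same three heuristics mechanically over log lines; SAMPLE_LOG is a constructed subset of the posted log (the `HKLM\..\Run` form is the real HJT spelling, which the forum copy had flattened). A hit is a prompt to look closer, not a verdict: a legitimate third-party service can also sit in System32.

```python
"""Triage a HijackThis log for entries worth a second look.

Added example for the thread above, not from the forum or from HijackThis.
Heuristics mirror what the helpers checked by hand:
  * O4 Global Startup items that are script files (.hta, .vbs, ...)
  * O23 services from a non-Microsoft vendor placed directly in System32
  * O10 LSP entries whose provider DLL is missing
"""
import re

# Constructed sample: a subset of the O4/O10/O23 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - Startup: avast!.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Global Startup: gamma.hta
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Extensions the Windows Script Host / mshta will execute from a Startup folder.
SCRIPT_EXT = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
# Folders where a vendor name other than Microsoft deserves a second look.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")


def triage(log_text):
    """Return a list of (section, item, reason) tuples for suspicious lines."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, or blank line
        sec, body = m.group("sec"), m.group("body")

        if sec == "O4" and body.startswith("Global Startup:"):
            item = body[len("Global Startup:"):].strip()
            # "name.lnk = target" for shortcuts; a bare file name otherwise
            target = item.split(" = ", 1)[-1]
            if target.lower().endswith(SCRIPT_EXT):
                findings.append((sec, item, "script file in the all-users Startup folder"))

        elif sec == "O10" and "missing" in body.lower():
            findings.append((sec, body, "LSP entry refers to a missing DLL"))

        elif sec == "O23" and body.startswith("Service:"):
            # Layout: "Service: <name> - <vendor> - <path>"
            parts = [p.strip() for p in body[len("Service:"):].split(" - ")]
            if len(parts) >= 3:
                name, vendor, path = parts[0], parts[-2], parts[-1]
                folder = path.rsplit("\\", 1)[0].lower()
                if folder in SYSTEM_DIRS and "microsoft" not in vendor.lower():
                    findings.append(
                        (sec, name, f"non-Microsoft service ({vendor}) placed directly in {folder}"))
    return findings


if __name__ == "__main__":
    for sec, item, reason in triage(SAMPLE_LOG):
        print(f"{sec}: {item}\n    -> {reason}")
```

Run as-is it reports exactly the three lines the thread discussed and stays quiet on the avast! and ZoneAlarm entries (vsmon.exe sits in its own ZoneLabs subfolder, not directly in System32). The O23 check deliberately keys on vendor plus location rather than on file names, so it does not depend on already knowing what Vmover.exe is.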
Where exactly did you extract the file that you submitted to VirusTotal? Was it from the Chest?
Yes, I extracted it from the Chest to a folder while having the folder in the avast! exception list. Why do you wonder?
As said above, I would not FIX MS OFFICE or EXCEL entries with HJT.
Let's find another guinea pig who has tried it successfully first.
Is there more removal info in the MS tech link?
Amazing VirusTotal report.
Have we run an online AV scan like BitDefender etc.? (Watch for FPs.)
Have we run the Trend Micro anti-rootkit scan? (Any hidden re-installers?)
HJT looks good.
Hi:
Except he still has that malware-prone Adobe Reader that I posted about, with a link to IMPORTANT info posted by polonus.
Any reason why you are still using the vulnerable IE6?
IE7 has much more security:
http://technet.microsoft.com/en-us/library/cc512583.aspx
http://articles.techrepublic.com.com/5100-10878_11-6130844.html
Using Firefox for everything, so updating IE hasn't been first priority xD. It doesn't show up at Windows Update and it's not under "hidden updates" in Windows Update -.-
Well, Foxit Reader is only a trial, so I'd rather stick to Adobe Reader (might not be updated though; thought I had done it last time I opened it).
+---------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.2.0.1014
+---------------------------------------------------
--== Dump Hidden MBR and Hidden File on C:\ ==--
No hidden files found.
--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.
--== Dump Hidden Process ==--
No hidden processes found.
--== Dump Hidden Driver ==--
No hidden drivers found.
I've run several online scans from Trend Micro's and recommended ones from IT sites.
Didn't exactly think of having 3 posts in a row but… yeah.
Foxit Reader (http://www.foxitsoftware.com/) isn't a trial; it is freeware and what I use for PDFs. If you have that, then you could get rid of Acrobat completely, so no need to update it.
The site I was on was giving it out for a trial period (most likely the Pro version), but I have uninstalled Adobe Reader and installed Foxit Reader. It's a lot faster than Adobe also, so xD
No one got any more suggestions? ???
Did you try the Avira CD?