Browser HiJacked-Can't Run Tools

[tso127]

Hi!

I've got exactly the same kind of problem with my computer as Hogan. I tried to follow the help he got, but got stuck as I couldn't install the SDFix. I managed to download SDFix.exe from the third link (in 10th post) but when I try to execute it nothing happens. The same problem occurred with MBA-M.

For what it's worth alone, I I'll post my HjT-log. At first I tried to remove some suspicious items with HjT with the help of some online analyzers, but after reading this thread I've restored them.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:29:30, on 2.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 3DO Registration.lnk = D:\Pelit\HoMM 3\Register\Remind32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SSH Tectia Broker.lnk = C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6636 bytes

P.S.
Sorry if I messed up this thread: I wasn't sure if you tend to handle all problems in their own thread or the same kind of problems in th same thread.

[jholland1964]

These two programs;
a-squared Anti-Malware Service and Lavasoft Ad-Aware Service should be TURNED OFF in services.
Do it this way, go to Start, Control Panel, Administrative Tools, Services.
This will open Services. The list is in alphabetical order. Double click a-squared listing. The the properties box for this opens first go down to the bottom and STOP the service. Once it is stopped then in the middle you will see Start up type, it is set to automatic. Click the little arrow next to Automatic and when the drop down menu opens choose Disabled.
Do the same thing for Lavasoft Ad-Aware Service.
Are you ABSOLUTELY certain you have restored all items you fixed with HJT?
I frankly see nothing wrong on your log.

See if renaming these programs will help.
Right click on SDFix and choose Rename. Then type in the following;
analyze and hit the Enter Key. Then try to double click to extract the file.
Do the same with MBA-M
If both renaming work then follow the instructions for running the tools
SDFix:
It must be run in SAFE MODE.

1. Now, double-click on the SDFix icon that should now be residing on your desktop. If a Open File - Security Warning box opens, click on the Run button.
2. A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.

Next, please reboot your computer into Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Click on the Start button, click on the Run menu option, and type the following into the Open: field:

C:\SDFix\RunThis.bat

Then press the OK button. You will then be shown a Disclaimer. Press the "Y" key to continue.
SDFix will now start scanning your computer for known infections.
This process can take a while, so you may want to do something else and periodically check back on the status of SDFix. As the scanning process continues you will continue to see new messages on the screen.
When the scanning process has finished you will see a new screen stating that you need to restart your computer in order to continue.
At this point you should press any key on your computer's keyboard in order to restart the computer.
After your computer reboots SDFix will automatically start and perform a last check.
You will now be presented with a screen stating that SDFix has finished.
At this point you should press any key on your computer's keyboard in order to continue to your desktop.
When you are back at your Windows desktop, the SDFix log will automatically be opened in notepad.
Save that log and post back here with it.

• DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
• Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Then REBOOT.
Run a new HJT scan and post back with all three logs.
Judy

[tso127]

About restored HjT-files. I can't remember doing it, but it is possible that I have fixed some items and those backups were lost when i installed the newer version of HjT and deleted the old one. This is very unlikely though. However, at the moment I've restored ALL the items from HjT's "View the list of backups" option. Come to think of it, I remember seeing some "file missing" items on my previous HjT logs, belonging to avast IIRC. But those files were just probably lost because I've reinstalled the avast.

Renaming the programs helped. Thanks.

BUT I couldn't remember the admin password when I tried to log in with it in safe mode. So, I ran SDFix with normal user and the log file revealed it couldn't perform deep scan. How important is it, the deep scan - do i need to regain the admin pw somehow? There seemed to be lots of advices on the net how to do it, hopefully safely.

Here's the logs:

SDFix: Version 1.240
Run by Juho on ke 03.12.2008 at 15:22

Microsoft Windows XP [versio 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\system32\TDSStkdv.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSofxh.dll
Could Not Remove C:\WINDOWS\system32\TDSSbrsr.dll
Could Not Remove C:\WINDOWS\system32\TDSSriqp.dll
Could Not Remove C:\WINDOWS\system32\TDSScfum.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 15:28:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Juho\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\StrongDC++\\StrongDC.exe"="C:\\Program Files\\StrongDC++\\StrongDC.exe:*:Enabled:StrongDC ++"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Documents and Settings\\Juho\\Ty”p”yt„\\utorrent.exe"="C:\\Docum ents and Settings\\Juho\\Ty”p”yt„\\utorrent.exe:*:Enabled:æ Torrent"
"C:\\Program Files\\LabF.com\\WinaXe_Plus\\Xwppeg.exe"="C:\\Pro gram Files\\LabF.com\\WinaXe_Plus\\Xwppeg.exe:*:Enabled :xwppeg"
"C:\\Program Files\\LabF.com\\WinaXe_Plus\\Xserver.exe"="C:\\Pr ogram Files\\LabF.com\\WinaXe_Plus\\Xserver.exe:*:Enable d:Xserver"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessen ger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessen ger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr .exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\H elpCtr.exe:*:Enabled:Et„tuki - Windows Messenger ja „„niyhteys"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"D:\\Pelit\\D II\\D2Loader-1.11b.exe"="D:\\Pelit\\D II\\D2Loader-1.11b.exe:*:Enablediablo II"
"D:\\Pelit\\NwN 2\\nwn2main.exe"="D:\\Pelit\\NwN 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"D:\\Pelit\\NwN 2\\nwn2main_amdxp.exe"="D:\\Pelit\\NwN 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"D:\\Pelit\\NwN 2\\nwupdate.exe"="D:\\Pelit\\NwN 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"D:\\Pelit\\NwN 2\\nwn2server.exe"="D:\\Pelit\\NwN 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessen ger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessen ger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

C:\WINDOWS\system32\TDSSofxh.dll Found
C:\WINDOWS\system32\TDSSbrsr.dll Found
C:\WINDOWS\system32\TDSSriqp.dll Found
C:\WINDOWS\system32\TDSScfum.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 1 Nov 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!





Malwarebytes' Anti-Malware 1.30
Database version: 1454
Windows 5.1.2600 Service Pack 3

3.12.2008 16:08:52
mbam-log-2008-12-03 (16-08-52).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 111564
Time elapsed: 34 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSSbrsr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS4f24.tmp (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS53e7.tmp (Trojan.TDSS) -> Delete on reboot.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:18:46, on 3.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ntvdm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 3DO Registration.lnk = D:\Pelit\HoMM 3\Register\Remind32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SSH Tectia Broker.lnk = C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6413 bytes


Oh, I didn't mention my first post that avast and a-squared both found few troijans and I quaranteed them.

[jholland1964]

I think everything looks good. What SDFix didn't remove in normal mode then MBA-M did remove, as long as you rebooted the computer. If you didn't of course do so now.
Your HJT log also looks good too. You need to update your Java program as yours is way out of date, this can lead to security issues so it should be kept up to date.
First thing to do is go HERE to download the latest version. Choose the Offline Install file. Download and save it to the desktop.
Once it is downloaded then go to Start, Control Panel, Add/Remove. Uninstall ALL old versions of Java that you see there. Once the uninstall is complete then go to that java install file on the desktop and double click to install. A word of caution here, pay close attention to the different pages that are displayed there in that java install program. Now on one of them is a box, with a check mark in it, which will allow the install of the Yahoo tool bar, TAKE THAT CHECK MARK OUT OF THERE. That way you won't end up with that on your browser. It is more trouble than it is worth.
Then allow the installation to proceed. Once it is complete then go back to that download page link I just gave you and on the Right side of the page you should see Verify Now. Click that to go to the test page to verify the installation was completed correctly.
Judy

[tso127]

Done.

Everything seems to be ok now.

Thanks for your help Judy. Much appreciated.

[jholland1964]

Glad I could be of help.
Judy