Thanks a lot for your reply. This computer belongs to a friend of mine, and as you can see he has not had any antivirus program installed. SP2 is not installed either.
After the last HijackThis log I posted, I have installed Norton Antivirus 2006 and run Spybot and Ad-Aware in addition to Ewido and a2, as you told me to do.
The logs of Ewido, a2 and HijackThis are posted below. Is it safe to install SP2 and other Windows updates now?
Again, thank you for helping me out on this case.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 13:36:02, 26.02.2006
+ Report-Checksum: 3C87450C
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd6f50c0-9f8f-a41c-291e-7b3fb818ef18} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f21bd77e-0cce-c6cd-4f85-aa3b7895988e} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff731508-cd28-e0b0-3e85-0cf55fde9fba} -> Adware.CoolWebSearch : Cleaned with backup
[1692] C:\WINDOWS\wupdmgr.exe -> Downloader.Small.ckc : Cleaned with backup
[1700] C:\WINDOWS\osaupd.exe -> Downloader.Small.ckc : Cleaned with backup
C:\WINDOWS\osaupd.exe -> Downloader.Small.ckc : Cleaned with backup
C:\WINDOWS\system32\birdasfihuy32.dll -> Proxy.Small.ct : Cleaned with backup
C:\WINDOWS\wupdmgr.exe -> Downloader.Small.ckc : Cleaned with backup
::Report End
a-squared Report
Scan started: 26.02.2006 17:17:12
Scan finished: 26.02.2006 17:30:34
Scan duration: 0h 13min 21sec
Scanned files: 87630
Infected files: 24
Object Diagnosis
C:\WINDOWS\system32\wstart.dll Trace.File.Agent
C:\WINDOWS\system32\cd_load.exe Trace.File.Cydoor
C:\WINDOWS\system32\ddmp.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\redirect.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\cd_clint.dll Trace.File.KaZaA
C:\WINDOWS\system32\bpkwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\systemwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\wstart.dll Trace.File.Agent
C:\WINDOWS\system32\cd_load.exe Trace.File.Cydoor
C:\WINDOWS\system32\ddmp.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\redirect.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\cd_clint.dll Trace.File.KaZaA
C:\WINDOWS\system32\bpkwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\systemwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\wstart.dll Trace.File.Agent
C:\WINDOWS\system32\cd_load.exe Trace.File.Cydoor
C:\WINDOWS\system32\ddmp.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\redirect.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\cd_clint.dll Trace.File.KaZaA
C:\WINDOWS\system32\bpkwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\systemwb.dll Trace.File.PersonalAntispy
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt Trace.TrackingCookie
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt Trace.TrackingCookie
C:\Documents and Settings\Administrator\Skrivebord\smitRem\Process.exe Riskware.RiskTool.Win32.Processor.20
Logfile of HijackThis v1.99.1
Scan saved at 17:34:26, on 26.02.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programfiler\Java\j2re1.4.2_10\bin\jusched.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\a-squared\a2start.exe
C:\Programmer\hijackthis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-716d74632608} - (no file)
O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programfiler\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [SHDOC] C:\WINDOWS\system32\shdocapi.exe home
O4 - HKLM\..\Run: [cme] #WINSYS#\cme.exe
O4 - HKLM\..\Run: [cmeupd] #WINSYS#\cmeupd.exe
O4 - HKLM\..\Run: [gmt] #WINSYS#\gmt.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] #WINSYS#\sysu.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/au ... s-i586.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{981C7B34-FFD9-49CD-BD5F-9B050E7B6BAC}: NameServer = 195.159.0.100 195.159.0.200
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
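Added example, not part of the post above and not HijackThis's own code: a small triage script that parses HijackThis-style log lines and flags the classes of entry a helper would normally ask about in a log like this one, namely O2/O18 registrations whose file is gone ("(no file)", "(file missing)"), O4 Run values that point at a "#WINSYS#" placeholder instead of a real path, O4 autoruns under system32 that are not on a short allowlist, and O23 services with "Unknown owner". The embedded sample is a subset of the log posted above; the allowlist of normal system32 autoruns (ctfmon.exe, igfxtray.exe, hkcmd.exe) is an assumption for this example, and a flag here means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass

# Subset of the HijackThis log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SHDOC] C:\WINDOWS\system32\shdocapi.exe home
O4 - HKLM\..\Run: [cme] #WINSYS#\cme.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] #WINSYS#\sysu.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# Assumption for this example: system32 autoruns that are normal on an XP box of this era.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe"}

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")   # "O4 - HKLM\..\Run: ..."
O4_RUN = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")         # "[Name] command line"


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    name: str    # value name, CLSID line or service line that was flagged
    reason: str  # why it deserves a look


def parse_entries(text):
    """Yield (kind, body) for every line that looks like a HijackThis entry."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def autorun_target(cmd):
    """Return the executable path from a Run value: quoted path, or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(text):
    findings = []
    for kind, body in parse_entries(text):
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(kind, body, "registration points at a file that no longer exists"))
        elif kind == "O4":
            m = O4_RUN.search(body)
            if not m:
                continue
            target = autorun_target(m.group("cmd"))
            if target.startswith("#"):
                findings.append(Finding(kind, m.group("name"),
                                        f"Run value uses placeholder path {target!r}, not a real file"))
            elif "\\windows\\system32\\" in target.lower() \
                    and target.lower().rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32_AUTORUNS:
                findings.append(Finding(kind, m.group("name"),
                                        f"autorun under system32 not on allowlist: {target}"))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(Finding(kind, body.split(" - ")[0],
                                    "service has no vendor recorded; verify the binary before trusting it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.name}\n     -> {f.reason}")
```

Run against the sample it reports seven entries: the two orphaned BHO CLSIDs, the SHDOC autorun, the two "#WINSYS#" Run values, the missing msnim handler and the WLTRYSVC service. Everything else in the sample (Adobe, Intel graphics, ctfmon, the Symantec entries) passes, which is the point: the script narrows the list to what a human should look at, it does not decide for them.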