Broadcaster Will Drive Me Crazy ...
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
AhmattoO
I can't get rid of this trojan. Scanned with Kaspersky - nothing, I've tried everything. What this trojan does is open up IE at random times and take me to sites like Broadcaster, Amaena, and some sites that want me to download fake antiviruses. Please help. Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:25:34 AM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\DAP\DAP.EXE
D:\Documents and Settings\Ahmad\My Documents\My Completed Downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.net.sy:3128
O2 - BHO: (no name) - {2E9EF1F8-F91F-4BC9-9CBE-691CC29E7843} - D:\WINDOWS\system32\rfvshfqc.dll (file missing)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - D:\WINDOWS\system32\awtqrop.dll
O2 - BHO: (no name) - {A10D8BFF-27FF-4365-9666-1DFD5963FC96} - D:\WINDOWS\system32\jkhhf.dll
O2 - BHO: (no name) - {B7F10FA8-4E8A-4C5D-966C-653DACADF02C} - D:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - D:\WINDOWS\system32\jwvdflif.dll (file missing)
O4 - HKLM\..\Run: [LanzarP2006] "D:\DOCUME~1\Ahmad\LOCALS~1\Temp\{46F920BB-78D1-4E27-B654-333E4BBEE00B}\{EEBA9416-3207-47E0-9022-116440599DBC}\..\..\P2006tmp\Install.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "D:\WINDOWS\system32\nnetpeku.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FBFB18-0E9E-4B17-8118-E7C00E6C0731}: NameServer = 192.168.2.14 192.168.2.9
O20 - Winlogon Notify: awtqrop - D:\WINDOWS\SYSTEM32\awtqrop.dll
O20 - Winlogon Notify: jkhhf - D:\WINDOWS\system32\jkhhf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Browseui preloader - {240E2B94-741E-4513-B66A-60EC26A9EF26} - D:\WINDOWS\system32\ieframe.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - D:\WINDOWS\system32\ieframe.dll
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3884 bytes
Benjamin

Hello AhmattoO,

I can see that you are now really having lots of problems. A serious malware has infected your computer. As I can see it, you have been using Nokia software to transfer files from your computer to your handphone. I suspect your phone may have a virus that sends files from your phone to your computer, which makes it more malware. I also see that you are running Yahoo Messenger and MSN Messenger. I would strongly encourage you to uninstall them to make sure no one sends files to you. Yahoo and MSN do connect with Broadcaster, YouTube and many more fake antivirus software without letting you know, and install it in your computer secretly without you knowing. This kind of bug will not be shown inside CCleaner or even Add or Remove Programs located inside Control Panel. It will be at the C:\



Also run HijackThis on your computer when you are on. Make sure that you don't turn on any program except those that launch at startup. Scan your computer and fix the items below.


O2 - BHO: (no name) - {2E9EF1F8-F91F-4BC9-9CBE-691CC29E7843} - D:\WINDOWS\system32\rfvshfqc.dll (file missing)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - D:\WINDOWS\system32\awtqrop.dll
O2 - BHO: (no name) - {A10D8BFF-27FF-4365-9666-1DFD5963FC96} - D:\WINDOWS\system32\jkhhf.dll
O2 - BHO: (no name) - {B7F10FA8-4E8A-4C5D-966C-653DACADF02C} - D:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - D:\WINDOWS\system32\jwvdflif.dll (file missing)



Put a tick beside these items in HijackThis.

And click the Fix button. After fixing, remember to restart your computer.

After restarting your computer, scan your computer again with HijackThis.

Post your next hijackthis log in your next reply.

Benjamin
AhmattoO
Thanks for helping me..

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:03:39 PM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\system32\wuauclt.exe <<<<<<<<<<" is this normal ? "
D:\Documents and Settings\Ahmad\My Documents\My Completed Downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.net.sy:3128
O4 - HKLM\..\Run: [LanzarP2006] "D:\DOCUME~1\Ahmad\LOCALS~1\Temp\{46F920BB-78D1-4E27-B654-333E4BBEE00B}\{EEBA9416-3207-47E0-9022-116440599DBC}\..\..\P2006tmp\Install.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "D:\WINDOWS\system32\nnetpeku.dll",realset <<<<<< " Is This normal?"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FBFB18-0E9E-4B17-8118-E7C00E6C0731}: NameServer = 192.168.2.14 192.168.2.9 <<<<<<<< " Is This Normal ? "
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Browseui preloader - {240E2B94-741E-4513-B66A-60EC26A9EF26} - D:\WINDOWS\system32\ieframe.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - D:\WINDOWS\system32\ieframe.dll
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3298 bytes
Oldfrog
Whoa, let's hold on here for a minute.

Benjamin, my apologies if I offend you, but I don't know you from anywhere else on the net and find that you asked for help removing this same infection from your own system in this topic just a couple of days ago and asked in another if your log was clean after that. I can appreciate your enthusiasm but HJT can cause serious system damage if used incorrectly and some of the other tools you were instructed to employ can cause even more. Have you been trained in malware removal at a reputable site? If so, I apologize. If not, please do not run the risk of damaging someone else's system.

AhmattoO: I suggest that you wait until you receive assistance from someone with the Volunteer Security Advisor label under their name. Those of us in that group know our capabilities and limitations and will not try to assist you unless we know that we are capable. I can't assist you with this particular problem but am sure that one of my colleagues can. I can answer a couple of your questions.
QUOTE
D:\WINDOWS\system32\wuauclt.exe <<<<<<<<<<" is this normal ? "

Yes, wuauclt.exe is the Windows Update utility and is running because there are Windows updates available for installation. This past Tuesday was the "Patch Tuesday" for June.
QUOTE
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FBFB18-0E9E-4B17-8118-E7C00E6C0731}: NameServer = 192.168.2.14 192.168.2.9 <<<<<<<< " Is This Normal ? "

It doesn't look normal, no. I would have to know more about it before saying for sure, though. The addresses shown are in the private address space and are not routable. Are you on a network where other devices may have these addresses?
QUOTE
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "D:\WINDOWS\system32\nnetpeku.dll",realset <<<<<< " Is This normal?"

That looks quite abnormal to me. I suggest, however, that you wait for one of my colleagues to assist you further.
AhmattoO
Thanks ..
I am waiting for your help ..
miekiemoes
Hi AhmattoO,

Do next please...

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
miekiemoes
Extra note to answer some previous questions..

QUOTE
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FBFB18-0E9E-4B17-8118-E7C00E6C0731}: NameServer = 192.168.2.14 192.168.2.9 <<<<<<<< " Is This Normal ? "
Yes, it's normal; this is your Router IP. More info here:
http://compnetworking.about.com/od/working...outeripaddr.htm
This all depends what router you are using.

QUOTE
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "D:\WINDOWS\system32\nnetpeku.dll",realset <<<<<< " Is This normal?"
As Oldfrog already said, it's a bad entry and needs to go. But performing my steps with Combofix should normally already delete that entry + related file.
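A small triage script, added here as an illustration and not part of the thread or of HijackThis itself, that parses lines in the HijackThis format shown above and flags the kinds of entries the helpers singled out: unnamed or missing-file O2 BHOs, O20 Winlogon Notify DLLs, an O4 Run entry that loads a DLL through rundll32, and an IE ProxyServer setting. The rules are my own heuristics and produce review hints for a human, not verdicts; the sample lines are copied from the log above, and the O17 and O23 lines are included to show they are left alone.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted
# in this thread (raw string, so the backslashes in the paths survive).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.net.sy:3128
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - D:\WINDOWS\system32\awtqrop.dll
O2 - BHO: (no name) - {B7F10FA8-4E8A-4C5D-966C-653DACADF02C} - D:\WINDOWS\system32\vtstq.dll (file missing)
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "D:\WINDOWS\system32\nnetpeku.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FBFB18-0E9E-4B17-8118-E7C00E6C0731}: NameServer = 192.168.2.14 192.168.2.9
O20 - Winlogon Notify: awtqrop - D:\WINDOWS\SYSTEM32\awtqrop.dll
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
""".strip()

# Every HJT entry starts with its section code (R0/R1, O2, O4, ...) and " - ".
HJT_LINE = re.compile(r"^(R\d|O\d+) - (.*)$")
# "rundll32.exe "<path>.dll",<export>" inside an O4 Run entry.
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s+"?[^",]+\.dll"?\s*,', re.I)


def parse_entry(line):
    """Split one HJT line into (section, body); None for headers, blanks, process list."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def flags_for(section, body):
    """Return the list of review reasons for one entry; an empty list means nothing notable."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("points to a file that no longer exists")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        reasons.append("Winlogon Notify DLL (loaded at every logon)")
    if section == "O4" and RUNDLL_RE.search(body):
        reasons.append("Run entry loads a DLL via rundll32")
    if section == "R1" and body.partition("ProxyServer =")[2].strip():
        reasons.append("IE proxy server configured")
    return reasons


def triage(log_text):
    """Map every entry that has at least one reason to its reasons."""
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        reasons = flags_for(*parsed)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("    ->", r)
```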
AhmattoO
This is the ComboFix log:
ComboFix 07-06-13.3 - D:\Documents and Settings\Ahmad\My Documents\My Completed Downloads\ComboFix.exe
"Ahmad" - 2007-06-15 3:16:57 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\system32\nnetpeku.dll
D:\WINDOWS\system32\ukeptenn.ini
D:\WINDOWS\system32\qtstv.ini
D:\WINDOWS\system32\qtstv.tmp
D:\WINDOWS\system32\qtstv.bak1
D:\WINDOWS\system32\qtstv.bak2
D:\WINDOWS\system32\qtstv.ini2
D:\WINDOWS\system32\fhhkj.ini
D:\WINDOWS\system32\fhhkj.tmp
D:\WINDOWS\system32\fhhkj.bak1
D:\WINDOWS\system32\fhhkj.ini2
D:\WINDOWS\system32\fhhkj.bak2
D:\WINDOWS\system32\qtstv.ini
D:\WINDOWS\system32\qtstv.tmp
D:\WINDOWS\system32\qtstv.bak1
D:\WINDOWS\system32\qtstv.bak2
D:\WINDOWS\system32\qtstv.ini2
D:\WINDOWS\system32\fhhkj.ini
D:\WINDOWS\system32\fhhkj.tmp
D:\WINDOWS\system32\fhhkj.bak1
D:\WINDOWS\system32\fhhkj.ini2
D:\WINDOWS\system32\fhhkj.bak2


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))


2007-06-15 03:16 49,152 --a------ D:\WINDOWS\nircmd.exe
2007-06-13 10:13 <DIR> d-------- D:\Program Files\CCleaner
2007-06-12 00:11 26,752 -ra------ D:\WINDOWS\system32\drivers\ShldDrv.sys
2007-06-12 00:11 163,856 -ra------ D:\WINDOWS\system32\drivers\PavProc.sys
2007-06-10 10:33 9,488 --a------ D:\WINDOWS\system32\sporder.dll
2007-06-10 10:33 158,200 --a------ D:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-06-10 10:33 <DIR> d-------- D:\Program Files\Panda Software
2007-06-10 10:26 <DIR> d-------- D:\Program Files\XoftSpy
2007-06-09 11:49 <DIR> d-------- D:\Program Files\Adware & Spyware Firewall
2007-06-08 22:59 225,508 --a------ D:\WINDOWS\system32\mljji.dll
2007-05-28 02:13 <DIR> d-------- D:\Program Files\Pokemon PC 2.0
2007-05-26 14:26 <DIR> d-------- D:\Program Files\BitComet
2007-05-26 13:01 <DIR> d-------- D:\Program Files\uTorrent
2007-05-26 13:01 <DIR> d-------- D:\DOCUME~1\Ahmad\APPLIC~1\uTorrent
2007-05-26 12:04 <DIR> d-------- D:\Program Files\ooVoo
2007-05-26 12:04 <DIR> d-------- D:\DOCUME~1\Ahmad\APPLIC~1\InstallShield
2007-05-25 23:55 <DIR> d--hs---- D:\FOUND.002
2007-05-25 22:41 <DIR> d-------- D:\Program Files\Speed Gear 5
2007-05-22 01:34 <DIR> d-------- D:\Program Files\Billionaire
2007-05-16 22:58 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-14 12:42:22 -------- d-----w D:\Program Files\BrainWave Generator
2007-05-12 13:59:02 -------- d-----w D:\Program Files\STB Wizard
2007-05-02 12:44:48 -------- d-----w D:\Program Files\Reallusion
2007-05-02 12:43:26 -------- d-----w D:\Program Files\ORITE
2007-04-28 12:45:10 -------- d-----w D:\Program Files\FollowMe
2007-04-28 12:39:24 -------- d-----w D:\Program Files\Ace Translator
2007-04-28 12:33:30 -------- d-----w D:\Program Files\Pwndsoft
2007-04-22 12:27:14 -------- d-----w D:\DOCUME~1\Ahmad\APPLIC~1\Weather Studio
2007-04-21 01:07:58 -------- d-----w D:\DOCUME~1\Ahmad\APPLIC~1\Nokia Multimedia Player


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanzarP2006"="D:\DOCUME~1\Ahmad\LOCALS~1\Temp\{46F920BB-78D1-4E27-B654-333E4BBEE00B}\{EEBA9416-3207-47E0-9022-116440599DBC}\..\..\P2006tmp\Install.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=D:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=D:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{240E2B94-741E-4513-B66A-60EC26A9EF26}"="%SystemRoot%\system32\ieframe.dll" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders , digest.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e233666-9b4d-11db-bc24-d5075ae14b08}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d5b221e-e505-11db-bcad-b6621f667dbc}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab5d3cc0-87e0-11db-bbf7-b48621f624bd}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- H:\Recycled\ctfmon.exe


Contents of the 'Scheduled Tasks' folder
2007-06-10 08:31:18 D:\WINDOWS\tasks\XoftSpy.job
2007-06-15 01:19:48 D:\WINDOWS\tasks\XoftSpySE 2.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-15 03:20:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-15 3:22:31 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2007-06-15 03:21

--- E O F ---
--------------------------------------------------------------------------------------------------------
and this is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:35:32 AM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Ahmad\My Documents\My Completed Downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.net.sy:3128
O4 - HKLM\..\Run: [LanzarP2006] "D:\DOCUME~1\Ahmad\LOCALS~1\Temp\{46F920BB-78D1-4E27-B654-333E4BBEE00B}\{EEBA9416-3207-47E0-9022-116440599DBC}\..\..\P2006tmp\Install.exe" /SETUP:"/l0x0009" <<< is This Normal?
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FBFB18-0E9E-4B17-8118-E7C00E6C0731}: NameServer = 192.168.2.14 192.168.2.9
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Browseui preloader - {240E2B94-741E-4513-B66A-60EC26A9EF26} - D:\WINDOWS\system32\ieframe.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - D:\WINDOWS\system32\ieframe.dll
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 2914 bytes
miekiemoes
Hi,

Your log looks ok.

Navigate to and delete next file:

D:\WINDOWS\system32\mljji.dll

Delete next folder:

D:\Qoobox

QUOTE
O4 - HKLM\..\Run: [LanzarP2006] "D:\DOCUME~1\Ahmad\LOCALS~1\Temp\{46F920BB-78D1-4E27-B654-333E4BBEE00B}\{EEBA9416-3207-47E0-9022-116440599DBC}\..\..\P2006tmp\Install.exe" /SETUP:"/l0x0009" <<< is This Normal?
This is related with Panda Antivirus. It looks like you installed/uninstalled it, but never properly finished, that's why this entry is present.
You may check and fix that entry in HijackThis.

Also do next..

Go to start > run and copy and paste next command in the field:

sc delete PavPrSrv
Hit Enter.

I also see you were dealing with a flashdrive infection previously, so do next..
* Download next removal tool to your desktop:
http://www.techsupportforum.com/sectools/s...Disinfector.exe
If you have any flashdrives being used previously, since this is a flashdrive infection, insert your flashdrive as well, because above tool will disinfect it as well.
Then doubleclick the Flash_Disinfector.exe to run the tool.
Your desktop and icons will disappear afterwards. This is normal.
When the tool has finished, reboot your computer.

Then, open Notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

QUOTE
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e233666-9b4d-11db-bc24-d5075ae14b08}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d5b221e-e505-11db-bcad-b6621f667dbc}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab5d3cc0-87e0-11db-bbf7-b48621f624bd}]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this:
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Let me know in your next reply how things are now...
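The fix.reg above removes the three MountPoints2 keys whose AutoRun and Open handlers point at a Recycled\ctfmon.exe, which is how the flash-drive infection gets launched when the drive is opened. As an added example that is not part of the thread, the script below reads the "Reg Loading Points" MountPoints2 block in the ComboFix format shown earlier, keeps only the keys whose handlers launch an executable from a Recycled folder, and writes the same REGEDIT4 text (a leading "-" inside the brackets tells regedit to delete the key). The sample block is copied from the ComboFix log above plus one constructed benign key to show it is left alone.

```python
import re

# Constructed sample: the MountPoints2 keys from the ComboFix log in this thread,
# plus one made-up key (the 1111... GUID) with a harmless handler.
COMBOFIX_SNIPPET = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e233666-9b4d-11db-bc24-d5075ae14b08}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d5b221e-e505-11db-bcad-b6621f667dbc}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab5d3cc0-87e0-11db-bbf7-b48621f624bd}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- H:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
AutoRun\command- E:\setup.exe
"""

# A MountPoints2 key header as ComboFix prints it: [HKEY_...\mountpoints2\{guid}]
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# A handler line: "<verb>\command- <command line>"
CMD_RE = re.compile(r"^(?P<verb>[^-]+\\command)-\s*(?P<cmd>.+)$", re.I)
# Any executable launched from a "Recycled" folder, with or without a drive letter.
SUSPECT_RE = re.compile(r"(^|[\\\s])recycled\\[^\\\s]+\.exe", re.I)


def parse_mountpoints(text):
    """Return {key_path: {verb: command}} for every MountPoints2 key in the snippet."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None   # other registry keys are ignored
            if current:
                keys[current] = {}
            continue
        m = CMD_RE.match(line)
        if current and m:
            keys[current][m.group("verb")] = m.group("cmd")
    return keys


def suspicious_keys(keys):
    """Keys whose AutoRun/Open handlers launch an executable out of a Recycled folder."""
    return [k for k, verbs in keys.items()
            if any(SUSPECT_RE.search(cmd) for cmd in verbs.values())]


def build_fix_reg(key_paths):
    """REGEDIT4 text that deletes each key; CRLF line ends and a trailing blank line as regedit expects."""
    lines = ["REGEDIT4", ""]
    for key in key_paths:
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    bad = suspicious_keys(parse_mountpoints(COMBOFIX_SNIPPET))
    reg_text = build_fix_reg(bad)
    # REGEDIT4 is the ANSI format, so write it as plain bytes rather than UTF-8 with a BOM.
    with open("fix.reg", "wb") as fh:
        fh.write(reg_text.encode("ascii"))
    print(reg_text)
```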
AhmattoO
THANK you very much
but there are some questions I'd like to ask you about
1. When I restart the PC, Kaspersky doesn't run at startup. Is there a way to make it run without uninstalling it?
2. How do I make sure when I plug in the flash drive not to have these files again on my PC?
3. The problem that I am having started with my laptop, and it moved by flash drive to my PC, so can I post the laptop HijackThis log and ComboFix log here or open a new topic?
4. Which are the best antivirus, anti-spy, firewall and antimalware programs that you recommend me to have?
miekiemoes
QUOTE
1. When I restart the PC, Kaspersky doesn't run at startup. Is there a way to make it run without uninstalling it?
Best way is still by reinstalling it, because it looks like some related components are corrupted/missing.
By the way, you are still using an older version of kaspersky. I suggest you update to the latest version which has improved A LOT.
Or you can install another Antivirus instead. By the way, Active Virus Shield is powered by Kaspersky and for free - latest version and signatures.
Look in my signature below for the ones I recommend.
Another great free Antivirus is Avira Antivirus - This is my personal favorite. It's great in detection and removal.

QUOTE
2. How do I make sure when I plug in the flash drive not to have these files again on my PC?
I assume you followed my instructions and plugged in your flashdrive while using the Flash Disinfector? This is because Flash Disinfector creates a dummy folder called autorun.inf, in order to prevent it spreading.
Also, while your flashdrive is inserted, you'll have to perform a full scan with your Antivirus and make sure it scans your flashdrive as well.

Yes, for your laptop, it may be better to start a new thread for that. Me or someone else will help you asap. I'll be quite busy for a couple of days now with other stuff, so most probably someone else will help you.
AhmattoO
Thank you very much
you are a genius ..
I wish you were the one who solves my laptop prob..
anyway, I don't know how to thank you ..
Thanks a lot..
miekiemoes
Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AhmattoO
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:48:47 AM, on 6/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
E:\Programs\Protection\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FBFB18-0E9E-4B17-8118-E7C00E6C0731}: NameServer = 82.137.208.1 62.140.73.2
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Browseui preloader - {240E2B94-741E-4513-B66A-60EC26A9EF26} - D:\WINDOWS\system32\ieframe.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - D:\WINDOWS\system32\ieframe.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 2809 bytes
miekiemoes
Hi,

Why are you posting this log?
AhmattoO
Another problem on my PC .. in My Computer, when I double click any hard drive C or E or F it gives me an error message,
and when I right click on one of them I find two Open entries, one looks like this > Open(0)
and it's bold, and the other is maybe the fourth in order and it's normal without 0 next to it.
How can I fix that .. it's on my PC and on the laptop.
miekiemoes
Can you post a new Combofix log please? Guess you never created the fix.reg properly previously.
miekiemoes
Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.