There is definitely a problem- now to find where it is! There are no dates in the Eset log except for 2001, 2002 and 2004. These appear to have been infections in the Outlook Express store folders. I'd like you to delete the current Eset log entirely, then update and rescan with it, and furnish a new log.
--------------------------------------
According to the current Eset log, you have been storing email that was infected with Viruses, Worms and Trojans. I can have you remove these store folders- OE will create new ones, but I'd like to see another log which hopefully will show current infections more clearly.
-------------------------------------
As for this:
When ComboFix displayed "Preparing Log Report. Do not run any programs until ComboFix has finished." I unplugged the machine from the Internet.
It appears that you may have interrupted Combofix before it had finished.
-----------------------------------
Please reopen HijackThis and choose 'Do a system scan only.' Check the following entries if present. Optional removals are in green. Please consider them.
Do you need to have this fax start on boot? If so, leave. If not, check for HJT to remove.
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R>> eFax Messenger from j2 Global Communications Europe.
Are you connecting remotely to your PC? If so, leave the following 2 entries. If you are not, check to have HJT remove:
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
(ExpertCity GoToMyPc logon - web-based remote-access solution that allows individuals and companies to register their computers online and then securely access those computers from any web browser)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [hpbdfawep] "C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" 1
O4 - HKLM\..\Run: [HP OfficeJet T Series] "C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet T Series\Install">> initializes the Office Jet manager each time the computer is booted up or rebooted
O4 - Startup: Microtek Scanner Finder.lnk = ?
O4 - Startup: NkvMon.exe.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: eFax 4.3.lnk = ?
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} - >> MWSearch spyware
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - >> web conferencing through Cisco WebEx
There are 2 of the following processes running. They are for a file indexing system on the OS. The process is known to be a very high resource user and we usually recommend stopping this:
C:\WINDOWS\system32\cidaemon.exe>> See Option 1
C:\WINDOWS\system32\cidaemon.exe
Option 1: From Microsoft:
* The current CPU utilization is high.
* The size of the pagefile may be as large as 1.2 GB or more.
* The Cidaemon.exe process uses lots of pagefile space and lots of CPU time.
The Cidaemon.exe process builds and updates the Index catalog. Additionally,
the Cidaemon.exe process typically uses lots of pagefile space and lots of CPU time.
To resolve the issue,
turn off the Indexing service. To turn off the Indexing service, follow these steps:
[1]. Double-click My Computer, point to Explorer Bar on the View menu, and then click Search.
[2]. Click Change preferences, and then click Without Indexing Service.
[3]. Click No, do not enable Indexing Service, and then click OK.
Close all Windows except HijackThis and click on
"Fix Checked."
About s882388>> Troj/Zbot-LA communicates via HTTP with the following locations: IP 91.213.94.131. As I mentioned previously, this is for the Bogonet-net in Poland
Troj/Zbot-LA includes functionality to:
- copy itself to the folder
- run automatically
- create batch scripts
- access the internet and communicate with a remote server via HTTP
For your own protection, I suggest you download Autoruns and Autorunsc: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
You can use the Command Prompt when you run the program to show the results you want.
Notes from Combofix: you have some very old files still on the machine- files going back to 1999. You are advised to review these files and delete or uninstall any that are not currently needed. There are still entries from Symantec, dated 2003.
It appears that you have given all your programs- including games, internet access to go through the firewall. This presents a vulnerability to you.
There is a lot here to digest. You may have handled some of it after my corrupted reply. I would like you to delete the current Eset log and the current Combofix log from your desktop. Then run each program again and provide new logs. Rescan with HJT and include the new log.
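The entries above follow the fixed HijackThis line formats (O4 run keys and startup folders, O23 services, R1 Internet Explorer settings, O16 downloaded ActiveX controls). The parser below is an added example, not part of the post and not HijackThis code: it turns such lines into structured records and attaches the kind of review prompts a helper works through (executable location, unresolved shortcut targets, ActiveX controls with no recorded source). The sample log is constructed from the entry shapes quoted in the post; the record fields, the `TRUSTED_DIRS` list and the note wording are assumptions of this example.

```python
"""Parse HijackThis-style log lines into reviewable records (hypothetical helper)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, mirroring the entry formats quoted in the post.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [hpbdfawep] "C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" 1
O4 - Startup: Microtek Scanner Finder.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\[\w\\]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<folder>(?:Global )?Startup): (?P<name>.+?) = (?P<target>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+) - (?P<path>[A-Za-z]:\\.*)$")
IE_RE = re.compile(r"^(?P<key>HK\w+\\[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: - ?(?P<url>.*))?$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)
# Assumed "expected" install locations; anything else gets a closer look.
TRUSTED_DIRS = ("\\program files\\", "\\windows\\")


@dataclass
class Entry:
    code: str                 # HijackThis section code, e.g. "O4", "R1"
    kind: str                 # run_key, startup_folder, service, ie_setting, activex, unparsed
    name: str                 # value name, shortcut name, service name, CLSID or IE value
    location: str             # registry key, startup folder, vendor string or DPF marker
    target: str               # command line, shortcut target, path, URL or registry data
    exe: Optional[str]        # executable path extracted from target, if any
    notes: List[str] = field(default_factory=list)


def _exe(text: str) -> Optional[str]:
    m = EXE_RE.search(text)
    return m["path"] if m else None


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # blank line or non-entry text
    code, body = m["code"], m["body"].rstrip()
    if code == "O4":
        r = RUN_RE.match(body)
        if r:
            return Entry(code, "run_key", r["name"], r["key"], r["cmd"], _exe(r["cmd"]))
        s = STARTUP_RE.match(body)
        if s:
            return Entry(code, "startup_folder", s["name"], s["folder"], s["target"], _exe(s["target"]))
    elif code == "O23":
        s = SERVICE_RE.match(body)
        if s:
            return Entry(code, "service", s["name"], s["vendor"], s["path"], _exe(s["path"]))
    elif code in ("R0", "R1"):
        i = IE_RE.match(body)
        if i:
            return Entry(code, "ie_setting", i["value"], i["key"], i["data"], None)
    elif code == "O16":
        d = DPF_RE.match(body)
        if d:
            return Entry(code, "activex", d["clsid"], "Downloaded Program Files", d["url"] or "", None)
    return Entry(code, "unparsed", "", "", body, _exe(body))


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def review(entries: List[Entry]) -> List[Entry]:
    """Attach review prompts for a human; these are questions, not verdicts."""
    for e in entries:
        if e.exe and not any(d in e.exe.lower() for d in TRUSTED_DIRS):
            e.notes.append("executable outside Program Files or Windows; verify publisher and origin")
        if e.kind == "startup_folder" and e.target == "?":
            e.notes.append("shortcut target not resolved; inspect the .lnk before deciding")
        if e.kind == "activex" and not e.target:
            e.notes.append("ActiveX control with no source URL recorded; identify the CLSID")
        if e.kind == "ie_setting" and e.name == "ProxyOverride":
            e.notes.append("proxy bypass list set; confirm it is intentional")
        if e.kind == "ie_setting" and e.name == "(Default)" and "SearchURL" in e.location:
            e.notes.append("non-default IE search URL; reset if it was not set on purpose")
    return entries


def summarize(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.kind for e in entries))


if __name__ == "__main__":
    for e in review(parse_log(SAMPLE_LOG)):
        print(f"{e.code:<4}{e.kind:<15}{e.name:<45}{' | '.join(e.notes) or 'no notes'}")
```

Run it as-is to see the table for the constructed sample, or pass a saved HijackThis log to `parse_log`. The executable-location check is deliberately coarse: a path under Program Files says nothing about the file's legitimacy, so the notes are prompts for the kind of entry-by-entry judgement made in the post, not an automatic decision.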