
I keep getting newname, keyboard, and mousepad. How do I remove them?

Hello. I keep getting some strange files, such as minime, newname, etc. Attached is my HJT log. Spyware Doctor detected something, but said the objects keep coming back. Please help. Thank you!

Logfile of HijackThis v1.99.1
Scan saved at 8:23:08 PM, on 4/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\k4nv.exe
C:\WINDOWS\procinit.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\windrvrs32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\ACER\PSM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe
C:\WINDOWS\System32\mscommand.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hfsecure.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Fastband\bin\Fastband.exe
C:\Program Files\Fastband\bin\qcsvc.exe
C:\Program Files\Fastband\bin\qcsvc.exe
C:\Documents and Settings\mom\Desktop\runescape.exe
C:\WINDOWS\System32\bf4p.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\minime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mom\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planetprepaid.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\System32\awvtr.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MPS] C:\ACER\PSM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [cdman.exe] "C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe" /startup
O4 - HKLM\..\Run: [System Efficiency Monitor] mscommand.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TemplateDongle] lpt.exe
O4 - HKLM\..\Run: [stuffmon] new32.exe
O4 - HKLM\..\Run: [HF Security] hfsecure.exe
O4 - HKLM\..\Run: [dmewl.exe] C:\WINDOWS\System32\dmewl.exe
O4 - HKLM\..\Run: [Hlxozh] C:\Program Files\Ejnsw\Slbhtli.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [WinUpdate] C:\cmon.exe
O4 - HKLM\..\Run: [BF4P] C:\WINDOWS\System32\bf4p.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] c:\minime.exe
O4 - HKLM\..\Run: [newname] c:\windows\newname9.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad9.exe
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard9.exe
O4 - HKLM\..\RunServices: [System Efficiency Monitor] mscommand.exe
O4 - HKLM\..\RunServices: [HF Security] hfsecure.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Planet Prepaid Velocity Powered by Fastband.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: FlashFavorite - {4335F0BE-9AAF-4023-9929-681B937B814A} - C:\PROGRA~1\FLASHF~1\FFCom.dll
O9 - Extra 'Tools' menuitem: Flash Favorite - {4335F0BE-9AAF-4023-9929-681B937B814A} - C:\PROGRA~1\FLASHF~1\FFCom.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACFADA86-733F-43A2-9D74-1E9631740541}: NameServer = 69.50.176.156 195.225.176.31
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvtr - C:\WINDOWS\SYSTEM32\awvtr.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\l28mlcl11fq.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: K4NV - Unknown owner - C:\WINDOWS\k4nv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Process Initialization (procinit) - Unknown owner - C:\WINDOWS\procinit.exe
O23 - Service: QuikCAT Fastband service (QuikCAT) - QuikCAT Australia - C:\Program Files\Fastband\bin\qcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: windows drivers32 - Unknown owner - C:\WINDOWS\windrvrs32.exe

Comments

  • SpywareShooter
    edited April 2006
    [STEP 1] A quick favor:
    Before we begin removing malware I would like to ask you a small favor. Please go to http://virusscan.jotti.org and submit the file below for analysis and post the log here. This will help complete SpywareShooter.com's HijackThis entry database.

    C:\cmon.exe
    c:\minime.exe
    C:\WINDOWS\k4nv.exe
    C:\WINDOWS\procinit.exe

    [STEP 2] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
    O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\System32\awvtr.dll
    O4 - HKLM\..\Run: [System Efficiency Monitor] mscommand.exe
    O4 - HKLM\..\Run: [TemplateDongle] lpt.exe
    O4 - HKLM\..\Run: [stuffmon] new32.exe
    O4 - HKLM\..\Run: [HF Security] hfsecure.exe
    O4 - HKLM\..\Run: [dmewl.exe] C:\WINDOWS\System32\dmewl.exe
    O4 - HKLM\..\Run: [Hlxozh] C:\Program Files\Ejnsw\Slbhtli.exe
    O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
    O4 - HKLM\..\Run: [WinUpdate] C:\cmon.exe
    O4 - HKLM\..\Run: [BF4P] C:\WINDOWS\System32\bf4p.exe
    O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] c:\minime.exe
    O4 - HKLM\..\Run: [newname] c:\windows\newname9.exe
    O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad9.exe
    O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard9.exe
    O4 - HKLM\..\RunServices: [System Efficiency Monitor] mscommand.exe
    O4 - HKLM\..\RunServices: [HF Security] hfsecure.exe
    O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ACFADA86-733F-43A2-9D74-1E9631740541}: NameServer = 69.50.176.156 195.225.176.31
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: awvtr - C:\WINDOWS\SYSTEM32\awvtr.dll
    O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\l28mlcl11fq.dll (file missing)
    O23 - Service: K4NV - Unknown owner - C:\WINDOWS\k4nv.exe
    O23 - Service: Process Initialization (procinit) - Unknown owner - C:\WINDOWS\procinit.exe
    O23 - Service: windows drivers32 - Unknown owner - C:\WINDOWS\windrvrs32.exe
    [STEP 3] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\WINDOWS\System32\awvtr.dll
    mscommand.exe
    lpt.exe
    new32.exe
    hfsecure.exe
    C:\WINDOWS\System32\dmewl.exe
    sndcfg16.exe
    C:\cmon.exe
    C:\WINDOWS\System32\bf4p.exe
    c:\minime.exe
    c:\windows\newname9.exe
    c:\windows\mousepad9.exe
    c:\windows\keyboard9.exe
    C:\WINDOWS\k4nv.exe
    C:\WINDOWS\procinit.exe
    C:\WINDOWS\windrvrs32.exe

    [STEP 4] Remove Malicious Folders:
    Locate the following folders using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\PROGRAM FILES\TOOLBA~1\
    C:\Program Files\Ejnsw\

    [STEP 5] Run Additional Tools:
    Your computer is infected with malicious pieces of software known as Look2Me and WareOut. Removal of this software is much easier with tools created just for Look2Me and WareOut removal. Please download L2MFix and FixWareout from the links below to your desktop and post the logs they give:

    http://www.downloads.subratam.org/l2mfix.exe
    http://downloads.subratam.org/Fixwareout.exe

    [STEP 6] Report Back to us:
    Once you have followed all of the steps above, please reboot your computer and post a new HijackThis log.
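    A small triage script, added here and not part of the original thread or of HijackThis itself, that parses O4 and O23 lines in the format of the log above and flags the launch patterns the fix list targets: bare filenames with no directory, executables sitting in the drive root or the Windows root, RunServices entries, and services with no publisher. The sample lines are copied from the log above; the heuristics are assumptions for triage, not rules HijackThis applies.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [RemoteControl] "C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe"
O4 - HKLM\\..\\Run: [System Efficiency Monitor] mscommand.exe
O4 - HKLM\\..\\Run: [WinUpdate] C:\\cmon.exe
O4 - HKLM\\..\\Run: [newname] c:\\windows\\newname9.exe
O4 - HKLM\\..\\RunServices: [HF Security] hfsecure.exe
O23 - Service: K4NV - Unknown owner - C:\\WINDOWS\\k4nv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\SAVScan.exe
"""

O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')


def executable_path(cmd):
    """Return the program path from an O4 command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ')[0]


def triage(log_text):
    """Return (line, reasons) pairs for autostart entries worth a second look (heuristics assumed)."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = executable_path(m.group('cmd'))
            low = path.lower()
            reasons = []
            if '\\' not in path:
                reasons.append('bare filename, no directory')  # resolved by path search at logon
            elif low.startswith('c:\\') and low.count('\\') == 1:
                reasons.append('runs from drive root')
            elif low.startswith('c:\\windows\\') and low.count('\\') == 2:
                reasons.append('runs from Windows root')
            if 'runservices' in m.group('key').lower():
                reasons.append('RunServices key')  # Win9x-era key, rarely used by current software
            if reasons:
                findings.append((line, reasons))
            continue
        m = O23_RE.match(line)
        if m and m.group('owner') == 'Unknown owner':
            findings.append((line, ['service with no publisher']))
    return findings
```

Entries that survive a "Fix Checked" and come back after reboot, as in this thread, point at a second component re-creating them, which is why the helper also asks for the L2MFix and FixWareout logs.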
  • File: minime.exe
    Status: INFECTED/MALWARE
    MD5 bd277dad7a02b133dbc8a7d85bfe171e
    Packers detected: PE_PATCH.UPX, UPX
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found BehavesLike:Trojan.FirewallBypass (probable variant)
    ClamAV Found nothing
    Dr.Web Found BACKDOOR.Trojan (probable variant)
    F-Prot Antivirus Found nothing
    Fortinet Found W32/Agent.FP!tr
    Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Agent.jr
    NOD32 Found probably a variant of Win32/TrojanProxy.Agent.FP (probable variant)
    Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

    * File length: 6144 bytes.

    [ Changes to registry ]
    * Creates value "Anti-Virus Update Scheduler"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    * Creates key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
    * Sets value "c:\sample.exe"="c:\sample.exe:*:Enabled:Server" in key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
    * Creates key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List".
    * Sets value "c:\sample.exe"="c:\sample.exe:*:Enabled:Server" in key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List".

    [ Network services ]
    * Connects to "195.49.141.24" on port 10100 (UDP).
    * Sends data stream (2 bytes) to remote address "195.49.141.24", port 10100.

    [ Security issues ]
    * Possible backdoor functionality [UNKNOWN] port 1146.

    [ Process/window information ]
    * Creates a mutex PMUTEX000003.
    * Will automatically restart after boot (I'll be back...).
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    Ummm... I couldn't find the other files, though.
  • SpywareShooter
    edited April 2006
    Thank you. Please continue to follow the steps posted above and post a new HijackThis log.