Need help with my HJT Log (Hit a dead end)

[buddha]

I have came to a dead end with my recent battle with some Mal/Spy/Adware and I need to reach out to get some help.

I got infected by multiple programs and got rid of the major things that were creating popups and making Avast go off about every 10 minutes which I thnk was the caused from Vundo which I got the vundofix and ran that a removed it and that seemed to work but I am still getting hit in Avast.

Steps I have taken:
1. All Virus and Spy apps are up to date
2. Ran Spybot, Adware and Windows Defender
3. Ran in safe mode multiple times
4. Removed Vundo with VundoFix

I have above average knowledge with comps and everything I know to do I have done and I see things in the HJT log but I am not really sure what program infected me to remove them since I am not familiar with HJT.

Here is my log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:08:24 PM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\retadpu2000219.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\nic\Desktop\HiJackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\qohvxdvv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} - C:\WINDOWS\system32\awtss.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uhcmojut.dll",realset
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\nic\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.cherrytap.com/imgs/ImageUploader4.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 6315 bytes

[buddha]

Still in need for help with this. I just got an alert from Windows Defender about Ipwindows and when I have done searches on the net about this Vundo comes up and I have ran the VundoFix already and it keeps coming back.

Any help is appreciated.

[buddha]

Sorry for the multiple posts but I dont see an edit option.

Adding DSS scan

Deckard's System Scanner v20070426.43
Run by nic on 2007-05-01 at 13:01:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2007-05-01 17:02:12 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2007-05-01 16:09:08 UTC - RP8 - Windows Defender Checkpoint
7: 2007-04-30 17:19:08 UTC - RP7 - Installed Windows Installer Clean Up
6: 2007-04-30 14:53:39 UTC - RP6 - Installed Ad-Aware SE Personal
5: 2007-04-29 16:07:21 UTC - RP5 - System Checkpoint


-- First Restore Point --
1: 2007-04-26 16:51:41 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as nic.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:04:59 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\retadpu2000219.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\nic\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\nic.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\qohvxdvv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} - C:\WINDOWS\system32\awtss.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uhcmojut.dll",realset
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\nic\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.cherrytap.com/imgs/ImageUploader4.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 VClone - c:\windows\system32\drivers\vclone.sys <Not Verified; Elaborate Bytes AG; Virtual CloneDrive>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R2 Ndismeetro (Meetro NDIS Protocol Driver) - c:\windows\system32\drivers\ndismeetro.sys <Not Verified; Meetro; Meetro>
R3 A3AB (D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB)) - c:\windows\system32\drivers\a3ab.sys <Not Verified; D-Link Corporation; D-Link Wireless Network adapter>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>

S3 ENTECH - c:\windows\system32\drivers\entech.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-05-01 02:05:20 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-04-29 19:14:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-04-01 and 2007-05-01 -----------------------------

2007-05-01 12:54:09 0 d-------- C:\Program Files\SpywareBlaster
2007-05-01 12:50:58 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-01 1255 0 d-------- C:\Program Files\Ipwindows
2007-04-30 13:19:11 0 d-------- C:\Program Files\Windows Installer Clean Up
2007-04-30 13:18:49 0 d-------- C:\Program Files\MSECACHE
2007-04-30 10:53:41 0 d-------- C:\Program Files\Lavasoft
2007-04-30 10:50:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-28 08:50:58 0 d-------- C:\WINDOWS\LastGood
2007-04-26 12:14:04 0 d-------- C:\VundoFix Backups
2007-04-26 11:51:35 0 d-------- C:\Program Files\InetGet2
2007-04-25 13:09:32 132660 --a------ C:\WINDOWS\system32\uhcmojut.dll
2007-04-24 18:51:55 0 d-------- C:\Program Files\Windows Defender
2007-04-23 1341 281172 ---hs---- C:\WINDOWS\system32\awvvv.dll
2007-04-23 12:57:08 40183 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2007-04-23 11:22:49 0 d-------- C:\Program Files\QuickTime
2007-04-10 11:12:40 0 d-------- C:\WINDOWS\.jagex_cache_32


-- Find3M Report ---------------------------------------------------------------

2007-05-01 12:42:49 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-05-01 12:10:54 0 d-------- C:\Program Files\Trillian
2007-04-30 10:53:54 0 d-------- C:\Documents and Settings\nic\Application Data\Lavasoft
2007-04-23 16:26:39 0 d-------- C:\Documents and Settings\nic\Application Data\uTorrent
2007-04-23 12:01:43 0 d-------- C:\Program Files\mIRC
2007-04-23 11:15:49 0 d-------- C:\Program Files\Apple Software Update
2007-03-27 23:54:27 0 d-------- C:\Program Files\Logitech
2007-03-15 10:08:13 101438 --a------ C:\WINDOWS\b122.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\qohvxdvv.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} C:\WINDOWS\system32\awtss.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"VirtualCloneDrive"="\"C:\\Program Files\\Elaborate Bytes\\VirtualCloneDrive\\VCDDaemon.exe\" /s"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
@=""
"Launch LGDCore"="\"C:\\Program Files\\Logitech\\G-series Software\\LGDCore.exe\" /SHOWHIDE"
"Launch LCDMon"="\"C:\\Program Files\\Logitech\\G-series Software\\LCDMon.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\uhcmojut.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Startup Manager"="C:\\Documents and Settings\\nic\\Application Data\\Systweak\\ASO 2\\smstartUp manager.exe"
"Gadwin PrintScreen 3.5"="C:\\Program Files\\Gadwin Systems\\PrintScreen\\PrintScreen.exe /nosplash"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3F9D0C61-737D-44D1-BD80-91AF857061CC}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="s3k_autoupdate"
"hkey"="HKCU"
"command"="C:\\Program Files\\Serials3k\\s3k_autoupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IntelMEM"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dff9d237-d3e9-11db-925b-00123fd55adb}]
Shell\AutoRun\command F:\CA_Install.exe


-- End of Deckard's System Scanner: finished at 2007-05-01 at 13:05:42 ---------

[Sempurna]

Hi Buddha,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

We need to disable your Windows Defender real-time protection as it may interfere with the fixes that we need to make.

To disable Windows Defender:

• Open Windows Defender.
• Click on Tools, General Settings.
• Scroll down and uncheck Turn on real-time protection (recommended).
• After you uncheck this, click on the Save button and close Windows Defender.

NEXT:

Please download VirtumundoBeGone:

• Save it to the desktop.
• Close all running programs (including your Internet browser).
• Double-click VirtumundoBeGone.exe on the desktop.
• Follow the directions as indicated.

This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process. Do not be concerned. Just reboot if your system "jams".

To confirm successful deletion, and to determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It will be on your desktop.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\qohvxdvv.dll (file missing)
O2 - BHO: (no name) - {93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} - C:\WINDOWS\system32\awtss.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uhcmojut.dll",realest


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download OTMoveIt by OldTimer:

• Save it to your desktop.
• Please double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  C:\WINDOWS\system32\uhcmojut.dll
  C:\WINDOWS\system32\uhcmojut.dll
  C:\WINDOWS\b122.exe
  C:\WINDOWS\system32\awvvv.dll
  C:\Program Files\InetGet2
  
  
• Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
• Click the red MoveIt! button.
• Close OTMoveIt.
• Please post the log from OTMoveIt, located here:
  
  C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
  
  Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

• Save it to your desktop.
• Double-click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

1. The log from the VirtumundoBeGone scan.
2. The log from the ComboFix scan.
3. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

[buddha]

Your instructions were very easy to follow and very appreciated. Here are the logs.


[05/02/2007, 12:05:53] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\nic\Desktop\VirtumundoBeGone.exe" )
[05/02/2007, 1202] - Detected System Information:
[05/02/2007, 1202] - Windows Version: 5.1.2600, Service Pack 2
[05/02/2007, 1202] - Current Username: nic (Admin)
[05/02/2007, 1202] - Windows is in NORMAL mode.
[05/02/2007, 1202] - Searching for Browser Helper Objects:
[05/02/2007, 1202] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/02/2007, 1202] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[05/02/2007, 1202] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2007, 1202] - Checking for HKLM\...\Winlogon\Notify\qohvxdvv
[05/02/2007, 1202] - Key not found: HKLM\...\Winlogon\Notify\qohvxdvv, continuing.
[05/02/2007, 1202] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/02/2007, 1202] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2007, 1202] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/02/2007, 1202] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/02/2007, 1202] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/02/2007, 1202] - BHO 5: {93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} ()
[05/02/2007, 1202] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2007, 1202] - Checking for HKLM\...\Winlogon\Notify\awtss
[05/02/2007, 1202] - Key not found: HKLM\...\Winlogon\Notify\awtss, continuing.
[05/02/2007, 1202] - Finished Searching Browser Helper Objects
[05/02/2007, 1202] - Finishing up...
[05/02/2007, 1202] - Nothing found! Exiting...


DllUnregisterServer procedure not found in C:\WINDOWS\system32\uhcmojut.dll
C:\WINDOWS\system32\uhcmojut.dll NOT unregistered.
C:\WINDOWS\system32\uhcmojut.dll moved successfully.
File/Folder C:\WINDOWS\system32\uhcmojut.dll not found.
C:\WINDOWS\b122.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\awvvv.dll NOT unregistered.
C:\WINDOWS\system32\awvvv.dll moved successfully.
C:\Program Files\InetGet2 moved successfully.

Created on 05/02/2007 12:18:28

"nic" - 07-05-02 12:21:42 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\nic\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\UnInstall.exe
C:\WINDOWS\system32\drivers\fad.sys
C:\Program Files\ipwindows


((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))


2007-05-01 13:01 <DIR> d-------- C:\Deckard
2007-05-01 12:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-01 12:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-30 13:19 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-04-30 13:18 <DIR> d-------- C:\Program Files\MSECACHE
2007-04-30 10:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-30 10:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-28 08:50 <DIR> d-------- C:\WINDOWS\LastGood
2007-04-26 12:14 <DIR> d-------- C:\VundoFix Backups
2007-04-24 18:51 <DIR> d-------- C:\Program Files\Windows Defender
2007-04-23 11:22 <DIR> d-------- C:\Program Files\QuickTime
2007-04-10 11:12 <DIR> d-------- C:\WINDOWS\.jagex_cache_32


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-02 01:39 152833 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-05-01 12:42 -------- d-------- C:\Program Files\mozilla thunderbird
2007-05-01 12:10 -------- d-------- C:\Program Files\trillian
2007-04-23 12:01 -------- d-------- C:\Program Files\mirc
2007-04-18 12:16 733824 --a------ C:\WINDOWS\system32\aswboot.exe
2007-04-18 12:12 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-18 12:12 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-18 12:10 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-18 12:09 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-18 12:07 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-18 12:06 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-03-27 23:54 -------- d-------- C:\Program Files\logitech
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"VirtualCloneDrive"="\"C:\\Program Files\\Elaborate Bytes\\VirtualCloneDrive\\VCDDaemon.exe\" /s"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
@=""
"Launch LGDCore"="\"C:\\Program Files\\Logitech\\G-series Software\\LGDCore.exe\" /SHOWHIDE"
"Launch LCDMon"="\"C:\\Program Files\\Logitech\\G-series Software\\LCDMon.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Startup Manager"="C:\\Documents and Settings\\nic\\Application Data\\Systweak\\ASO 2\\smstartUp manager.exe"
"Gadwin PrintScreen 3.5"="C:\\Program Files\\Gadwin Systems\\PrintScreen\\PrintScreen.exe /nosplash"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="s3k_autoupdate"
"hkey"="HKCU"
"command"="C:\\Program Files\\Serials3k\\s3k_autoupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IntelMEM"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dff9d237-d3e9-11db-925b-00123fd55adb}]
Shell\AutoRun\command F:\CA_Install.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-02 12:27:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-02 12:27:38
C:\ComboFix-quarantined-files.txt ... 07-05-02 12:27

[buddha]

Logfile of HijackThis v1.99.1
Scan saved at 12:30:50 PM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\retadpu2000219.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\nic\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.cherrytap.com/imgs/ImageUploader4.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

[Sempurna]

Hi Buddha,

You’re most welcome, Buddha. I’m glad to hear that you had no problems following the directions I posted.

Let’s see if there’s anything else lurking in your system.

Please download CCleaner (freeware) and save it to your desktop:

• Run the CCleaner installer.
• During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
• Once installed, run CCleaner and click the Windows tab.
• Select the following:
  • Check everything under the Internet Explorer section.
  • Check everything under the Windows Explorer section.
  • Check everything under the System section.
  • Check ONLY Old Prefetch data under the Advanced section.
• Then, click the Applications tab:
  • UNCHECK everything there.
• Next, click the Options button, then click the Advanced button:
  • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
• Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner:

• Click on Kaspersky Online Scanner.
• You will be prompted to install an ActiveX component from Kaspersky, click Yes.
• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded click on Next.
• Now click on Scan Settings.
• In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
    Extended
  • Scan Options:
    Scan Archives
    Scan Mail Bases
• Click OK.
• Now under select a target to scan:
  • Select My Computer.
• This program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save Report As button.
  • In the File name: field, type kavscan.
  • In the Save as type: field, select Text file (*.txt).
• Save the file to your desktop.
• Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please reboot your computer normally into Windows, and then please post the log from the Kaspersky scan and a new HijackThis log.

How are things running now?

[buddha]

Everything seems to be running fine and I am not getting any alerts from Avast however Kaspersky Online Scanner found a few things.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 03, 2007 5:34:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/05/2007
Kaspersky Anti-Virus database records: 312908
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 84430
Number of viruses found: 12
Number of infected objects: 36 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:48:53

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\WINDOWS\temp\_avast4_\unp70060347.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04242007-185224.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\cert8.db Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\formhistory.dat Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\history.dat Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\key3.db Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\parent.lock Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\search.sqlite Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\nic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv620.jar-3fa4255-77b3e915.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\nic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv620.jar-3fa4255-77b3e915.zip ZIP: infected - 1 skipped
C:\Documents and Settings\nic\Application Data\Sun\Java\Deployment\log\plugin142_03.trace Object is locked skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text/[From 6, BAYES_50 0.00, FROM_ENDS_IN_NUMS 0.99,][Date Sat, 16 Jul 2005 17:54:28 -0400]/text/[From stephanie e <queenb134698@gmail.com>][Date Sun, 17 Jul 2005 05:22:38 -0400]/text/[From Reed Arvin <reedarvin@gmail.com>][Date Fri, 12 ... /[From Kroma Pierre <kroma@syss.de>][Date Fri, 12 Aug 2005 14:27:05 +0200]/UNNAMED Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text/[From 6, BAYES_50 0.00, FROM_ENDS_IN_NUMS 0.99,][Date Sat, 16 Jul 2005 17:54:28 -0400]/text/[From stephanie e <queenb134698@gmail.com>][Date Sun, 17 Jul 2005 05:22:38 -0400]/text/[From Reed Arvin <reedarvin@gmail.com>][Date Fri, 12 Aug 2005 07:50:46 -0700]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text/[From 6, BAYES_50 0.00, FROM_ENDS_IN_NUMS 0.99,][Date Sat, 16 Jul 2005 17:54:28 -0400]/text/[From stephanie e <queenb134698@gmail.com>][Date Sun, 17 Jul 2005 05:22:38 -0400]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text/[From 6, BAYES_50 0.00, FROM_ENDS_IN_NUMS 0.99,][Date Sat, 16 Jul 2005 17:54:28 -0400]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox Mail Berkeley mbox: infected - 6 skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Trash/[From Nic <calleja@tampabay.rr.com>][Date Sat, 16 Jul 2005 22:37:38 -0400]/text/[From ian.latter@midnightcode.org][Date 18 Jul 2005 03:31:01 -0000]/text/[From "Stefan Kelm" <stefan.kelm@secorvo.de>][Date Mon, 18 Jul 2005 10:28:44 +0200]/text/[From "KF (lists)" <kf_lists@digitalmunition.com>][Date Thu, 11 Aug 2005 23:42:32 -0400]/UNNAMED/[From Kroma Pierre <kroma@syss.de>][Date Fri, 12 Aug 2005 14:27:05 +0200]/UNNAMED Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Trash/[From Nic <calleja@tampabay.rr.com>][Date Sat, 16 Jul 2005 22:37:38 -0400]/text/[From ian.latter@midnightcode.org][Date 18 Jul 2005 03:31:01 -0000]/text/[From "Stefan Kelm" <stefan.kelm@secorvo.de>][Date Mon, 18 Jul 2005 10:28:44 +0200]/text/[From "KF (lists)" <kf_lists@digitalmunition.com>][Date Thu, 11 Aug 2005 23:42:32 -0400]/UNNAMED Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Trash/[From Nic <calleja@tampabay.rr.com>][Date Sat, 16 Jul 2005 22:37:38 -0400]/text/[From ian.latter@midnightcode.org][Date 18 Jul 2005 03:31:01 -0000]/text/[From "Stefan Kelm" <stefan.kelm@secorvo.de>][Date Mon, 18 Jul 2005 10:28:44 +0200]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Trash/[From Nic <calleja@tampabay.rr.com>][Date Sat, 16 Jul 2005 22:37:38 -0400]/text/[From ian.latter@midnightcode.org][Date 18 Jul 2005 03:31:01 -0000]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Trash/[From Nic <calleja@tampabay.rr.com>][Date Sat, 16 Jul 2005 22:37:38 -0400]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Trash Mail Berkeley mbox: infected - 5 skipped
C:\Documents and Settings\nic\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{2661C2EB-6CD4-47BA-888D-BADD6A34AE32} Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\nic\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nic\Local Settings\History\History.IE5\MSHist012007050320070504\index.dat Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Temp\hsperfdata_nic\2632 Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Temp\Perflib_Perfdata_8c0.dat Object is locked skipped
C:\Documents and Settings\nic\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nic\My Documents\ADOBE.PHOTOSHOP.CS2.ISO/Goodies/PROGRAMS & EXTRA STUFF/WinZip 9.0.6224-SR1.zip/WinZip 9.0.6224-SR1/WinZip-KEY-GEN.exe Infected: Trojan-Dropper.Win32.Delf.fl skipped
C:\Documents and Settings\nic\My Documents\ADOBE.PHOTOSHOP.CS2.ISO/Goodies/PROGRAMS & EXTRA STUFF/WinZip 9.0.6224-SR1.zip Infected: Trojan-Dropper.Win32.Delf.fl skipped
C:\Documents and Settings\nic\My Documents\ADOBE.PHOTOSHOP.CS2.ISO ISO image: infected - 2 skipped
C:\Documents and Settings\nic\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\nic\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nic\UserData\index.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\PsTools\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\PsTools\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000092.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000104.dll Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\awtss.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.iu skipped
C:\VundoFix Backups\cbjqwhud.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\cxgnbfyt.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\gebawus.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.il skipped
C:\VundoFix Backups\hggdaab.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.il skipped
C:\VundoFix Backups\tuvspon.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.il skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C7928151-3229-4291-9A71-462740CDFE23}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\updater.exe.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\b122.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\b122.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\b122.exe NSIS: infected - 2 skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\awvvv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.iu skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\uhcmojut.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 5:41:39 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\nic\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.cherrytap.com/imgs/ImageUploader4.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

[Sempurna]

Hi Buddha,

OK, just some leftovers, and then we could probably let you go home.

Please launch OTMoveIt:

• Double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  C:\Deckard\System Scanner\backup\WINDOWS\temp\_avast4_\unp70060347.tmp
  C:\Documents and Settings\nic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv620.jar-3fa4255-77b3e915.zip
  C:\Documents and Settings\nic\My Documents\ADOBE.PHOTOSHOP.CS2.ISO
  
  
• Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
• Click the red MoveIt! button.
• Close OTMoveIt.
• Please post the log from OTMoveIt, located here:
  
  C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
  
  Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

1. The log from OTMoveIt.
2. A new HijackThis log.

[buddha]

Here ya go. Appreciate all the help.





C:\Deckard\System Scanner\backup\WINDOWS\temp\_avast4_\unp70060347.tmp moved successfully.
C:\Documents and Settings\nic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv620.jar-3fa4255-77b3e915.zip moved successfully.
C:\Documents and Settings\nic\My Documents\ADOBE.PHOTOSHOP.CS2.ISO moved successfully.

Created on 05/04/2007 10:33:40


Logfile of HijackThis v1.99.1
Scan saved at 10:40:32 AM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\nic\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.cherrytap.com/imgs/ImageUploader4.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

[Sempurna]

Hi Buddha,

You’re most welcome, Buddha.

Just some loose ends to tie up, and then we can let you go home.

To create a new system restore point:

• Go to Start Menu -> All Programs -> Accessories -> System Tools -> System Restore.
• Click Create A Restore Point then click Next. Give it a name and then click Create.
• When the confirmation screen shows the restore point has been created click Close.
• Then go to Start -> Run and type CLEANMGR.
• Disk Cleanup will open and start calculating the amount of space that can be freed.
• Once that’s finished it will open the Disk Cleanup options screen, click the More Options tab.
• Click Clean Up in the System Restore section and choose Yes at the confirmation window.

This will remove all previous restore points except the newly created one.


NEXT:

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:

• CLICK HERE to download the offline installer.
  • Select Java Runtime Environment (JRE) 6u1 and click the Download button to the right.
  • Check the box that says Accept License Agreement.
  • Click on the link to download Windows Offline Installation, Multi-language.
  • Save the file to your desktop.
• Next, uninstall your currently installed version from Add/Remove Programs.
• If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
• Examples of older versions in Add/Remove Programs:
  • Java 2 Runtime Environment, SE v1.4.2
  • J2SE Runtime Environment 5.0
  • J2SE Runtime Environment 5.0 Update 2
• Reboot your system.
• Install the new version by double-clicking on the file you downloaded.

NEXT:

Everything looks great --- your HijackThis log appears to be clean.

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• Windows Updates (a must!)
  It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.
  
  
• Firewall (a must!)
  It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
  Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.
  
  
• Also make sure to run your antivirus software regularly, and to keep it up-to-date.
  
  
• SpywareBlaster
  This is a great FREE prevention tool to keep nasties from installing on your system.
  Tutorial: How to use!
  
  
• IE-SPYAD
  This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  Tutorial: How to use!
  
  
• Spybot - Search & Destroy
  This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
  Tutorial: How to use!
  
  
• Ad-Aware SE
  This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy compliment each other very well.
  Tutorial: How to use!
  
  
• AVG Anti-Spyware
  This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
  User Manual: How to use!
  
  
• SUPERAntiSpyware
  This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware compliment each other very well.
  Quick Guide: How to use!

Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck!


Please respond one more time and let me know you received this post, so that it can be marked as resolved, unless you have other problems.

[buddha]

Thank you for all your help! It is really appreciated.