Expert: Brian Benosky - 8/9/2008

Question
QUESTION: Hi,
Please save my laptop. Below is my hijackthis log: I can not access my display settings or my C drive. My wallpaper has been replaced with a virus alert warning in red.

StartupList report, 05/08/2008, 21:48:18
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Robert\Desktop\HiJackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Robert\Desktop\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LaunchApp = Alaunch
SiSPower = Rundll32.exe SiSPower.dll,ModeAgent
SiS Windows KeyHook = C:\WINDOWS\system32\keyhook.exe
SoundMan = SOUNDMAN.EXE
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PCMService = "C:\Program Files\Arcade\PCMService.exe"
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
LManager = C:\Program Files\Launch Manager\QtZgAcer.EXE
eRecoveryService = C:\Acer\Empowering Technology\eRecovery\Monitor.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
PCSuiteTrayApplication = C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
My Web Search Bar = rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
SM_IAN = C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
AVP = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O2 = "C:\Program Files\O2\bin\sprtcmd.exe" /P O2

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Polar Sync =
PcSync = C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
TomTomHOME.exe = "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
s9201 = "C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\ACER.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {00A6FAF1-072E-44cf-8957-5838F569A31D}
(no name) - C:\WINDOWS\nfavxwdbkvn.dll - {265E6540-2B95-4A81-9AF9-1456522F975B}
(no name) - C:\WINDOWS\system32\yayvTnkK.dll (file missing) - {275C3279-F377-43D4-A530-C738EECA7A89}
BitComet ClickCapture - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}
(no name) - (no file) - {4E3E60F5-F691-475F-AFBA-CF9FCAB47C15}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\WINDOWS\system32\geBuRHBR.dll (file missing) - {D84C240B-99AE-4338-93E5-E1B00EA5ACE2}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[WaveTab Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\wavetab.ocx
CODEBASE = http://www.riffinteractive.com/setup/RiffLick.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Adobe\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/...toUploader.cab

[DivXBrowserPlugin Object]
InProcServer32 = C:\Program Files\DivX\DivX Web Player\npdivx32.dll
CODEBASE = http://go.divx.com/plugin/DivXBrowserPlugin.cab

[Symantec Download Manager]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\symdlmgr.dll
CODEBASE = https://webdl.symantec.com/activex/symdlmgr.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/micr...?1195672929406

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://fpdownload.macromedia.com/get...nt/swflash.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/is...52/mcfscan.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\System32\WinCtrl32.dl_ => C:\WINDOWS\System32\WinCtrl32.dll||\

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
eqvwamkl: C:\WINDOWS\eqvwamkl.dll

--------------------------------------------------
End of report, 11,969 bytes
Report generated in 0.625 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

ANSWER: Hi Robert

Please download Malwarebytes' Anti-Malware to your desktop from here:
http://www.besttechie.net/tools/mbam-setup.exe
Double-click mbam-setup.exe and follow the prompts to install the program.
  * At the end, be sure a check mark is placed next to
        o Update Malwarebytes' Anti-Malware
        o and Launch Malwarebytes' Anti-Malware
  * Then click Finish.
  * If an update is found, it will download and install the latest version.
  * Once the program has loaded, select Perform full scan, then click Scan.
  * When the scan is complete, click OK, then Show Results to view the results.
  * Be sure that everything is checked, and click Remove Selected.
  * When completed, a log will open in Notepad. Include that log and a HijackThis log with your reply.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,
Thanks for getting back to me so quickly. I have been working in safe mode to get anything done.

Please find my Malwarebytes' Anti Malware log and my Hijackthis log below. I have just done both of these so they are completely up to date.
Thanks for helping once again:

Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 2

18:50:53 08/08/2008
mbam-log-8-8-2008 (18-50-53).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 103624
Time elapsed: 26 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 16
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 58

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geBuRHBR.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f78bbd8-f1b7-4b3c-a1dc-82704eb24a01} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1f78bbd8-f1b7-4b3c-a1dc-82704eb24a01} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4b7a2f9c-b13d-4629-9413-6ae672f14ff0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4b7a2f9c-b13d-4629-9413-6ae672f14ff0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SecuriSoft SARL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\320d18a1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\geburhbr -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geburhbr  -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\geBuRHBR.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\RBHRuBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RBHRuBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rocgrn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\esbqvfuq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qufvqbse.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lcsptqci.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP169\A0155318.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP169\A0156374.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP169\A0156376.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP169\A0156377.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0156478.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157465.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157466.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157467.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157468.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157469.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157470.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157471.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157472.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157473.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157474.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157475.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157476.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157477.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157478.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157479.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157480.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157481.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157482.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157483.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157484.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157485.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157486.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157487.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157488.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157489.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157490.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157491.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157492.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157493.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157494.DLL (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157495.EXE (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157496.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157498.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157499.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157501.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157502.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157503.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157504.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157505.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157506.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157514.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP171\A0157522.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP172\A0158525.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B202C27-1944-46D1-83D3-B827F9DBD873}\RP172\A0159532.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Windg47.sys (Rootkit.Agent) -> Delete on reboot.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57:59, on 08/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Robert\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: fdkowvbp - {C3FCD4C3-09EA-42DA-BED3-5452445EF824} - C:\WINDOWS\fdkowvbp.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muwe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5352/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll,avgrsstx.dll,
O23 - Service: 0250541217787716mcinstcleanup -  - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 9341 bytes


ANSWER: Hi Robert

We'll need to run a few other scans to clean things up.  You still have some rogue programs installed.  Please download Spybot Search & Destroy from one of the links listed here:

http://www.safer-networking.org/en/mirrors/index.html

Install the program, update it, then run a complete scan.  Then post me a new HJT scan log.  Please also confirm your antivirus as Kaspersky.  I also see AVG listed...possibly just antispyware scanner?  There should not be more than one virus protection program running on a single PC.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,

Yes Kapsersky is my main anti-virus and I donwloaded AVG after reading a few forums so can remove it if you want me to.
Spybot found some nasties - Virtumonde amongst others.
Please find my new HJT log below. Thanks once again for all your help:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:33:34, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Robert\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: fdkowvbp - {C3FCD4C3-09EA-42DA-BED3-5452445EF824} - C:\WINDOWS\fdkowvbp.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\frfyfyee.dll",b
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muwe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5352/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll,avgrsstx.dll,
O23 - Service: 0250541217787716mcinstcleanup -  - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 9865 bytes


Answer
Hi Robert

Yes you should uninstall AVG as it will lead to system instability having two antivirus programs on the same computer.  Next, download ComboFix to your Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

1. Close any open browsers.

2. Close and disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Double click on combofix.exe & follow the prompts.

   * When finished, it will produce a log for you.
   * Please post the "C:\ComboFix.txt" along with a new HijackThis log.


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Brian