  #1  
teenee23, 10th Aug 2008, 03:54 PM
Virus attack - help please!

HP Pavilion zt3000
Windows XP (Service 3 package uploaded today)
768 RAM

AVG 8 anti-virus (upgraded today from 7.5)
Zone alarm
Ad-aware anti-spyware

Mostly use Firefox and use Internet Explorer rarely

Hello Everyone!

This is going to be one long message so please bear with me.

On Friday (8th August), I was trying to search online if I could find a way to watch the Olympics online and carelessly downloaded a plug-in as some site suggested and that was it...all of a sudden I was receiving these security alerts about virus infection...there was VIRUS ALERT spelt everywhere on the computer (on the chat window, in the toolbar near the time/date) and there were small windows popping with security messages...

The desktop image also changed automatically and came up with a red background with danger or something along those lines written. Needless to say, I panicked and tried to update and run a virus and spyware scan but unfortunately they couldn't update...a connection failure message kept popping all the time...in spite of which I ran the scan and found 8 Trojan infections (I'm sorry...I didn’t save the log and deleted them).

What it did to my computer was - my C drive went missing...I couldn't access the C drive to do a system restore or to access Add/remove programs and didn't know what to do...finally after a couple of hours I realised I could access them using my computer (it has add/remove programs on the side)...

I randomly removed anything I was suspicious about and when I restarted things appeared to be normal again...the system failed to restore (tried a couple of times)...

But it wasn't until I tried to access the internet I found trouble again...every time I entered AVG updates/page on Google, it came up with options but when I clicked to open them, it would come up with irrelevant sites and not the ones mentioned. When I entered the address on the toolbar the page failed to display...one thing that constantly kept appearing was download ANTIVIRUS 2009...it automatically navigated me to this page and this would come up all the time in the form of pop-up windows.

Also, I realised that gmail was experiencing trouble and so were many other websites. They would open and when I click on an option, the next page wouldn’t open…it would remain blank and when refreshed it wouldn’t display the page.

At this point, I have the updated version of AVG, Ad-aware (got the .bin files from the internet with the help of a friend), Firefox.

There is one program in add/remove programs that I am very suspicious about…tried to remove it several times but it freezes after a point and I’m forced to shut the application (cancel uninstall)...it's called TBS WMP plug-in. The support information says CNN but I’m not sure...


At this point, though the desktop and the rest have been restored, Internet Explorer and Firefox are behaving in an erratic manner. The only way to check mails and browse without any problem is by entering the web address in the address bar of My computer (I was told to try this by a friend of mine and it works) but this simply cannot go on since every time something fails, I have to manually do it on My computer.

Can someone tell me how to restore my computer to function normally?

Many thanks for your time and patience.

Last edited by teenee23 : 10th Aug 2008 at 03:58 PM.
  #2  
teenee23, 10th Aug 2008, 05:49 PM

Hi again -

I just realised when the scheduled system scan was run with AVG, 2 infections were found and healed (Trojan Horse Generic_c.HFB and Trojan Horse Generic_c.HEZ). They are healed and in the virus vault....should I delete them from the vault?!
  #3  
evilfantasy (Moderator Group), 10th Aug 2008, 07:48 PM

You can empty the quarantine. We should also check for anything that may be hiding.
Download Malwarebytes Anti-Malware.exe and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to a convenient location like the Desktop.
  • The log is also automatically saved and can be viewed later by clicking the Logs tab in MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

----------

Download and rename TrendMicro HijackThis™.exe (HJT)
  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe
  • Upon install, HijackThis should open for you.
    • Close HijackThis and rename it.
    • Go to C:\Program Files\Trend Micro\HijackThis.exe
    • Right click on HijackThis.exe and select Rename
    • Type in sniper.exe and press Enter
    • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
  • From the desktop open HijackThis.
  • Important! If using Windows Vista, Right-click and Run As Administrator
  • Click on Do a system scan and save a log file
  • HijackThis will scan and then a log will open in notepad.
  • Copy & Paste the entire contents of the log in your post.
    • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Note: Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.


Next post add
MBAM log
HJT log
  #4  
teenee23, 11th Aug 2008, 04:16 AM

Many thanks for taking the time to reply in detail.

Please find the logs enclosed:

MBAM

Malwarebytes' Anti-Malware 1.24
Database version: 1040
Windows 5.1.2600 Service Pack 3
12:44:54 11/08/2008
mbam-log-8-11-2008 (12-44-54).txt
Scan type: Quick Scan
Objects scanned: 48115
Time elapsed: 6 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 13
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.DNSChanger) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\codecbho.codecplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{84562fca-ee8b-4585-a1d1-eae97b23370e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{48e92754-2daf-4de4-8385-34f631580e9b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a1c23ba2-8f20-4c01-b663-7ff2b3421194} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{098716a9-0310-4cbe-bd64-b790a9761158} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{098716a9-0310-4cbe-bd64-b790a9761158} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d37d6c1a-7ba4-47f4-9bf2-75031e257df6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.codecplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f4406238-983a-4845-9053-f1d0007fd135} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abbf8b85-b433-8c3f-4e5f-ff5f06232848} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{abbf8b85-b433-8c3f-4e5f-ff5f06232848} (Adware.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.DNSChanger) -> Delete on reboot.
C:\WINDOWS\system32\RichVideoCodec.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\eerk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\xokvrpwg.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssl.dll (Trojan.DNSChanger) -> Delete on reboot.
C:\Program Files\RichVideoCodec\MultiLoader.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\tfnslopk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\lnvegaow.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ramithra Mohandass\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ramithra Mohandass\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ramithra Mohandass\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.



HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13:42, on 11/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog
Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common
Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog
Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Trend
Micro\HijackThis\sniper.exe.exe
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper -
{02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) -
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program
Files\Skype\Toolbars\Internet
Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for
Internet Explorer -
{3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program
Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program
Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button -
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class -
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO -
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program
Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! ¤u¨ã¦C -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google -
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker -
{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program
Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Veoh Browser Plug-in -
{D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program
Files\Veoh
Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program
Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program
Files\Common Files\Real\Update_OB\realsched.exe"
-osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program
Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program
Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program
Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program
Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI
Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader
8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Voipwise] "C:\Program
Files\Voipwise.com\Voipwise\Voipwise.exe" -nosplash
-minimized
O4 - HKCU\..\Run: [VoipDiscount] "C:\Program
Files\VoipDiscount.com\VoipDiscount\VoipDiscount.e x
e" -nosplash -minimized
O4 - HKCU\..\Run: [VoipCheap] "C:\Program
Files\VoipCheap\VoipCheap.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh
Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL
SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK
SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.EXE (User 'Default
user')
O4 - Startup: WordWeb.lnk = C:\Program
Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet
Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft
Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services -
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype -
{77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program
Files\Skype\Toolbars\Internet
Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research -
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) -
{e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
(Installation Support) - C:\Program
Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
(WUWebControl Class) -
http://www.update.microsoft.com/windowsupdate/v6/V5
Controls/en/x86/client/wuweb_site.cab?1205676063069
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616}
(DivXBrowserPlugin Object) -
http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner -
{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program
Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com -
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -
C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service
(aawservice) - Lavasoft - C:\Program
Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) -
AVG Technologies CZ, s.r.o. -
C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG
Technologies CZ, s.r.o. -
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) -
Google - C:\Program Files\Google\Common\Google
Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager
(IDriverT) - Macrovision Corporation - C:\Program
Files\Common Files\InstallShield\Driver\1050\Intel
32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX
Agent Service (default)) - Analog Devices, Inc. -
C:\Program Files\Analog
Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon)
- Zone Labs, LLC -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8209 bytes
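Added example, not part of the original thread: a Python parser for the MBAM log layout posted above. It lists the objects still marked "Delete on reboot" (the restart that the MBAM note in post #3 asks for) and compares the summary counts with the items actually pasted, which catches a truncated log. The function names and the shortened sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the layout of the MBAM 1.24 log posted
# above, shortened so the declared counts match the items listed here.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.24
Scan type: Quick Scan
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Files Infected: 3
Memory Modules Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.DNSChanger) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.DNSChanger) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\eerk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(.+ Infected):\s*(\d+)\s*$")   # "Files Infected: 13"
HEADER = re.compile(r"^(.+ Infected):\s*$")            # "Files Infected:"
ITEM = re.compile(
    r"^(?P<object>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?\s*$"
)


def parse_mbam_log(text):
    """Return the declared per-section counts and every listed detection."""
    declared, items, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY.match(line)
        if m:
            declared[m.group(1)] = int(m.group(2))
            continue
        m = HEADER.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return {"declared": declared, "items": items}


def pending_reboot(parsed):
    """Objects MBAM could only schedule for deletion; they persist until restart."""
    return sorted({i["object"] for i in parsed["items"]
                   if i["action"].lower().startswith("delete on reboot")})


def count_mismatches(parsed):
    """Sections whose summary count differs from the items pasted: (declared, found)."""
    found = Counter(i["section"] for i in parsed["items"])
    return {s: (n, found.get(s, 0))
            for s, n in parsed["declared"].items() if n != found.get(s, 0)}


def detections(parsed):
    """How many listed items carry each detection name."""
    return Counter(i["detection"] for i in parsed["items"])


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("Still present until reboot:")
    for obj in pending_reboot(parsed):
        print("  ", obj)
    print("Detections:", dict(detections(parsed)))
    print("Count mismatches:", count_mismatches(parsed) or "none")
```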
  #5  
evilfantasy (Moderator Group), 11th Aug 2008, 09:07 AM

Please run a new HijackThis scan and this time before posting it in Notepad go to Edit > and click Word Wrap. Then post the log.

Also let me know how the PC is now.

Last edited by evilfantasy : 11th Aug 2008 at 09:08 AM.
  #6  
teenee23, 11th Aug 2008, 09:47 AM

Hi again,

Thanks for the reply. I believe the word wrap was checked before the previous post was done, however, I am reposting the new one now. I'm still unable to view gmail and yahoo mail and search results from google on IE or Firefox...still using the address bar of My computer...thank you!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:16, on 11/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Voipwise] "C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe" -nosplash -minimized
O4 - HKCU\..\Run: [VoipDiscount] "C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" -nosplash -minimized
O4 - HKCU\..\Run: [VoipCheap] "C:\Program Files\VoipCheap\VoipCheap.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1205676063069
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8289 bytes
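Added example, not part of the original thread: the first HijackThis log above was pasted with entries broken across several lines, while the re-posted one has one entry per line. This Python code rejoins a hard-wrapped paste into one line per entry and reports what the second scan shows that the first did not. The join rule is a heuristic, and the function names and the two sample logs (built from a few lines of the logs above) are assumptions.

```python
import re

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - ")   # R3, O2, O4, O16, O23 ...
DRIVE = re.compile(r"^[A-Za-z]:\\")                  # start of a process path

# Constructed samples: a few lines taken from the two logs in this thread.
WRAPPED = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13:42, on 11/08/2008
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Analog
Devices\SoundMAX\SMAgent.exe
O2 - BHO: SSVHelper Class -
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
(WUWebControl Class) -
http://www.update.microsoft.com/windowsupdate/v6/V5
Controls/en/x86/client/wuweb_site.cab?1205676063069
O20 - AppInit_DLLs: avgrsstx.dll
--
End of file - 8209 bytes
"""

REPOSTED = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:16, on 11/08/2008
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205676063069
O20 - AppInit_DLLs: avgrsstx.dll
--
End of file - 8289 bytes
"""


def unwrap_hjt(text):
    """Rebuild one logical line per log entry from a hard-wrapped paste."""
    out, mode, prev = [], "header", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY.match(line):
            mode, starts_new = "entries", True
        elif line == "--" or line.startswith("End of file"):
            mode, starts_new = "footer", True
        elif mode == "header":
            starts_new = True
            if line.lower().startswith("running processes"):
                mode = "processes"
        elif mode == "processes":
            # In the process list every entry begins with a drive letter.
            starts_new = bool(DRIVE.match(line))
        else:
            # Inside an R/O entry even a "C:\..." line is a continuation.
            starts_new = False
        if starts_new or not out:
            out.append(line)
        else:
            # Heuristic: a fragment with no space in it was cut inside one
            # long token (a URL), so rejoin it without inserting a space.
            out[-1] += ("" if " " not in prev else " ") + line
        prev = line
    return out


def sections(lines):
    """Group logical lines by section code (O2 lines are BHOs, O4 Run keys)."""
    grouped = {}
    for line in lines:
        m = ENTRY.match(line)
        if m:
            grouped.setdefault(m.group("code"), []).append(line)
    return grouped


def _key(line):
    return re.sub(r"\s+", " ", line).lower()


def added_between(before, after):
    """Logical lines in the second scan that the first scan did not contain."""
    seen = {_key(l) for l in unwrap_hjt(before)}
    skip = ("scan saved at", "end of file")   # always differ between scans
    return [l for l in unwrap_hjt(after)
            if _key(l) not in seen and not _key(l).startswith(skip)]


if __name__ == "__main__":
    for code, lines in sections(unwrap_hjt(WRAPPED)).items():
        print(code, len(lines))
    print("New in second scan:", added_between(WRAPPED, REPOSTED))
```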
  #7  
teenee23, 11th Aug 2008, 10:00 AM

Hi again

I have some great news - I just checked to see if the AVG and ad-aware were able to connect to the internet and check for updates (without me having to download the .bin file) and guess what? It worked!
I am also able to check yahoo mail now and gmail is a little temperamental still but the rest seems to be all right.

I cannot thank you enough for being so kind to take the time to respond - heart-felt thanks!

Does this mean that I can uninstall the two programs or should I let them stay?

Thanks again!
  #8  
evilfantasy (Moderator Group), 11th Aug 2008, 10:09 AM

The HJT log looks fine. You can uninstall HijackThis but keep MBAM and update then scan with it occasionally to make sure nothing has gotten in.

Let me know if you have any questions.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide

----------

Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
----------

Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

----------

Make sure all of your security programs are up to date and run scans with them regularly.

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0.

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I would suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Use only trusted security software like the programs listed on this page. Trusted security tools & resources


Copyright ©2006 - 2008 Computer Juice.
