Malware-gen, Trojan-gen and Adware-gen... please, help!

Greetings to all,

I’m new here and I hope you can help me to get rid of the viruses that just got into my PC.
I’m using Windows XP. Avast (4.8, Home Edition) detected 3 malware files yesterday (while I was browsing the internet). Every time I clicked “Delete” the file, but apparently it hasn’t solved the problem. :frowning:
Besides, after closing the browser (IE), I noticed that a “Windows Warning Message” appeared on my desktop (but it’s like a wallpaper, I mean: I can’t close it, can’t drag this window, nothing is active on it, and the desktop icons are OVER it), so I suppose it’s not a genuine Windows message but some kind of malware itself. It reads: “Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer”. And below:
“Warning! Win32/Adware.Virtumonde. Detected on your computer. Danger!”
“Warning! Win32/PrivacyRemover.M64. Detected on your computer. Danger!”
I made a screenshot, just in case you’d like to see it.

The first time this happened, Avast “detected a virus in the operating memory” and advised me to run a boot-time scan. So I did. I deleted the 3 files.

However, after restarting the system, the strange Windows Warning Message was still stuck to my desktop (which had been changed to white, by the way), and after a while the Avast warnings popped up. The last time I started the computer Avast found these files (I moved them all to the chest this time):

File name: C:\Documents and Settings\Jowita\Local Settings\Temp.ttB.tmp.v
Malware name: VBS:Malware-gen
Malware type: Virus/Worm
VPS version: 080908-0, 08/09/2008

File name: C:\DOCUME~1\Jowita\LOCALS~1\Temp\nsw3.tmp\euladlg.dll
Malware name: Win32:Adware-gen [Adw]
Malware type: Adware
VPS version: 080908-0, 08/09/2008

File name: C:\WINDOWS\system32\blphc3v1j0el5v.scr
Malware name: Win32:Trojan-gen {Other}
Malware type: Virus/Worm
VPS version: 080908-0, 08/09/2008

And some of this malware turns off the Windows XP FIREWALL, so I had to activate it manually from the Control Panel every time after starting Windows. >:(

OK, here’s the most recent Avast log… Looking at the file names, I see that there have been more than the 3 last ones I mentioned above:

04/09/2008 20:18:36 SYSTEM 1864 Sign of “JS:Agent-AV [trj]” has been found in “http:// www . doomshade . com/” file.

09/09/2008 05:07:19 SYSTEM 1644 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Jowita\Local Settings\Temp.ttD0.tmp.vbs” file.
09/09/2008 05:34:52 Jowita 5504 Sign of “Win32:Adware-gen [Adw]” has been found in “c:\docume~1\jowita\locals~1\temp\nsjd8.tmp\euladlg.dll” file.
09/09/2008 05:36:11 Jowita 5504 Sign of “Win32:Trojan-gen {Other}” has been found in “c:\windows\system32\blphc3v1j0el5v.scr” file.

09/09/2008 13:32:20 Jowita 1668 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\DOCUME~1\Jowita\LOCALS~1\Temp\nsg3.tmp\euladlg.dll” file.
09/09/2008 13:39:21 Jowita 1668 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Jowita\Local Settings\Temp.tt4.tmp.vbs” file.
09/09/2008 13:39:39 Jowita 1668 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphc3v1j0el5v.scr” file.

09/09/2008 14:03:19 Jowita 2132 Sign of “Win32:Bravix [Drp]” has been found in “C:\System Volume Information_restore{BF9F55C2-22DF-4F00-AF93-1F55C447A3B2}\RP20\A0001995.dll” file.
09/09/2008 14:04:58 Jowita 2132 Sign of “Win32:Bravix [Drp]” has been found in “C:\System Volume Information_restore{BF9F55C2-22DF-4F00-AF93-1F55C447A3B2}\RP20\A0001996.dll” file.
09/09/2008 14:05:11 Jowita 2132 Sign of “Win32:Bravix [Drp]” has been found in “C:\System Volume Information_restore{BF9F55C2-22DF-4F00-AF93-1F55C447A3B2}\RP20\A0001997.dll” file.

09/09/2008 14:35:51 Jowita 1700 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\DOCUME~1\Jowita\LOCALS~1\Temp\nsc3.tmp\euladlg.dll” file.
09/09/2008 14:36:44 Jowita 1700 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Jowita\Local Settings\Temp.tt5.tmp.vbs” file.
09/09/2008 14:37:08 Jowita 1700 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphc3v1j0el5v.scr” file.

09/09/2008 14:47:13 Jowita 1880 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\DOCUME~1\Jowita\LOCALS~1\Temp\nsa3.tmp\euladlg.dll” file.
09/09/2008 14:47:38 Jowita 1880 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Jowita\Local Settings\Temp.tt7.tmp.vbs” file.
09/09/2008 14:47:44 Jowita 1880 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphc3v1j0el5v.scr” file.

09/09/2008 17:21:48 Jowita 1876 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Jowita\Local Settings\Temp.ttB.tmp.vbs” file.
09/09/2008 17:43:28 Jowita 1876 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\DOCUME~1\Jowita\LOCALS~1\Temp\nsw3.tmp\euladlg.dll” file.
09/09/2008 17:45:28 Jowita 1876 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphc3v1j0el5v.scr” file.

I’d be really grateful if you could tell me step by step what I should do now.

I’ll probably reinstall Windows soon anyway (just after I finish the most urgent work), because as far as I remember, since the beginning, sometimes the moment I press the button to start the PC it starts talking: “No CPU installed” (over and over and over again until I turn off the computer). Has anybody ever heard about something like this? It happens randomly; really weird (how could it work if the CPU was not installed… and then only sometimes?). ???
Besides, since I started using this PC again (I had been moving and using another one meanwhile), the DVD-RAM drive and DVD/CD-RW drive don’t work anymore. I mean, they read CDs and DVDs; however, if I insert a blank CD-R, their name on the list changes into just “CD Drive”, and when I double-click it, a window pops up: “F:\ (or D) is not accessible. Incorrect function”.
I also cannot install the Windows updates for some reason. :frowning:

Best greetings,

Jowita

Ah, one more detail: I wanted also to check the current processes and one of them looks strange to me… It’s called “AutoJob.exe”. Can it have something to do with the viruses I got?
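The warning log quoted above has a regular shape (date, time, user, pid, signature, path), and its telling feature is that the same payload keeps being re-detected after each reboot while only the temp-file names change. The following is an added example, not part of the original post: a small Python parser that groups such lines by a normalised path and reports which paths keep coming back. The sample lines are constructed (user name replaced) and the idea that the pid column identifies one avast session per reboot is an assumption drawn from the log.

```python
import re
from collections import defaultdict
from datetime import datetime

# One avast 4.x warning-log line, in the shape quoted in the post:
#   DD/MM/YYYY HH:MM:SS <user> <pid> Sign of "<signature>" has been found in "<path>" file.
# Curly and straight quotes are both accepted because forum software rewrites them.
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>[^”"]+)[”"] '
    r'has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

def parse_line(line):
    """Return a dict for one avast warning line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d/%m/%Y %H:%M:%S")
    rec["pid"] = int(rec["pid"])
    return rec

def normalise_path(path):
    """Collapse the parts of a path that the dropper randomises, so repeats line up.

    Assumption (from the thread's log): the NSIS-style temp dirs (nsw3.tmp, nsjd8.tmp)
    and the tt*.tmp.vbs scripts change name on every run, while the payload in
    system32 keeps one name.
    """
    p = path.lower().replace("/", "\\")
    # 8.3 short names vs long names for the XP profile folders
    p = p.replace("docume~1", "documents and settings").replace("locals~1", "local settings")
    p = re.sub(r"\\ns[a-z0-9]+\.tmp\\", r"\\ns*.tmp\\", p)
    p = re.sub(r"(?<![a-z0-9])tt[0-9a-f]+\.tmp", "tt*.tmp", p)
    return p

def summarise(lines):
    """Group detections by normalised path.

    Assumption: the pid column is the avast process that logged the hit, so a new
    pid means a new scanner session (in the post, a new pid appears after each reboot).
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[normalise_path(rec["path"])].append(rec)
    summary = {}
    for path, recs in hits.items():
        summary[path] = {
            "count": len(recs),
            "sessions": sorted({r["pid"] for r in recs}),
            "signatures": sorted({r["sig"] for r in recs}),
            "first": min(r["when"] for r in recs),
            "last": max(r["when"] for r in recs),
        }
    return summary

def recurring(summary, min_sessions=2):
    """Paths re-detected in at least min_sessions separate sessions: deleting the
    file did not remove whatever re-creates it, so the thing to look for is the
    persistence mechanism (autorun entry, running process), not the file."""
    return {p: s for p, s in summary.items() if len(s["sessions"]) >= min_sessions}

# Constructed sample, modelled on the log quoted above (user name replaced).
SAMPLE_LOG = r"""
09/09/2008 05:07:19 SYSTEM 1644 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\User\Local Settings\Temp\ttD0.tmp.vbs" file.
09/09/2008 05:34:52 User 5504 Sign of "Win32:Adware-gen [Adw]" has been found in "c:\docume~1\user\locals~1\temp\nsjd8.tmp\euladlg.dll" file.
09/09/2008 05:36:11 User 5504 Sign of "Win32:Trojan-gen {Other}" has been found in "c:\windows\system32\blphc3v1j0el5v.scr" file.
09/09/2008 13:32:20 User 1668 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\nsg3.tmp\euladlg.dll" file.
09/09/2008 13:39:21 User 1668 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\User\Local Settings\Temp\tt4.tmp.vbs" file.
09/09/2008 13:39:39 User 1668 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\blphc3v1j0el5v.scr" file.
a line that is not an avast warning is ignored
"""

if __name__ == "__main__":
    for path, s in recurring(summarise(SAMPLE_LOG.splitlines())).items():
        print(f"{path}\n  {s['count']} hits in sessions {s['sessions']}: {', '.join(s['signatures'])}")
```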

Ok
let’s try and get this slowed down a little
two things to do
first rt click the avast ball and Update>programs
then
rt click again and schedule a boot time scan
reboot
do NOT delete; send any hits to the Chest as suggested

then download, install, update and run MalwareBytes Anti-Malware free; bypass the nag-to-buy screen
with this one you Check all baddies
then
click
REMOVE CHECKED; a backup will be made
post the logs

while at the MalwareBytes site run their Free Rogue Remover
post if it finds anything

As a double check you can run SuperAntiSpyware, another handy tool to have around
set it to check everything
quarantine any hits and post the log
nuke cookies

after we see the logs we’ll go from there

rt click again and schedule a boot time scan reboot

You can’t do this, it isn’t an option in the avast icon right click menu.

If you have XP, Vista 32-bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus; a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

Disable the link in your first post by changing it from http to hxxp so no one can end up with a javascript infection.

Prevx classifies AutoJob.exe as safe.

euladlg.dll is classified as Trojan.FakeAlert by Sunbelt

I suggest:

SuperAntiSpyware Free
Spybot - Search & Destroy
SpywareTerminator
MalwareByte’s AntiMalware

I had to run out but have taken a look at your first post as has Jtaylor83

First, a big thanks to DavidR for cleaning up the thread and giving details on the boot time scan
I see now that you do know how to move items to the chest
and that you have run a boot time scan

that “most recent” avast log- did you send those items to the chest?
were you unable to send any of them?

we need to get the fire out
the programs mentioned by JTaylor83 are the ones to use
and I suggested two of them to try and get the fire out
then we can clean up or dig deeper as will be indicated

make a note for later
Spybot updates Wednesday so make a note to install (with SD-Helper; do not install TeaTimer), update, immunize and scan- quarantine any hits - tomorrow
Spyware Terminator is best used for prevention- ask us about it after we’re all done

do not do this now
get the scans done
but we will want to go to virus total and upload some of those files you found
perhaps DavidR might suggest which ones and give his upload routine when appropriate

AFTER running the scans and quarantining what was found
go to the top of this forum and read the sticky involving Hijack this
post a hijack this log
DO NOT FIX ANYTHING- just scan and post or attach if long

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Thanks for the fast replies! I could not answer earlier - and the scan is still running…

I performed the boot time scan with Avast (no success; after starting Windows the problems persisted, including the fake alert desktop), now I’m scanning the system with the second anti-spyware program. It takes hours, so I guess I’ll post the results tomorrow, but I can already say that these programs detected many more infected files, memory processes, registry keys and values… Awww! Do they multiply? I feel that the complete Windows re-installation will be necessary (as I said, maybe I’ll do it anyway in the hope of solving the other 2 problems I mentioned).

As for your advice, DavidR: OK, after creating the folder “Suspect” (and excluding it through Avast)… how can I export there (copy/paste? or cut/paste?) the infected files from the chest? I mean: where is this chest?

Please ID which program you are using; the second one is pretty ambiguous :)
My second one or JTaylor’s 2nd one
If one of them hangs up let us know

to “upload” to virus total-
go online to virustotal then use the search/upload feature in the box in the center of the screen to navigate to your new folder
post a link(s) to the result (s)

ps I do not see anything so far which would require that you nuke your whole system

I will post a summary (with the logs) soon, maybe still tonight.
The 1st scan was Malwarebytes AntiMalware and now I’m still scanning with SuperAntispyware. Then Hijackthis.

BTW (re your first post), I have the automatic updates set in Avast, so it’s updated every day.

I’ll check the files with Virus Total later… But if there are a few dozen files…? Can’t I use some bulk uploader or something like this?

Besides, when should I nuke the cookies? Before or after using Hijackthis? I did it already earlier today, but in the first log from Malwarebytes there were some infected ones again.

You haven’t mentioned disabling System Restore (I read about it in some other post)… wasn’t it necessary in this case?

Before I post the logs, something urgent.
After rebooting the PC, the strange warning disappeared from my desktop (I guess SuperAntispyware did a good job). However, immediately after Windows started, a pop-up window appeared, and it looks highly suspicious; I’m sure this is one of these viruses.

It’s claiming to be “Antivirus XP 2008 licence agreement”, and I’m sure I saw it yesterday. There is no x to close it, only below the licence text a button “Agree and install”.
Above it, it’s written: “On clicking ‘Agree and install’ you agree with the terms of service listed below. In case you disagree with the terms you can click here to cancel the installation. However we strongly recomend to finish the installation to keep your computer secure and protected”.

I think quite the opposite… Wherever I’d click, it would install this crap (I’m sure the fake warning on my wallpaper was the effect of this, because yesterday I wanted to close this window). So I don’t even touch it for now and go on with Hijackthis.

If I don’t get a reply about what to do with this thing now, I’ll just shut down the computer without messing up with the suspected window.

Or should I end this task (“Antivirus XP 2008 licence agreement”) from Windows Task Manager???

Yes, if Task Manager gets it

Yes, it’s one of the baddies; do not click on anything
see if it is in add/delete or has an uninstall in Start>programs-- lots of luck
can you get it with Ctrl Alt Del
Did you have Super kill things and send them to quarantine?

you can try Dr.Web CureIt online scan
we have not run the boot time Avast or an online AV scan so you might go for BitDefender (just watch for False Positives with all of these)

let’s see the log

Good on ya

BTW my first post- I want to double check that the Program update is current: 4.8.1229
new version of MBAM out: 1.27

Super found a baddie in another post yesterday that had been scanned by several other programs
a relatively new detection- That’s why we use several

use DavidR’s instructions for the boot time scan; my OS does not support it and he is much more knowledgeable on Avast than I am
I do not know of any way to bulk upload- perhaps DavidR does or could select which ones might be of interest- let’s see the logs

Infected cookies or tracking cookies? They just get in the way; nuke as needed
Super should allow you to nuke the cookies- and please do not post a big log of deleted cookies

I do not recommend disabling system restore
true some of the malware scanners and AV scans find bad stuff there
and if so just ignore the hits
ditto when bad stuff is found in another malware fighting app’s quarantine file or the Avast Chest
some people get real excited- MALWARE FOUND
Chill
when we get clean we will want to do a clean up with CCleaner or similar, defrag and set a new restore point- at that point we can disable and re-enable
cheers

post up that HJT and any logs and I’ll stick around and look at them

Thanks for your detailed answer, Wyrmrider!
OK, the summary now (in 3 following posts)…
I ran a boot time scan again (a few hours ago now), as already mentioned in one of my previous posts (and had chosen the option to automatically move all malware files to the chest). But, like before, when Windows was started, the strange warning stuck on my desktop (should I post/send a screenshot?) was still there, and immediately Avast detected:

  1. Adware: Win32:Adware-gen [Adw]
  2. Virus: VBS:Malware-gen
  3. Virus: Win32:Trojan-gen {Other}

I moved them all to chest, like the last time (to answer your question, Wyrmrider).

Here’s the Avast log from the last actions:

09/09/2008 22:41:16 Jowita 336 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\DOCUME~1\Jowita\LOCALS~1\Temp\nse3.tmp\euladlg.dll” file.
09/09/2008 22:49:39 Jowita 336 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Jowita\Local Settings\Temp.ttF.tmp.vbs” file.
09/09/2008 22:50:28 Jowita 336 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphc3v1j0el5v.scr” file.

I noticed that the name of this VBS Malware-gen changes (first it was ttD0.tmp.vbs, tt4.tmp.vbs, tt5.tmp.vbs, tt7.tmp.vbs, ttB.tmp.vbs and now ttF.tmp.vbs)…
This way or another, Avast hasn’t helped to get rid of this. :frowning:

Then, like Wyrmrider suggested, I downloaded, updated and ran Malwarebytes AntiMalware.
Here’s the log (I was shocked seeing that this trojan was found in so many files… and one .doc file??? I think I should have scanned also another partition and the external disc… ):

Malwarebytes’ Anti-Malware 1.27
Database version: 1133
Windows 5.1.2600 Service Pack 2

10/09/2008 00:58:23
mbam-log-2008-09-10 (00-58-13).txt

Scan type: Full Scan (C:|)
Objects scanned: 115266
Time elapsed: 1 hour(s), 33 minute(s), 40 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 29

Memory Processes Infected:
C:\WINDOWS\system32\lphc3v1j0el5v.exe (Trojan.FakeAlert) → No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) → No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) → No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc3v1j0el5v (Trojan.FakeAlert) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhc7v1j0el5v (Trojan.FakeAlert) → No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) → No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) → No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) → No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) → No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jowita\Local Settings\Temp.ttD4.tmp (Rogue.Installer) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttD4.tmp.exe (Rogue.Installer) → No action taken.
C:\WINDOWS\system32\casino1.ico (Malware.Trace) → No action taken.
C:\WINDOWS\system32\casino2.ico (Malware.Trace) → No action taken.
C:\WINDOWS\system32\casino3.ico (Malware.Trace) → No action taken.
C:\WINDOWS\system32\tdsspopup.dll (Malware.Trace) → No action taken.
C:\WINDOWS\system32\tdsspopup1.url (Malware.Trace) → No action taken.
C:\WINDOWS\system32\tdsspopup2.url (Malware.Trace) → No action taken.
C:\WINDOWS\system32\tdsspopup3.url (Malware.Trace) → No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\lphc3v1j0el5v.exe (Trojan.FakeAlert) → No action taken.
C:\WINDOWS\system32\phc3v1j0el5v.bmp (Trojan.FakeAlert) → No action taken.
C:\Documents and Settings\Jowita\Desktop\Jowita Kaminska - Peruzzi.doc (Trojan.Extension.Exploit) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt15.tmp (Trojan.Agent) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt4.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt5.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt6.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt7.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt8.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt9.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttA.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttB.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttC.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttD.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttE.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttF.tmp (Trojan.Downloader) → No action taken.

And the log from SuperAntiSpyware - minus the deleted cookies (this time I didn’t forget to quarantine the files!):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/10/2008 at 03:41 AM

Application Version : 4.21.1004

Core Rules Database Version : 3560
Trace Rules Database Version: 1549

Scan type : Complete Scan
Total Scan Time : 02:24:53

Memory items scanned : 479
Memory threats detected : 2
Registry items scanned : 3951
Registry threats detected : 5
File items scanned : 19460
File threats detected : 70

Rogue.Dropper/Gen
C:\WINDOWS\SYSTEM32\LPHC3V1J0EL5V.EXE
C:\WINDOWS\SYSTEM32\LPHC3V1J0EL5V.EXE
[lphc3v1j0el5v] C:\WINDOWS\SYSTEM32\LPHC3V1J0EL5V.EXE

Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\Prefetch\SVCHOST.EXE-0EB47E31.pf

Adware.Tracking Cookie
C:\Documents and Settings\Jowita\Cookies\jowita@ice.112.2o7[1].txt
C:\Documents and Settings\Jowita\Cookies\jowita@mediaplex[1].txt
C:\Documents and Settings\Jowita\Cookies\jowita@doubleclick[2].txt
C:\Documents and Settings\Jowita\Cookies\jowita@apmebf[1].txt
C:\Documents and Settings\Jowita\Cookies\jowita@4stats[2].txt
C:\Documents and Settings\Jowita\Cookies\jowita@ads.pointroll[1].txt
C:\Documents and Settings\Jowita\Cookies\jowita@mediaservices.myspace[1].txt
C:\Documents and Settings\Jowita\Cookies\jowita@ad.yieldmanager[1].txt
C:\Documents and Settings\Jowita\Cookies\jowita@revsci[2].txt
C:\Documents and Settings\Jowita\Cookies\jowita@statcounter[2].txt
C:\Documents and Settings\Jowita\Cookies\jowita@bluestreak[2].txt
C:\Documents and Settings\Jowita\Cookies\jowita@richmedia.yahoo[2].txt
mediaservices.myspace.com [ C:\Documents and Settings\Jowita\Application Data\Mozilla\Firefox\Profiles\3apxqufa.default\cookies.txt ]
eas.apm.emediate.eu [ C:\Documents and Settings\Jowita\Application

(… many cookies from Firefox here…)

Trojan.FakeAlert/Desktop
HKU\S-1-5-21-1229272821-1454471165-725345543-1004\CONTROL PANEL\DESKTOP#WALLPAPER
HKU\S-1-5-21-1229272821-1454471165-725345543-1004\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER
HKU\S-1-5-21-1229272821-1454471165-725345543-1004\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER

Rogue.AntiVirus 2008
C:\WINDOWS\SYSTEM32\PHC3V1J0EL5V.BMP

Now I see that the evil cookies are from Firefox, not from IE!
I had to reboot then (and deleted them from Firefox too).
Then this “Antivirus XP 2008 license agreement” window appeared…
I wanted to terminate it with the Task Manager (Ctrl Alt Del), but it didn’t quite work… Finally, after clicking again on “End now”, it disappeared, but Avast detected another malware!

10/09/2008 04:42:47 SYSTEM 1700 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\DOCUME~1\Jowita\LOCALS~1\Temp\nsv3.tmp\euladlg.dll” file.

Finally the Hijackthis log (part 1):

Logfile of HijackThis v1.99.1
Scan saved at 04:54:06, on 10/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\WinShrink\AutoJob.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f324.mail.yahoo.com/ym/ShowFolder?rb=Inbox&reset=1&YY=75361&y5beta=yes&y5beta=yes&inc=25&order=down&sort=date&pos=-1&view=a&head=b&box=%40B%40Bulk&YN=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM..\Run: [OpwareSE2] “C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe”
O4 - HKLM..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM..\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Acrobat Assistant 7.0] “C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe”
O4 - HKLM..\Run: [WinShrink] C:\Program Files\WinShrink\AutoJob.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM..\Run: [inrhc7v1j0el5v] C:\Documents and Settings\Jowita\Local Settings\Temp.ttD4.tmp.exe /CR=E378D6B80573F693830D714814CC3DF879014EACA4D2E8B35AF5A165F918A5C046925CE4A0B1C6C440E04BEAE850806298C869E27952D0D2485F83E16760C56FAF5EF1FF71258C82CEECBF5069391FCA20
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU..\Run: [IECheck] C:\WINDOWS\IECheck.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
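The O4 section of the log above is where the infection shows itself: Run entries with generated names (inrhc7v1j0el5v, lphc3v1j0el5v), a payload launched from the profile Temp folder, and a "svchost.exe" sitting in system32\drivers instead of system32. The following is an added example, not part of the original post or of HijackThis: a Python triage of O4 lines that applies exactly those three heuristics. The sample lines are constructed from the log's shape (user name replaced), and the list of core Windows binaries and the randomness threshold are assumptions of the example.

```python
import re

# HijackThis O4 line (both the real "HKLM\..\Run" form and the "HKLM..\Run" form
# that forum software produces after eating a backslash are accepted):
#   O4 - HKLM\..\Run: [name] "C:\path\prog.exe" args
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\?\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$')
# First executable on the command line, quoted or not, with or without arguments.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|scr|com|bat|cmd|vbs|pif|dll))"?(?:\s|$)', re.I)
# Names of Windows core processes; legitimate copies live in system32 and are not
# started from a Run key at all (assumed list, not taken from the page).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}

def extract_path(cmd):
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None

def looks_random(name):
    """Heuristic for generated names such as lphc3v1j0el5v: long, digits mixed
    into the letters, and almost no vowels. Threshold chosen by hand."""
    s = name.lower()
    letters = [c for c in s if c.isalpha()]
    if len(s) < 10 or not letters or not any(c.isdigit() for c in s):
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25

def in_temp(path):
    p = path.lower()
    return "\\temp\\" in p or "%temp%" in p

def system_binary_outside_system32(path):
    """True when a core-process name runs from anywhere but <windir>\\system32."""
    p = path.lower().replace("/", "\\")
    directory, _, base = p.rpartition("\\")
    if base not in SYSTEM_BINARIES:
        return False
    return not re.search(r"(^|\\)(windows|winnt)\\system32$|^%(systemroot|windir)%\\system32$", directory)

def triage_o4(lines):
    """Return one finding per O4 line with the reasons it deserves a closer look."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        path = extract_path(cmd)
        base = path.rpartition("\\")[2].rsplit(".", 1)[0] if path else ""
        reasons = []
        if looks_random(name) or looks_random(base):
            reasons.append("random-name")
        if path and in_temp(path):
            reasons.append("temp-location")
        if path and system_binary_outside_system32(path):
            reasons.append("system-binary-outside-system32")
        findings.append({"hive": m.group("hive"), "name": name, "path": path, "reasons": reasons})
    return findings

def suspicious(findings):
    return [f for f in findings if f["reasons"]]

# Constructed sample in the shape of the log above (user name replaced, hex argument shortened).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [inrhc7v1j0el5v] C:\Documents and Settings\User\Local Settings\Temp\ttD4.tmp.exe /CR=0011AABB
O4 - HKLM\..\Run: [lphc3v1j0el5v] C:\WINDOWS\system32\lphc3v1j0el5v.exe
O4 - HKCU\..\Run: [svchost.exe] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
"""

if __name__ == "__main__":
    for f in suspicious(triage_o4(SAMPLE_HJT.splitlines())):
        print(f"{f['hive']} [{f['name']}] {f['path']}: {', '.join(f['reasons'])}")
```

A hit from these heuristics is a reason to submit the file to a multi-engine scanner, as the thread suggests, not a verdict by itself.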

Hijackthis log - continued:

O18 - Protocol: bw+0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Hijackthis log - the last part:

O18 - Protocol: bwh0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Sorry about the extremely long Hijackthis log, but I didn’t know what to delete from it, so I preferred to split it into 3 parts.
OK, it’s time to go to sleep now - I’ll check the forum tomorrow.
Big thanks for the help!
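A log of this length is easier to work through when it is parsed rather than read line by line. The script below is an added example written for this thread; it is not part of the post above and not HijackThis's own code. It parses HJT `Oxx - ...` lines into records, skips the "continued:" markers the log was split with, collapses the long run of O18 protocol-handler lines to one row per CLSID and DLL, and applies a few triage heuristics that are my own assumptions, not HJT's: "(file missing)" marks an orphaned entry, O20 Winlogon Notify DLLs deserve a publisher check because winlogon.exe loads them at logon, and O23 services reported as "Unknown owner" carry no company name. The sample input is constructed from a handful of lines copied from the log above.

```python
"""Parse HijackThis (HJT) log lines into records and triage them.

Heuristics used here are assumptions for the example, not HJT's own rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines copied from the log above, plus one of the
# "continued:" markers the poster inserted between parts (must be skipped).
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: bw+0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
Hijackthis log - continued:
O18 - Protocol: bw+0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str          # e.g. "O23"
    detail: str           # everything after "Oxx - "
    path: str             # last " - " field, stripped of stray quotes/arguments
    clsid: Optional[str]
    file_missing: bool
    unknown_owner: bool


def parse_log(text: str) -> List[Entry]:
    """Turn HJT lines into Entry records; non-matching lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # blank lines and the poster's "continued:" prose
        section, detail = m.group("section"), m.group("detail")
        missing = detail.endswith(MISSING)
        body = detail[: -len(MISSING)].strip() if missing else detail
        # HJT prints service ImagePaths with their arguments and sometimes a
        # stray closing quote ('...\ashMaiSv.exe" /service'); keep only the path.
        path = body.rsplit(" - ", 1)[-1].split('"')[0].strip()
        cm = CLSID.search(body)
        entries.append(Entry(section, detail, path, cm.group(0) if cm else None,
                             missing, "Unknown owner" in body))
    return entries


def protocol_handlers(entries: List[Entry]) -> Dict[Tuple[str, str], List[str]]:
    """Collapse O18 lines to {(CLSID, dll): [scheme names]}."""
    handlers: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        if e.section != "O18" or not e.detail.startswith("Protocol: "):
            continue
        scheme = e.detail[len("Protocol: "):].split(" - ", 1)[0]
        handlers.setdefault((e.clsid or "", e.path.lower()), []).append(scheme)
    return handlers


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, path) tuples worth a human look."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append((e.section, "FILE_MISSING", e.path))
        if e.section == "O20":
            findings.append((e.section, "WINLOGON_NOTIFY", e.path))
        if e.section == "O23" and e.unknown_owner:
            findings.append((e.section, "UNKNOWN_OWNER", e.path))
    for (_clsid, dll), schemes in protocol_handlers(entries).items():
        findings.append(("O18", f"PROTOCOL_HANDLER x{len(schemes)}", dll))
    return findings


if __name__ == "__main__":
    for section, reason, path in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {reason:22} {path}")
```

Run it against a full log (read the file instead of `SAMPLE_LOG`) and the eighty-odd `bw*` protocol lines above become a single row showing one DLL registered under many scheme names, which is what a reviewer actually needs to judge. A "(file missing)" hit is a dead pointer to clean up, not by itself evidence of infection; the flagged O20 and "Unknown owner" O23 entries are the ones to check the publisher and on-disk file for.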