Virus issues, please help!!

So I recently found myself buried under what appears to be a good deal of viruses and/or trojans. I immediately started scanning, of course. Ran a quick scan, only got one thing, then decided it would be best to do a thorough scan. Well, I’ve made it up to 29000 files scanned and found 6 things, but I’m worried now… It says that the current scanner status is infected and it’s scanning slower than 1 file per second… Does this mean my scanner itself is infected? And if so, what should I do about that and whatever else may be on my computer? Someone please help quickly!

Edit: Okay, so it picked up QUITE a bit of speed, it’s going much faster now. Thing is though, I still get these fake system messages that tell me to install programs that I’m 100% sure are fake programs used to propagate the trojan/viruses, and my scan is nearly done… I’m worried that the scan itself may not be removing the problem… Any suggestions on what to do in this case?

Welcome to the forum.

Can you give an example of what files are being detected? What is the full path and what is it being detected as?

What are the names of the programs you are being asked to install? You probably are right in them being bogus.

The slow down may have been due to a compressed archive.

Your OS and other security programs would also be helpful. Move anything found to the chest.

No. Just the status of the scanning: an infected file was detected.

Hey… we’re here quickly 8)

Which ones? Do you use RogueRemover (www.malwarebytes.com) to see what’s wrong?

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you’re still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG or Panda.

  6. Also, if you’re still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Kay, so I ran it over night. Two files were found to be infected and moved to the chest: a file in my temp folder and what appears to be my temp folder itself. Within these two files were 4 instances of the trojan Win32:Winfixer-F(trj) and 2 instances of the virus PS/MPC-gen5. These files have been moved to my chest, but I’m still being spammed with fake system warnings telling me to download things like WinSpyControl (asks you to purchase the product, but I’m not stupid, I’m not putting a dime into anything via computer right now) or other weird things of the like. So either moving them to the chest didn’t delete the files (I’m new to using avast! so I have no clue how it actually works, haha), or there are more files that I need to get rid of and avast! can’t get them for me (I ran a thorough scan of all files, including archived). I guess when I get home from school and work I’ll try one of the above-mentioned sites and see what I can do about it. I appreciate this and any future help!

Edit: Forgot to mention, I’m just running XP Home Edition

Follow the other general cleaning procedures, especially steps 4, 5 and 6.

Reinfection was not due only to files, but there are a lot of ways to do so.

Do #4 in Tech’s post with at least the first 2 programs. That will at least clean up some of the garbage somewhat. You can post the results minus the tracking cookies.

For HijackThis, follow the steps below. When posting that log you will probably have to split it into a couple of posts.

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Thanks for all the advice. Right now I’m running the CleanUp program back home to clean up my temp folder, since that’s where the problem originated, so when I get home I’m going to check to see how that’s working out. If I still have the problem, I’ll download HJTsetup.exe and make a log file as I was told. In all honesty, this is the first virus I’ve ever had to deal with, since I’m usually a fanatic about keeping my computer up and running efficiently, so I’m really new to all this and appreciate all the help, haha ;D

You’re welcome. Take things one step at a time, keep track of what you do, and have a little patience. :smiley:

Haha, patience doesn’t sit well with me, I get out of school in an hour and then have to work for 3 and a half more hours, then a one hour drive home to see if everything went well, hahaha. But yeah, I’m hoping that everything I’ve done so far will be enough and I’m hoping even more that I’m not going to be flooded by spam when I get back (I ran my virus scan over night last night and came back in the morning to about… 30+ fake system messages, as well as some less-than-appropriate ads), haha

EDIT: SO I did as advised and got a HijackThis log. I can’t make ANY sense of it, but I guess that’s what I have you guys for, haha! So yeah, here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:48 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe
C:\Program Files\Common Files\WinSpyControl\bm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\WinSpyControl\Tools\pg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {CFE15135-C591-4000-A55E-A50E5F9F82BC} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\WinSpyControl\Tools\IEFWBHO.dll
O3 - Toolbar: IE Custom Tools - {23ED2206-856D-461A-BBCF-1C2466AC5AE3} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM..\Run: [ugcw] “C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe” -start
O4 - HKLM..\Run: [Salestart] “C:\Program Files\Common Files\WinSpyControl\bm.exe” dm=http://winspycontrol.com; ad=http://winspycontrol.com
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [BitTorrent] “C:\Program Files\Bit Torrent\bittorrent.exe” --force_start_minimized
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAuto/commonActiveX/smsx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{AF9C7035-23C9-493D-9478-395607421D70}: NameServer = 68.87.69.146,68.87.85.98
O22 - SharedTaskScheduler: benzaldoxime - {a6d478c6-7961-4fe9-be4b-e621dd640112} - C:\WINDOWS\system32\nczupfw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


End of file - 8385 bytes

I’m really sorry for the double-post (don’t know what the rules are on it), but I forgot to mention in the above edit that there still is something on my computer after having cleared out my temp folder. I still have a “security warning” in the bottom right that tries to get me to buy “virus protection”, something along the lines of a product called AntiVirGear. Pretty sure it’s a bogus ad trying to get me to give out personal info. So yeah, someone look at my log file above and help me out more? Haha

Did you download and update super antispyware?

If not, do so now. If you did, then proceed.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantine.

leave the others unchecked.

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.
Under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked.

Post that log, Start superantispyware, the log will be under Preferences, Statistics/Logs tab in the scanner logs.

Edit: and another HJT log.

VICTORY!!! Here’s the log, I think it’s finally gone now!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/18/2007 at 10:00 PM

Application Version : 3.9.1008

Core Rules Database Version : 3327
Trace Rules Database Version: 1328

Scan type : Complete Scan
Total Scan Time : 00:52:49

Memory items scanned : 568
Memory threats detected : 2
Registry items scanned : 5514
Registry threats detected : 96
File items scanned : 33670
File threats detected : 27

Trojan.Smitfraud Variant
C:\WINDOWS\SYSTEM32\NCZUPFW.DLL
C:\WINDOWS\SYSTEM32\NCZUPFW.DLL
HKLM\Software\Classes\CLSID{a6d478c6-7961-4fe9-be4b-e621dd640112}
HKCR\CLSID{A6D478C6-7961-4FE9-BE4B-E621DD640112}
HKCR\CLSID{A6D478C6-7961-4FE9-BE4B-E621DD640112}\InProcServer32
HKCR\CLSID{A6D478C6-7961-4FE9-BE4B-E621DD640112}\InProcServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{a6d478c6-7961-4fe9-be4b-e621dd640112}

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\PROGRA~1\COMMON~1\WINSPY~1\UGCW.EXE
C:\PROGRA~1\COMMON~1\WINSPY~1\UGCW.EXE
HKLM\Software\Classes\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}
HKCR\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}
HKCR\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}
HKCR\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}#AppID
HKCR\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\InprocServer32
HKCR\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\InprocServer32#ThreadingModel
HKCR\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\ProgID
HKCR\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\Programmable
HKCR\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\TypeLib
HKCR\CLSID{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\VersionIndependentProgID
C:\PROGRAM FILES\WINSPYCONTROL\TOOLS\PG.DLL
HKLM\Software\Classes\CLSID{FAAD2038-C371-473d-86F1-5B11D39C3775}
HKCR\CLSID{FAAD2038-C371-473D-86F1-5B11D39C3775}
HKCR\CLSID{FAAD2038-C371-473D-86F1-5B11D39C3775}
HKCR\CLSID{FAAD2038-C371-473D-86F1-5B11D39C3775}#AppID
HKCR\CLSID{FAAD2038-C371-473D-86F1-5B11D39C3775}\InprocServer32
HKCR\CLSID{FAAD2038-C371-473D-86F1-5B11D39C3775}\InprocServer32#ThreadingModel
HKCR\CLSID{FAAD2038-C371-473D-86F1-5B11D39C3775}\ProgID
HKCR\CLSID{FAAD2038-C371-473D-86F1-5B11D39C3775}\Programmable
HKCR\CLSID{FAAD2038-C371-473D-86F1-5B11D39C3775}\TypeLib
HKCR\CLSID{FAAD2038-C371-473D-86F1-5B11D39C3775}\VersionIndependentProgID
C:\PROGRAM FILES\WINSPYCONTROL\TOOLS\IEFWBHO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{7A7F202E-AF91-4889-9DD5-2FE241085CC1}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{FAAD2038-C371-473D-86F1-5B11D39C3775}
HKLM\System\ControlSet001\Services\fmtr
C:\WINDOWS\SYSTEM32\DRIVERS\FMTR.SYS
HKLM\System\CurrentControlSet\Services\fmtr
HKCR\AVIEBHO.IEFW
HKCR\AVIEBHO.IEFW\CLSID
HKCR\AVIEBHO.IEFW\CurVer
HKCR\AVIEBHO.IEFW.2
HKCR\AVIEBHO.IEFW.2\CLSID
HKCR\GPBlocker.IEPBlocker
HKCR\GPBlocker.IEPBlocker\CLSID
HKCR\GPBlocker.IEPBlocker\CurVer
HKCR\GPBlocker.IEPBlocker.1
HKCR\GPBlocker.IEPBlocker.1\CLSID
HKCR\TypeLib{314F88D6-80CE-408A-9E8F-B2389B81E8B8}
HKCR\TypeLib{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0
HKCR\TypeLib{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0\0
HKCR\TypeLib{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0\0\win32
HKCR\TypeLib{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0\FLAGS
HKCR\TypeLib{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0\HELPDIR
HKCR\TypeLib{D731A77D-A816-4730-96D2-14A5F9917255}
HKCR\TypeLib{D731A77D-A816-4730-96D2-14A5F9917255}\1.0
HKCR\TypeLib{D731A77D-A816-4730-96D2-14A5F9917255}\1.0\0
HKCR\TypeLib{D731A77D-A816-4730-96D2-14A5F9917255}\1.0\0\win32
HKCR\TypeLib{D731A77D-A816-4730-96D2-14A5F9917255}\1.0\FLAGS
HKCR\TypeLib{D731A77D-A816-4730-96D2-14A5F9917255}\1.0\HELPDIR
HKCR\AppId{314F88D6-80CE-408a-9E8F-B2389B81E8B8}
HKLM\Software\uga6pcw
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: Setup Version
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: App Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: Icon Group
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: User
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: Selected Tasks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: Deselected Tasks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#QuietUninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#InstallPath
C:\DOCUMENTS AND SETTINGS\SION\APPLICATION DATA\INSTALL_EN[1].EXE
C:\PROGRAM FILES\COMMON FILES\WINSPYCONTROL\UGCW.EXE
C:\PROGRAM FILES\WINSPYCONTROL\FMTR.SYS
C:\PROGRAM FILES\WINSPYCONTROL\FOPNL.DLL
C:\PROGRAM FILES\WINSPYCONTROL\RESTART.EXE
C:\PROGRAM FILES\WINSPYCONTROL\RTASKS.EXE
C:\WINDOWS\Prefetch\UGCW.EXE-242A0E56.pf

Trojan.Media-Codec/V4
HKLM\Software\Classes\CLSID{23ED2206-856D-461A-BBCF-1C2466AC5AE3}
HKCR\CLSID{23ED2206-856D-461A-BBCF-1C2466AC5AE3}
HKCR\CLSID{23ED2206-856D-461A-BBCF-1C2466AC5AE3}
HKCR\CLSID{23ED2206-856D-461A-BBCF-1C2466AC5AE3}\Implemented Categories
HKCR\CLSID{23ED2206-856D-461A-BBCF-1C2466AC5AE3}\Implemented Categories{00021493-0000-0000-C000-000000000046}
HKCR\CLSID{23ED2206-856D-461A-BBCF-1C2466AC5AE3}\InprocServer32
HKCR\CLSID{23ED2206-856D-461A-BBCF-1C2466AC5AE3}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ADD-ON\ICTMDL.DLL
HKLM\Software\Classes\CLSID{CFE15135-C591-4000-A55E-A50E5F9F82BC}
HKCR\CLSID{CFE15135-C591-4000-A55E-A50E5F9F82BC}
HKCR\CLSID{CFE15135-C591-4000-A55E-A50E5F9F82BC}#xxx
HKCR\CLSID{CFE15135-C591-4000-A55E-A50E5F9F82BC}\InprocServer32
HKCR\CLSID{CFE15135-C591-4000-A55E-A50E5F9F82BC}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ADD-ON\ISFMDL.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{CFE15135-C591-4000-A55E-A50E5F9F82BC}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{23ED2206-856D-461A-BBCF-1C2466AC5AE3}
HKU\S-1-5-21-3056869707-3982748799-3199561885-1006\Software\Online Add-on
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#UninstallString
C:\PROGRAM FILES\VIDEO ADD-ON\ICMNTR.EXE
C:\PROGRAM FILES\VIDEO ADD-ON\ICTHIS.EXE
C:\PROGRAM FILES\VIDEO ADD-ON\ICTUN.EXE
C:\PROGRAM FILES\VIDEO ADD-ON\ICUN.EXE
C:\PROGRAM FILES\VIDEO ADD-ON\ISFMM.EXE
C:\PROGRAM FILES\VIDEO ADD-ON\ISFMNTR.EXE
C:\PROGRAM FILES\VIDEO ADD-ON\ISFUN.EXE
C:\PROGRAM FILES\VIDEO ADD-ON\UNINST.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Sion\Cookies\sion@atdmt[1].txt
C:\Documents and Settings\Sion\Cookies\sion@www.antivirgear[2].txt

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Trojan.Media-Codec
HKCR\VideoAXObject.Chl
HKCR\VideoAXObject.Chl\CLSID

Malware.SpyLocked
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#UninstallString

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\SION\FAVORITES\ONLINE SECURITY TEST.URL

Sorry for a second double post, but both logs didn’t fit in one message, so here’s the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:03 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\WinSpyControl\bm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM..\Run: [ugcw] “C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe” -start
O4 - HKLM..\Run: [Salestart] “C:\Program Files\Common Files\WinSpyControl\bm.exe” dm=http://winspycontrol.com; ad=http://winspycontrol.com
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [BitTorrent] “C:\Program Files\Bit Torrent\bittorrent.exe” --force_start_minimized
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAuto/commonActiveX/smsx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{AF9C7035-23C9-493D-9478-395607421D70}: NameServer = 68.87.69.146,68.87.85.98
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


End of file - 7990 bytes

Hi InazumaRaijin:

The HijackThis log shows you have the troublesome "Viewpoint" program; it would be wise to go to the "Add or Remove Programs" section of your computer and "uninstall" or "remove" the "Viewpoint" program.

Well. I think some of it’s gone. SAS did catch a lot of the executables, but some of it still shows up in your last hjt log.

C:\Program Files\Common Files\WinSpyControl\bm.exe

along with some registry entries.

O4 - HKLM..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM..\Run: [ugcw] “C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe” -start
O4 - HKLM..\Run: [Salestart] “C:\Program Files\Common Files\WinSpyControl\bm.exe” dm=http://winspycontrol.com; ad=http://winspycontrol.com

I suspect the popup is gone now? Was that the complete SAS log? It seems that a couple of entries at the end are missing.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

I always did suspect that WinSpy Control thing, knew it had something to do with this… Anyway, something is bugging me right now. When I ran ComboFix, and also when I first ran SAS I think, my avast! caught a trojan… The one it caught when I ran ComboFix was Win32:Dadobra-EY [trj]… I’m worried about that… anyway, here’s the HJT log and the ComboFix log is attached, since together they are too many characters for one reply.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:22 AM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\WinSpyControl\bm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM..\Run: [ugcw] “C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe” -start
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [BitTorrent] “C:\Program Files\Bit Torrent\bittorrent.exe” --force_start_minimized
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAuto/commonActiveX/smsx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{AF9C7035-23C9-493D-9478-395607421D70}: NameServer = 68.87.69.146,68.87.85.98
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


End of file - 7653 bytes

What is the infected file name and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

It may have come from scans being carried out by either scanner and avast detected something that it unpacked, but the file name and location could help us determine that.

Re the HJT Log, you still have some of the winspy stuff.

C:\Program Files\Common Files\WinSpyControl\bm.exe
O4 - HKLM..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM..\Run: [ugcw] “C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe” -start

Are these files still there also, or is it just registry remnants, in which case you need to fix it?

There is also lots of Viewpoint stuff there; I think someone mentioned this was suspect. Try a forum search for Viewpoint and see what it brings.

Also fix:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Is this your ISP? The IP addresses (68.87.69.146,68.87.85.98) are for COMCAST.NET.
O17 - HKLM\System\CCS\Services\Tcpip..{AF9C7035-23C9-493D-9478-395607421D70}: NameServer = 68.87.69.146,68.87.85.98

Submit the following file to virustotal.com. Copy and paste the following path into the box and click Send file. Post the results.

C:\WINDOWS\system32\msxml3a.dll

If it is infected, move it to the chest for later submission to avast.

In the Virus Chest, switch to the user file category.
In the main menu, select File → Add.
Browse the folders and select the file you want to add.
Choose Open.

In windows explorer delete the following folders

C:\Program Files\Common Files\WinSpyControl
C:\Program Files\WinSpyControl
C:\Program Files\Video Add-on

Empty the recycle bin.

In HijackThis, click System Scan only, then put a check beside the following:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM..\Run: [ugcw] “C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe” -start
O4 - HKLM..\Run: [Salestart] “C:\Program Files\Common Files\WinSpyControl\bm.exe” dm=http://winspycontrol.com; ad=http://winspycontrol.com

The third O4 line wasn’t present in your last log, but I included it just in case it is there now.

Close all other windows, including your browser and click Fix checked. Close HJT.

Clean your temp files, use Cleanup as you did before.

Create a new restore point

You must be logged on to an administrator account.
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point.

Remove old restore points

Disk Cleanup - Launch the Disk Cleanup tool and then select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Post a new hjt log.

How are things now?
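The reply above picks three kinds of entries out of the HijackThis log by eye: registry entries that point at a file that no longer exists ("(no file)"), entries that reference the WinSpyControl folders, and the O17 NameServer line that should be checked against the ISP's DNS servers. The following script is an added example, not something posted in this thread or part of HijackThis, that applies those same three checks to log lines automatically. The sample log is a constructed subset of the lines already posted in this thread; the `SUSPECT_MARKERS` list is assumed from the helpers' diagnosis here (the `WINSPY~1` entry is the 8.3 short form of the same folder), and the trusted DNS set is something the reader supplies after confirming it with their ISP.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators assumed from this thread: every entry pointing at the WinSpyControl
# folders was flagged as unwanted. "winspy~1" is the 8.3 short name of that folder.
SUSPECT_MARKERS = ("winspycontrol", "winspy~1")

# HijackThis entries start with a section tag such as R0, O2, O4, O17, O23.
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d., ]+)$")

# Constructed sample: a subset of the log lines posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe" -start
O4 - HKLM..\Run: [Salestart] "C:\Program Files\Common Files\WinSpyControl\bm.exe" dm=http://winspycontrol.com; ad=http://winspycontrol.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip..{AF9C7035-23C9-493D-9478-395607421D70}: NameServer = 68.87.69.146,68.87.85.98
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the original log line


def parse_line(line: str):
    """Split a HijackThis entry into (section tag, payload); None for any other line."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(lines: Iterable[str], suspect_markers=SUSPECT_MARKERS,
           trusted_dns=frozenset()) -> List[Finding]:
    """Apply the three checks from the thread; one finding per flagged line."""
    findings: List[Finding] = []
    for raw in lines:
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, payload = parsed
        low = payload.lower()
        if "(no file)" in low:
            # Registry entry whose target was already removed: safe to "fix" in HJT.
            findings.append(Finding(section, "orphaned entry: target file is missing", raw.strip()))
        elif any(mark in low for mark in suspect_markers):
            # Leftover autostart/service entries of the unwanted program.
            findings.append(Finding(section, "path matches a known-unwanted program marker", raw.strip()))
        elif section == "O17":
            # Resolver settings: anything not on the confirmed ISP list needs a manual check.
            m = NAMESERVER_RE.search(payload)
            servers = [s.strip() for s in m.group(1).split(",")] if m else []
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                findings.append(Finding(section, "DNS servers not on the trusted list: " + ", ".join(unknown), raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Passing `trusted_dns={"68.87.69.146", "68.87.85.98"}` once the ISP has confirmed those addresses silences the O17 finding and leaves only the orphaned and WinSpyControl entries, which is exactly the set the reply asks to be fixed in HijackThis.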

Really quickly, I’m in the midst of deleting the folders as you said oldman (that file you had me scan came back at 0% so I believe that means it’s clean), but it says I can’t delete C:/Program Files/Common Files/WinSpyControl because it’s in use (the other two were successfully deleted though). Had a feeling it’d do this to me, how can I delete it when it’s always in use, as viruses are?