
Vundo Trojan


Original Message
Name: KiserRN1981
Date: September 6, 2007 at 01:56:30 Pacific
Subject: Vundo Trojan
OS: XP SP2
CPU/Ram: Intel P4\ 512MB RAM
Model/Manufacturer: Toshiba A-75-S229
Comment:

Hi, my PC was recently infected with the insidious Vundo trojan. I can't get rid of it; I have tried about 5 different spyware and virus removers, to no avail. I have tried to take pointers from previous posts, but have found that most of the time nothing is a substitute for expert help. I have run HijackThis, but I am not sure what to do now. If anyone can help, it would be greatly appreciated.

Thanks,




Response Number 1
Name: jabuck
Date: September 6, 2007 at 03:42:37 Pacific
Reply:

Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post the log located at C:\Vundofix.txt.

Run Vundofix again

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.

Post a new HijackThis log; the older log you have is useless.



Response Number 2
Name: KiserRN1981
Date: September 7, 2007 at 00:27:26 Pacific
Reply:

Jabuck,

The VundoFix program is not finding the Vundo on my computer. But I know it is still on here, because I still have pop-ups for IE when I only use Mozilla. And Avast and Windows Defender are still finding it at random times. What do I do now? I ran VundoFix 3 times.



Response Number 3
Name: jabuck
Date: September 7, 2007 at 03:40:26 Pacific
Reply:

Post the requested ComboFix log and the HijackThis log, please.



Response Number 4
Name: KiserRN1981
Date: September 7, 2007 at 08:28:09 Pacific
Reply:

Here is the ComboFix log:

ComboFix 07-08-30.3 - "Shane" 2007-09-07 11:03:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\gxynljuw.exe
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\phbtdgom.exe
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\tideaons.exe
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.tmp


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))


2007-09-07 10:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-06 08:00 <DIR> d-------- C:\VundoFix Backups
2007-09-04 08:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-03 05:49 6,448 --ahs---- C:\WINDOWS\system32\cbadd.bak2
2007-09-03 04:43 6,448 --ahs---- C:\WINDOWS\system32\accdd.bak1
2007-09-03 01:42 6,448 --ahs---- C:\WINDOWS\system32\prutv.bak1
2007-09-02 19:44 6,448 --ahs---- C:\WINDOWS\system32\rqtss.bak1
2007-09-02 17:17 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-02 05:33 6,448 --ahs---- C:\WINDOWS\system32\gjkmp.bak1
2007-09-02 04:32 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-09-02 04:32 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-09-02 04:31 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2007-09-02 04:31 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-09-02 04:30 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2007-09-02 04:30 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-09-02 04:30 11,136 --a--c--- C:\WINDOWS\system32\dllcache\slip.sys
2007-09-02 04:30 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-09-02 04:29 85,376 --a--c--- C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-09-02 04:29 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-09-02 04:29 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-09-02 04:29 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-09-02 04:28 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-09-02 04:28 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-09-02 04:26 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-09-02 04:26 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-09-02 04:26 372,736 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-09-02 04:26 22,016 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-09-02 04:26 211,712 -ra------ C:\WINDOWS\system32\drivers\LV561AV.SYS
2007-09-02 04:26 204,800 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-09-02 04:26 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-09-02 04:26 106,496 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-09-02 04:26 1,206,272 -ra------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2007-09-02 04:20 81,920 -r------- C:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
2007-09-02 04:16 <DIR> d-------- C:\Program Files\Common Files\FotoWire
2007-09-02 04:16 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\FotoWire
2007-09-02 04:10 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2007-09-02 04:09 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-09-02 04:07 <DIR> d-------- C:\Program Files\Logitech
2007-09-02 03:32 6,448 --ahs---- C:\WINDOWS\system32\cccdd.bak1
2007-09-01 21:39 6,448 --ahs---- C:\WINDOWS\system32\kjkmp.bak1
2007-09-01 12:31 1,912,335 --ahs---- C:\WINDOWS\system32\klnmp.bak2
2007-08-31 18:05 6,448 --ahs---- C:\WINDOWS\system32\klnmp.bak1
2007-08-31 05:29 6,448 --ahs---- C:\WINDOWS\system32\pqtss.bak1
2007-08-31 04:13 6,448 --ahs---- C:\WINDOWS\system32\llnmp.bak1
2007-08-30 20:00 6,448 --ahs---- C:\WINDOWS\system32\tvvwa.bak1
2007-08-30 18:39 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-08-30 18:37 <DIR> d-------- C:\Program Files\WinClamAVShield
2007-08-30 18:31 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\Spyware Terminator
2007-08-30 18:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-08-30 18:30 6,448 --ahs---- C:\WINDOWS\system32\rtutv.bak1
2007-08-30 18:30 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-08-30 15:12 6,448 --ahs---- C:\WINDOWS\system32\nqtwa.bak1
2007-08-30 15:10 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\Sonic
2007-08-30 04:59 6,448 --ahs---- C:\WINDOWS\system32\qqstv.bak1
2007-08-30 03:16 6,448 --ahs---- C:\WINDOWS\system32\ddeeg.bak1
2007-08-30 02:05 6,448 --ahs---- C:\WINDOWS\system32\cbadd.bak1
2007-08-29 12:32 6,448 --ahs---- C:\WINDOWS\system32\uvvwa.bak1
2007-08-29 11:23 6,448 --ahs---- C:\WINDOWS\system32\jmllm.bak1
2007-08-28 17:23 6,448 --ahs---- C:\WINDOWS\system32\nmllm.bak1
2007-08-28 08:57 6,448 --ahs---- C:\WINDOWS\system32\vvvwa.bak1
2007-08-25 17:46 <DIR> d-------- C:\Program Files\mIRC
2007-08-25 17:46 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\mIRC
2007-08-17 15:56 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-13 18:04 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\Viewpoint
2007-08-12 22:38 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\DivX
2007-08-12 22:32 <DIR> d-------- C:\Program Files\DivX
2007-08-12 21:50 <DIR> d-------- C:\Program Files\Shareaza
2007-08-12 21:50 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\Shareaza
2007-08-08 21:17 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\acccore
2007-08-08 21:15 <DIR> d-------- C:\Program Files\AOD
2007-08-08 21:14 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-08-08 21:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-08 13:04 1,290 --a------ C:\WINDOWS\mozver.dat
2007-08-07 21:56 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\Apple Computer
2007-08-07 21:54 <DIR> d-------- C:\Program Files\iTunes
2007-08-07 21:54 <DIR> d-------- C:\Program Files\iPod
2007-08-07 21:51 <DIR> d-------- C:\Program Files\QuickTime
2007-08-07 21:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-07 21:48 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-07 21:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-07 21:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-07 21:41 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-07 21:39 <DIR> d-------- C:\Program Files\iDump
2007-08-07 13:09 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-08-07 13:09 <DIR> d-------- C:\DOCUME~1\Shane\APPLIC~1\Thunderbird
2007-08-07 12:10 <DIR> d-------- C:\DOCUME~1\Shane\Contacts
2007-08-07 12:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-07 12:09 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-07 12:00 <DIR> d-------- C:\Program Files\MSXML 6.0


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-02 0rogram Files\InstallShield Installation Information
2007-08-13 1OCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-08-08 2rogram Files\Common Files\AOL
2007-08-08 2OCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-06 1rogram Files\MSBuild
2007-08-06 1rogram Files\Reference Assemblies
2007-08-06 1rogram Files\Windows Media Connect 2
2007-08-06 1rogram Files\Pure Networks
2007-08-06 1rogram Files\Motive
2007-08-06 1rogram Files\Common Files\Motive
2007-08-06 1rogram Files\Common Files\Verizon Online
2007-08-06 1OCUME~1\ALLUSE~1\APPLIC~1\Motive
2007-08-06 1rogram Files\Symantec
2007-08-06 1OCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-06 1rogram Files\Quicken
2007-08-06 1OCUME~1\Shane\APPLIC~1\AOL
2007-08-06 1rogram Files\Windows Defender
2007-08-06 1rogram Files\Alwil Software
2007-08-06 1rogram Files\VZBB Toolbar
2007-08-06 1rogram Files\Napster
2007-08-06 1OCUME~1\ALLUSE~1\APPLIC~1\Napster
2007-08-06 1rogram Files\Sonic
2007-08-06 1rogram Files\Verizon Online
2007-08-03 0rogram Files\ArcSoft
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 18:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 18:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 18:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 18:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 17:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 17:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 17:57 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-25 23:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 22:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 22:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 22:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 22:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 22:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 22:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 22:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 22:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 22:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 22:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 22:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 22:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8208698-F35F-4734-9C97-FB9A5DD8E13C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-06-14 08:00]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 21:14]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-14 23:17]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-22 00:10]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 18:43]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 18:00 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 19:46]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [2004-05-14 13:29]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 17:47]
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 19:37]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 15:04]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 04:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"HostManager"="C:\Program Files\Common Files\AOL\1186622076\ee\AOLSoftware.exe" [2006-04-20 13:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-08-31 04:18]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-10-08 12:31]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-10-08 12:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 13:10]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-10-08 12:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-09-02 04:20]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddcyx

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcEPECioctl;SrvcEPECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
S3 DetectAC2000;DetectAC2000;\??\C:\WINDOWS\system32\FinePointLib\DetectAC2000.sys


Contents of the 'Scheduled Tasks' folder
2007-09-03 11:24:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-09-07 15:21:18 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-07 11:18:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-07 11:23:45 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-07 11:23

--- E O F ---

...And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:20 AM, on 9/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\wuauclt.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1186622076\ee\AOLSoftware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
c:\program files\common files\aol\1186622076\ee\aim6.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Shane\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186622076\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Verizon Online DSL.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14FE144A-1869-4B8E-91D3-3104F5B6F058}: NameServer = 71.242.0.12 71.252.0.12
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

--
End of file - 10143 bytes

Thanks


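A small log-triage script, added here as an example (it is not part of this thread, of ComboFix or of HijackThis), that parses lines in the format of the ComboFix log above and flags the three Vundo traits that log shows: hidden+system (--ahs----) files in system32 with five-letter random names, a base name that also appears spelled backwards (ddcyx.dll and xycdd.ini), and an LSA "Authentication Packages" value listing anything besides the Windows default msv1_0. The sample log is constructed from lines copied out of the post; the function and pattern names are my own.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: lines copied from the ComboFix log posted in the thread
# (bare paths from "Other Deletions", dated entries from "Files Created",
# and the LSA key from "Reg Loading Points").
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\pmnno.dll
2007-09-07 10:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-03 05:49 6,448 --ahs---- C:\WINDOWS\system32\cbadd.bak2
2007-09-02 04:32 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-09-01 12:31 1,912,335 --ahs---- C:\WINDOWS\system32\klnmp.bak2
2007-08-17 15:56 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-07 12:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddcyx
"""

# Dated entry: date, time, size or <DIR>, nine-character attribute field, path.
DATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+|<DIR>) ([-a-z]{9}) (.+)$"
)
# Bare path, as printed under "Other Deletions".
BARE_PATH_RE = re.compile(r"^([A-Za-z]:\\.+)$")
# The LSA value line as ComboFix prints it (REGEDIT-style escaped backslashes).
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(.*)$')
# Vundo-style component name: five lowercase letters plus a short extension.
RANDOM_NAME_RE = re.compile(r"^([a-z]{5})\.(dll|ini|tmp|bak\d)$")


def parse_paths(log: str) -> List[Tuple[str, str]]:
    """Return (attributes, path) for every file line; attributes are '' for bare paths."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = DATED_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
            continue
        m = BARE_PATH_RE.match(line)
        if m:
            entries.append(("", m.group(1)))
    return entries


def in_system32(path: str) -> bool:
    """True when the file sits directly in ...\\system32 (not a subfolder like drivers)."""
    parent = path.rsplit("\\", 1)[0].lower()
    return parent.endswith("\\system32")


def hidden_system_randoms(log: str) -> List[str]:
    """system32 files carrying the hidden (h) and system (s) attributes with a random-looking name."""
    hits = []
    for attrs, path in parse_paths(log):
        name = path.rsplit("\\", 1)[-1]
        if "h" in attrs and "s" in attrs and in_system32(path) and RANDOM_NAME_RE.match(name):
            hits.append(path)
    return hits


def reversed_name_pairs(log: str) -> Set[Tuple[str, str]]:
    """Random-looking system32 base names that also occur spelled backwards (ddcyx / xycdd)."""
    bases = set()
    for _, path in parse_paths(log):
        m = RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1])
        if m and in_system32(path):
            bases.add(m.group(1))
    pairs = set()
    for base in bases:
        mirror = base[::-1]
        if mirror in bases and mirror != base:
            pairs.add(tuple(sorted((base, mirror))))
    return pairs


def extra_auth_packages(log: str) -> List[str]:
    """Entries in the LSA 'Authentication Packages' value other than the default msv1_0."""
    for raw in log.splitlines():
        m = LSA_RE.match(raw.strip())
        if m:
            return [pkg for pkg in m.group(1).split() if pkg.lower() != "msv1_0"]
    return []


if __name__ == "__main__":
    for path in hidden_system_randoms(SAMPLE_LOG):
        print("hidden+system random-name file:", path)
    for a, b in sorted(reversed_name_pairs(SAMPLE_LOG)):
        print("reversed-name pair:", a, "<->", b)
    for pkg in extra_auth_packages(SAMPLE_LOG):
        print("non-default LSA authentication package:", pkg)
```

Run against the full log in the post, the script picks out every .bak1/.bak2 file later listed in the Avenger script and the ddcyx entry that the REGEDIT4 fix removes.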

Response Number 5
Name: jabuck
Date: September 7, 2007 at 16:10:21 Pacific
Reply:

Temporarily disable any of the following anti-spyware real-time protection programs that you may have (Disable Realtime Protection), or the fixes will not work. Be sure to turn your anti-spyware programs back on once the computer is clean.

Please download "Avenger" by swandog46 to your desktop from this link: Avenger
1. Click on Avenger.zip to open the file.
Extract avenger.exe to your desktop.

2. Copy all the text contained in the area between the X's below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to delete:
C:\WINDOWS\system32\cbadd.bak2
C:\WINDOWS\system32\accdd.bak1
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\gjkmp.bak1
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\kjkmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Open Notepad (Start Menu > Run > type notepad and press "OK").

Copy and paste everything between the X's into Notepad, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

Please download ATF-Cleaner to your desktop from this link:
http://www.atribune.org/content/view/19/2/ We will need it later in Safe Mode.

Download and install AVG Anti-Spyware. We will need this later in Safe Mode.

Be sure to update AVG Anti-Spyware.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Navigate to and delete this folder:

C:\VundoFix Backups

Run ATF-Cleaner from Safe Mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Restart the computer, then post the AVG log, a HijackThis log and a new ComboFix log, please.


