I am usually really proficient and very protected from the little critters we call malware. But I some how caught outerinfo and virtumonde along with a host of their friends. AVG alerted me to them and with general directions from the many sources I have I managed to remove them as far as my kaspersky scans were concerned. I even downloaded the trial kaspersy offers and ran it for a week. (it's a pain in the neck).
Went back to my regular arsenal. Paid version of spyware blaster AVG Sybot S&D adaware, etc. and since the only place that anything was found I did clean my restore points as my usual practice. Even ran the paid version of Registry first aid. and made clean restore point and reistry back up.

But I am now notified by my browser hijack blaster that an attempt to change my home page and default search engine to none is being attempted on a regular basis.

Followed the instructions on the before you post page
Spybot is clean in safe mode
AVG reports clean and it runs everyday
here is my kaspersky log and hijack this log

Hope you guys can help. I know this is not as serious as a virus but who know what it can attempt after this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:07 AM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\oldSay the Time\SayTime.exe
C:\Program Files\oldSay the Time\SayTime.exe
C:\Program Files\oldSay the Time\SayTimeMain.exe
C:\Program Files\oldSay the Time\SayTimeMain.exe
C:\Program Files\oldSay the Time\stttsm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Chami\HTML-Kit\Data\Template\Default\blank.htm
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Browser Hijack Blaster (no splash).lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe

--
End of file - 7607 bytes


*KASPERSKY ONLINE SCANNER REPORT*
Wednesday, March 19, 2008 11:11:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2
(Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/03/2008
Kaspersky Anti-Virus database records: 577882

*Scan Settings*
Scan using the following antivirus database standard
Scan Archives false
Scan Mail Bases true
*Scan Target* My Computer
C:\
D:\
E:\
F:\
*Scan Statistics*
Total number of scanned objects 309481
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 01:46:54


*Infected Object Name* *Virus Name* *Last Action*
C:\Documents and Settings\All Users\Application
Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows
Defender\Support\MPLog-05302007-090917.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is
locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local
Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked
skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is
locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is
locked skipped
C:\Documents and Settings\Tiggerr\Cookies\index.dat Object is locked
skipped
C:\Documents and Settings\Tiggerr\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tiggerr\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tiggerr\Local Settings\Application
Data\Microsoft\Windows
Defender\FileTracker\{87F57FB9-77D7-41B0-9B82-5EEFC685D868} Object is
locked skipped
C:\Documents and Settings\Tiggerr\Local Settings\Application
Data\Microsoft\Windows
Defender\FileTracker\{E710DD8D-D467-4F14-9189-67AC6587DCCF} Object is
locked skipped
C:\Documents and Settings\Tiggerr\Local Settings\Application
Data\Pando\Pando Files\cert\cert8.db Object is locked skipped
C:\Documents and Settings\Tiggerr\Local Settings\Application
Data\Pando\Pando Files\cert\key3.db Object is locked skipped
C:\Documents and Settings\Tiggerr\Local Settings\Application
Data\Pando\Pando Files\pando.log Object is locked skipped
C:\Documents and Settings\Tiggerr\Local
Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tiggerr\Local Settings\Temp\~DF5FBE.tmp
Object is locked skipped
C:\Documents and Settings\Tiggerr\Local Settings\Temporary Internet
Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is
locked skipped
C:\Documents and Settings\Tiggerr\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tiggerr\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tiggerr\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped
C:\System Volume
Information\_restore{CE76570C-A280-44B7-AA0A-0CD25A958ACB}\RP538\change.log
Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped
F:\System Volume
Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP313\A0043661.exe
Infected: Trojan-PSW.Win32.LdPinch.rko skipped
F:\System Volume
Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP313\A0043859.exe
Infected: Trojan-PSW.Win32.LdPinch.rko skipped
F:\System Volume
Information\_restore{CE76570C-A280-44B7-AA0A-0CD25A958ACB}\RP529\A0057234.exe
Infected: Trojan-PSW.Win32.LdPinch.rko skipped
F:\System Volume
Information\_restore{CE76570C-A280-44B7-AA0A-0CD25A958ACB}\RP538\change.log
Object is locked skipped
*Scan process completed.*


Sorry the kaspersky log didn't wrap right. I had word wrap off. I'll run another if you want but wanted to get the info to you ASAP. Off to use my Mac until this gets fixed/

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Not seeing a lot in these logs, you are right about word wrap, I can not scan the KOS but it looks like these are the three items:
F:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP313\A0043661.exe
Infected: Trojan-PSW.Win32.LdPinch.rko skipped
F:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP313\A0043859.exe
Infected: Trojan-PSW.Win32.LdPinch.rko skipped
F:\System Volume Information\_restore{CE76570C-A280-44B7-AA0A-0CD25A958ACB}\RP529\A0057234.exe
Infected: Trojan-PSW.Win32.LdPinch.rko skipped

I have this information:
http://www.wilderssecurity.com/bhblaster.html

I use both SpywareBlaster and SpywareGuard. I would uninsall Browser Hijack Blaster and install SpywareGuard from here: http://www.javacoolsoftware.com/spywareguard.html

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\ <<< do you own this program?

Here is what I would like to do to be sure.

1) Turn off Windows Defender and AVG Anti-Spyware.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Chami\HTML-Kit\Data\Template\Default\blank.htm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and activate Windows Defender, update and run a complete system scan. Let me know the results.

AVG Anti-Spyware 7.5 <<< activate this program and run a system scan, post the results. If you do not own this program (trial) keep in mind it uses a load of resources and gives no realtime benefits once the trial is over. My suggestion would be to uninstall (or at least turn it totally off) and use WD.

Browser Hijack Blaster <<< this program is so old I would really not trust it, SG can be set to block quietly. Here is a tutorial:
http://www.bleepingcomputer.com/forums/tutorial50.html

Thanks

Hi sorry to take so long Had to do the easter bunny thing.

No I don't own AVG Anti Spyware. Just downloaded the trial during all this nonsense. I have 24 days left.

I Let windows defender run last night and couldn't find a way to run a log but it found some adware so I am typing in the results and pasting where it looks like it was found
The F drive you see is my external drive and no programs are installed to it. It's just our shared family drive attached to my pc

Adware:Win32/ClariaGain.Trickler Alert level Medium

Category:
Adware

Description:
This program has potentially unwanted behavior.

Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
F:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP313\A0043356.exe->(wise0016)

file:
F:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP313\A0043355.exe->(wise0016)

containerfile:
F:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP313\A0043356.exe

containerfile:
F:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP313\A0043355.exe

Program:Win32/PowerReg Scheduler

Category:
Potentially Unwanted Software

Description:
This program has potentially unwanted behavior.

Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
C:\WINDOWS\pss\PowerReg Scheduler.exeStartup



Adware:Win32 WhenUSaveNow

Category:
Adware

Description:
This program has potentially unwanted behavior.

Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
F:\from pppcchip\pc\halloweenhaunt.exe->(wise0023)->(wise0005)

containerfile:
F:\from pppcchip\pc\halloweenhaunt.exe



Tool:Win32/Cmdow

Category:
Tool

Description:
This program has potentially unwanted behavior.

Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
F:\Downloads\TinyXP_Rev05.rar->TinyXP_Rev05.iso->OEM\bin\cmdow.exe

containerfile:
F:\Downloads\TinyXP_Rev05.rar


Should I fix what Windows defender found before running the avg spyware program? Makes sense to, but I am not going to do a thing before you all tell me to. I am at your mercy.

A very humble, Tiggerr

Thanks for the feedback, those F:\ System Restore files are infected and I did not need to see that information. Those files need to be purged, as it is, if that System Restore point is ever used, the malware will be returned to the computer.

Windows Defender, have it it remove anything it finds. The same with AVG Anti-Spyware.

Thanks

Oh and I also want to thank you for telling me about Spyware guard. It's great.

Right after I installed it, I got a window informing me it was changing my home page and search engine from none back to my chosen preferences. Isn't that cool

Avg Anti spyware found something called Backdoor.ace and quarantined it and I deleted the zipped files that it was originally in. These files have been here for a long time. I can't understand why they weren't found before. In fact all of the files that were found either by your help or by my own efforts were in files that had been on my computer for at least a year.

Could it be that the trojans I removed (virtumonde, Rabio and the outerinfo ones, infected random files on my machine. Most of them were either zipped or rar files too.

Can you shed some light for me so I can understand and defend against them.

Now what do we do

The guys that create the tools to remove the junk are the ones who understand how the junk works, not me. I came into this after you removed a load of stuff, so I never really ever had a clear picture of the initial infection...see this:
http://forums.spybot.info/showthread.php?t=288

Until a helper responds, the HJT log has not been analyzed. Please wait to be advised and don't run fixes until asked. ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision. This is especially important if your Operating System is Windows Vista!!It's kind of like walking into a movie after it has been on for and hour or so.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

I hope we got it all

As I said at the star I usually don't have to bother you guys. I see how busy you are and, I have been doing this for such a long time, I though I had it licked. But this time, I was really stumped. I am sorry, I made it worse for you . I can understand your position.

I was just so befuddled. I had rarely found any more than the usual tracking cookies on my own machine, But the rest of the ones brought to me, were usually not as persistant as these.

I have admired you all for a long time, and read many of the spyware fighting forums just for the information they provide. The rogue spyware removers and the story behind the cw shredder program are fascinating.

One last question.

The ATF cleaner. If that just for emergencies or can it be added to my arsenal of tools. It sure cleans better than anything I have used in the passed.

Thank you again so much for all your help.

ATF-Cleaner is a great tool, you may want to read this tutorial:
http://www.nutnworks.com/forums/showthread.php?t=1925

I am selective in how I use it, like I clean Prefetch only when it needs it:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Here is a fairly new malware removal tool, give it a run for a double check when time permits.

Safe Surfing...Phil:)

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Thanks phil You are a life saver. My kids have been forbidden from using my machine, and I no longer looking for games for my web site.

If (heaven forbid) I get infected again, I'll come straight here and let you guys look first if spybot or windows defender or this new one fail me. I should have know I was in for trouble with the amount of pleas for help with this virtumonde one.

Someone asked me once why these guys make viruses and malware, and All I could say was "because they can"

Thanks Loads and I hope I never see you again ;)