Spyware removal help!

Unknown

For the past week I've had a string of bad luck. Got rid of them, but they keep coming back. Please help!

Logfile of HijackThis v1.99.1

Scan saved at 3:57:32 PM, on 4/2/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HiJackThis_v2.exe

C:\WINDOWS\system32\NOTEPAD.EXE

F:\HijackThis.exe



O2 - BHO: (no name) - {10AEBEF4-5D09-4044-8397-6DC3A5F125B0} - (no file)

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)

O4 - HKLM\..\Run: [SoundMAXPnP] -"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"

O4 - HKLM\..\Run: [SoundMAX] -"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [igfxtray] -C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] -C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] -C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [AVG7_CC] -C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [VirtualCloneDrive] -"C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [CloneCDTray] -"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [AnyDVD] -C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175031321140

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O20 - Winlogon Notify: xxyxvut - xxyxvut.dll (file missing)

O23 - Service: Adobe LM Service - Unknown owner - -"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)

O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)

O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - -C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)

O23 - Service: StyleXPService - Unknown owner - -"C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Veka

Hi Lt 'Cois and welcome to Short-Media! I'll check your log, please be patient.

Veka

Please rename HijackThis.exe to Scanner.exe.

Download VundoFix and and save it to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will now receive a prompt asking if you want to remove the files, click the Yesbutton.
• Your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click the OK button.
• When the computer has shutdown, turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post fresh HijackThis log and contents of VundoFix log ( C:\vundofix.txt ).

Lt 'Cois

VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 12:16:36 PM 4/3/2007

Listing files found while scanning....

No infected files were found.

---

Logfile of HijackThis v1.99.1
Scan saved at 12:35:18 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\HiJackThis\Scanner.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: (no name) - {10AEBEF4-5D09-4044-8397-6DC3A5F125B0} - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] -"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] -"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [igfxtray] -C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] -C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] -C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] -"C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AnyDVD] -C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175031321140
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: xxyxvut - xxyxvut.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - -"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - -C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)

Veka

PRINT OUT THESE INSTRUCTIONS OR SAVE THEM WITH NOTEPAD

Download AVG Anti-Spyware to your desktop

Run Hijackthis and click Do a system scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {10AEBEF4-5D09-4044-8397-6DC3A5F125B0} - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)
O20 - Winlogon Notify: xxyxvut - xxyxvut.dll (file missing)

If you like, fix these unneeded startup entries:

O4 - HKLM\..\Run: [SoundMAX] -"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [igfxtray] -C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] -C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] -"C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AnyDVD] -C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

Click Fix Checked.

~~~~~~~~~~~~~~~~~~

• Install and start AVG Anti-Spyware
• Click the Update icon
• Click Start update
• Wait until updates are downloaded
• Click the Scanner icon
• Open the Settings tab
  • Make sure that under "How to act?" read Quarantine
    (If not, click the text and choose Quarantine)
  • Under "How to scan?" all checkboxes should be ticked
  • Under "Reports" select Automatically generate report after every scan
    and uncheck Only if threats were found
  • Under "What to scan?" select Scan every file
• Click the Shield icon
• Under the "Resident shield is" click active to make it inactive
• Close AVG Anti-Spyware

Reboot in safe mode

• If the computer is running, shut down Windows, and then turn off the power
• Wait 30 seconds, and then turn the computer on
• Start tapping the F8 key
• The Windows Advanced Options Menu appears
• Ensure that the Safe Mode option is selected
• Press Enter. The computer then begins to start in Safe mode
• Login on your usual account

• Close all open windows / programs / folders
• Start AVG Anti-Spyware
• Click the Scanner icon
• Click Complete System Scan
• Let the program scan the machine
• When the scan has finished, follow the instructions below
  • Make sure that under "Set all elements to" read Quarantine
    (If not, click the text and choose Quarantine)
  • Click Apply all actions
  • Click Save Report
  • Click Save reports as
  • Save report to your Desktop

~~~~~~~~~~~~~~~~~~

Post fresh HijackThis log and the AVG Anti-Spyware's report.

Lt 'Cois

I didn't manage to get a log of AVG, but there results were good: no infected results.
--
Logfile of HijackThis v1.99.1
Scan saved at 8:44:58 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\HiJackThis\Scanner.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] -"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] -"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [igfxtray] -C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] -C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] -C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] -"C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [AnyDVD] -C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175031321140
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Unknown owner - -"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Unknown owner - -C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Veka

Congratulation, your HJT log is clean.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 .
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement."
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
  • J2SE Runtime Environment 5.0 Update 11
    
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

~~~~~~~~~~~~~~

I don't see a firewall running [SIZE=-1]on your computer. [/SIZE]Please download one of the following - they are Free!.

Comodo
Zone Alarm
Sunbelt Kerio PF
Outpost Firewall

Install and reboot.

~~~~~~~~~~~~~~

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster<= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs

• More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.

And also see TonyKlein's good advice
So how did I get infected in the first place?

Lt 'Cois

Thanks for your help!