Author Topic: Hijack please help

Offline Bulldog - Clive

Hijack please help
« on: December 17, 2005, 09:51:27 AM »
Hiya, I got infected from a crackspider.net sublink. I got a SCRIPT window pop up, then NETSH.EXE popped up about 5 times and loaded [censored] - then AVG went nuts with multiple viruses including

Klone
Spy Sheriff
Winstall.exe
z11.exe

I have used:

ewido security suite - Fully updated
AVG 7.1 - Fully updated
HijackThis 1.99.01
About:Buster 5.1
Spybot S+D 1.4
HOSTS (to replace hosts file)
SpywareBlaster
Adaware SE personal
cwshredder.exe
FxIstbar.exe

ALL say CLEAN, but I keep noticing AVG's email checker popping up saying it is scanning outgoing email, then a broadband hostmask (which is not my own). This is when Outlook isn't even open.
Also, since I had the blue background with the warning saying your computer is infected with spyware, I have had problems with my display.cpl. I have managed to gain control over my background, but when I load the .cpl all I get is the THEMES tab - I have to load a theme before I see the Background, Screensaver, Settings etc.
Last time I had one of these s.o.b's I had to format; hoping I don't have to this time ;/

HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 14:53:50, on 17/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avg\avgamsvr.exe
C:\PROGRA~1\avg\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\avg\avgcc.exe
C:\PROGRA~1\avg\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\software\-- VIRUS + ADWARE + TROJAN SCANNERS\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = That net thingy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\avg\avgemc.exe
O4 - HKLM\..\Run: [CW] "C:\Program Files\CW4\cw4.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131829020028
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131829174122
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnM...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45C5CBD3-B4AC-4DC7-9952-72E6FBB90258}: NameServer = 212.159.13.49,212.159.13.50
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

-------------------------------------------------------------------------


ALSO COULD YOU GIVE ME INFO ON HOW TO PREVENT IE FROM AUTO LOADING THESE VIRUSES/MALWARE/TROJANS, because I had Spybot, AVG and the rest installed and set to protect, but they didn't stop these from installing.

Many thanks in advance

Clive
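A small triage script for the HijackThis log format shown above, added here as an example (it is not from the original post and not part of HijackThis itself). The sample lines are constructed from the post's log plus one invented placeholder O16 entry, and the trusted-host and known-autostart lists are assumptions; a flag means "look at this entry first", not "this is malware".

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 format. All but the placeholder O16 line
# are modelled on entries in the post above; the placeholder host is invented.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CW] "C:\Program Files\CW4\cw4.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Placeholder Control) - http://downloads.example.invalid/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45C5CBD3-B4AC-4DC7-9952-72E6FBB90258}: NameServer = 212.159.13.49,212.159.13.50
"""

TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com")  # assumed allowlist for ActiveX cab sources
KNOWN_AUTOSTARTS = {"avgcc.exe", "avgemc.exe", "jusched.exe", "teatimer.exe"}  # assumed

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Yield (section, body) for each HijackThis entry line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def triage(text, expected_dns=()):
    """Return (reason, entry) pairs worth a helper's attention. Review list, not a verdict."""
    findings = []
    for sec, body in parse_hjt(text):
        if "(file missing)" in body:                       # orphaned registry/IE entry
            findings.append(("orphaned entry, target file missing", body))
        elif sec == "O4":                                  # autostart: is the exe one we expect?
            exe = re.search(r"([^\\/\"]+\.exe)", body, re.I)
            if exe and exe.group(1).lower() not in KNOWN_AUTOSTARTS:
                findings.append(("autostart not on known-good list", body))
        elif sec == "O16":                                 # ActiveX download (DPF) source host
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
                findings.append(("ActiveX download from unrecognised host", body))
        elif sec == "O17":                                 # DNS servers vs. the ISP's real ones
            servers = body.split("NameServer = ", 1)[-1].split(",")
            if any(s.strip() not in expected_dns for s in servers):
                findings.append(("nameservers differ from expected ISP DNS", body))
    return findings

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG, expected_dns={"212.159.13.49", "212.159.13.50"}):
        print(f"[{reason}] {entry}")
```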

Offline guestolo

Hijack please help
« Reply #1 on: December 17, 2005, 12:12:02 PM »
Can you do the following please?

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

==Download SmitRem.exe by Noahdfear and save the file to your desktop.
Don't run it yet

Please print the next set of instructions or save them to a Notepad file on your desktop for reference

==Open Ewido
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work, can you manually download the updates from this link
http://www.ewido.net/en/download/updates/
Additionally under the Status Window
In the Additional options, can you Uninstall GUARD please
We don't need it interfering with any fixes we try

Also: Open Spybot>>Click on MODE>>ADVANCED MODE>>OK the prompt
Click on TOOLS in the bottom left
Then RESIDENT>>>UNCHECK ONLY Resident Tea Timer
Allow the change
Keep this disabled until after we have you clean
TeaTimer may, and probably will interfere with any fixes we try

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Double click on SmitRem.exe to extract it to its own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: While Ewido is running, don't open any other windows; let it do its job

==Reboot back to Normal mode

==From my signature below, use Internet Explorer and run an Online Virus scan at Panda's
It's safe to supply them with an email address and additional info needed
When it's loaded
Choose to scan "Local Disks"
When the scan is done, if anything is found
Click the See Report
Save this report to your desktop

==Post the following back please
1. A fresh hijackthis log
2. The full report from Ewido's
3. Post the Whole log made from SmitRem located here C:\Smitfiles.txt
4. Post the report from Panda's
