Hi
Your system is infected with a series of trojans and adware.
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how
HERE
Next turn on "Show all files and folders, including hidden and system". See how
HERE
Go to start > run and type services.msc. Press the enter key.
Search for the following services(if there) double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
winupdates.exe
whse.exe
kybrd.exe
dfndra.exe
nwnm.exe
tapi32.exe
Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:
winupdates.exe
whse.exe
kybrd.exe
dfndra.exe
nwnm.exe
tapi32.exe
After that,
run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked":
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM..Run: [keyboard] C:\kybrd.exe
O4 - HKLM..Run: [defender] C:\dfndra.exe
O4 - HKLM..Run: [newname] C:\nwnm.exe
O4 - HKCU\..\Run: [WinHlp] C:\WINDOWS\System32\tapi32.exe
O15 - Trusted Zone:
www.archiviosex.net
O15 - Trusted Zone:
www.linkautomatici.com
O15 - Trusted Zone:
www.redfunny.com
O15 - Trusted Zone:
www.skymasters.biz
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\Recycler\Q678341.exe
Also fix these entries if you do not recognise the sites to be ones you frequent. Fix ALL O17 entries too.
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} -
http://www.terp17.com/ax/axo.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} -
http://cabs.elitemediagroup.net/cabs/eliteview.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) -
http://static.zangocash.com/cab/Zango/ie/bridge-c8.cab?2ffa25d59e669145a5231c359 89761a4353adc359ca85f19bc0aabf8c75cf502d03a6418b97160482684ad7d348a64b136db6e879 b1ee3312eeb84d3:d4cfae920c178c84bcb234c06cc46aff
Close HJT.
Navigate in Windows Explorer and delete the following files and/or directories in bold.
C:\Program Files\
winupdates\winupdates.exe
C:\Program Files\
WhenUSearch\whse.exe
C:\
kybrd.exe
C:\
dfndra.exe
C:\
nwnm.exe
C:\WINDOWS\System32\
tapi32.exe
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.