NOTE: the malware is in the System Restore points. Do NOT do a System Restore while we're cleaning. We will drop the old restore points when the system is clean.
You are running two antivirus programs:
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
Decide which one you want on the system and uninstall the other. If you decide to uninstall the Symantec/Norton program, use the Norton Removal Tool HERE.
Temp files should be cleaned out occasionally:
C:\DOCUME~1\OLDMAN~1\LOCALS~1\Temp\clclean.0001
This is from "Creative Filter AudioControlMB Module" (ctmbha.dll, version 1.0.1.22).
Please re-open HiJackThis> click on System Scan Only> Check the boxes next to all the entries listed below:
O2 - BHO: (no name) - {DDAD52FC-45AA-4493-872A-5E1D7823C437} - (no file)
O2 - BHO: (no name) - {E87D9DDF-FC36-4699-B73F-37BBC978160F} - C:\WINDOWS\system32\mlJYpPFy.dll (file missing)>> this is another Vundo process.
O4 - HKLM\..\Run: [win16dll] C:\Program Files\44052\cae4.exe>>>Screenspy captures screenshots silently. If you didn't install this yourself, remove it. (Filename: win16dll.exe)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: ssqRjGYO - C:\WINDOWS\>> this is the Trojan.WinFixer.Process.
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
Poker Stars
Any process related to win16dll, 44052 or cae4.exe
> Apply> OK
Open IE> Tools> Manage Add-ons> find the Eset OnlineScanner Control> highlight> Disable.
Control Panel> Add/Remove Programs> UNINSTALL the following if present:
PokerStars
win16dll, 44052 or cae4.exe
Reboot into Normal Mode. NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
Run the VundoFix:
Please download VundoFix.exe from HERE and save it to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please attach the C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Then run SDFix:
* Download SDFix from HERE and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).
Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here
Rescan with HijackThis AFTER VundoFix and SDFix. Attach all logs and reports.
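The post above flags three kinds of HijackThis entries by hand: O2 BHOs whose DLL no longer exists, an O4 Run entry launching from a numerically named folder, and an O20 Winlogon Notify entry with a generated-looking name. The following is an added example (not code from the post or from HijackThis) that applies those same checks to log lines in the format HijackThis prints. The input is a constructed sample built from the entries quoted in the post, and the "random-looking name" heuristic (8+ letters, mixed case, at most one vowel) is the editor's own rule of thumb, not a HijackThis feature.

```python
import re

# Constructed sample in the shape of a HijackThis log, built from the
# entries quoted in the post above; it is test input, not a real capture.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {DDAD52FC-45AA-4493-872A-5E1D7823C437} - (no file)
O2 - BHO: (no name) - {E87D9DDF-FC36-4699-B73F-37BBC978160F} - C:\WINDOWS\system32\mlJYpPFy.dll (file missing)
O4 - HKLM\..\Run: [win16dll] C:\Program Files\44052\cae4.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: ssqRjGYO - C:\WINDOWS\
"""

ENTRY_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")
# First Windows path on the line, up to an annotation such as "(file missing)".
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^(]*")


def looks_random(name: str) -> bool:
    """Editor's heuristic for generated names like 'mlJYpPFy' or 'ssqRjGYO':
    8+ letters only, mixed case, and at most one vowel."""
    if len(name) < 8 or not name.isalpha():
        return False
    if name == name.lower() or name == name.upper():
        return False
    return sum(c in "aeiouAEIOU" for c in name) <= 1


def triage_line(line: str) -> dict:
    """Classify one HijackThis line; 'reason' lists every rule that fired."""
    m = ENTRY_RE.match(line)
    if not m:
        return {"line": line, "section": None, "flagged": False, "reason": "unparsed"}
    section, rest = m.groups()
    path_m = WIN_PATH_RE.search(rest)
    path = path_m.group(0).strip() if path_m else ""
    reasons = []

    if section == "O2":
        # A BHO whose DLL is gone is a leftover of a removed component.
        if "(no file)" in rest or "(file missing)" in rest:
            reasons.append("orphaned BHO: referenced DLL is absent")
        stem = path.rsplit("\\", 1)[-1].split(".")[0] if path else ""
        if looks_random(stem):
            reasons.append(f"random-looking DLL name '{stem}'")
    elif section == "O4":
        # Run key pointing into a folder whose name is only digits,
        # the pattern the post calls out (C:\Program Files\44052\cae4.exe).
        if any(part.isdigit() for part in path.split("\\")):
            reasons.append("autorun executable in a numerically named folder")
    elif section == "O20":
        # Winlogon Notify DLLs load into the logon process; flag a target
        # that is a bare directory rather than a DLL, or a generated name.
        name = rest.split(":", 1)[1].split(" - ")[0].strip() if ":" in rest else ""
        if path.endswith("\\"):
            reasons.append("Winlogon Notify target is a directory, not a DLL")
        if looks_random(name):
            reasons.append(f"random-looking Winlogon Notify name '{name}'")

    return {"line": line, "section": section, "flagged": bool(reasons),
            "reason": "; ".join(reasons)}


def triage(log_text: str) -> list:
    """Run triage_line over every non-empty line of a log."""
    return [triage_line(l) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        mark = "FLAG" if f["flagged"] else "ok  "
        print(f"{mark} {f['line']}")
        if f["reason"] and f["flagged"]:
            print(f"       -> {f['reason']}")
```

Run it against a saved HijackThis log with `triage(open("hijackthis.log").read())`. On the constructed sample it flags both O2 entries, the O4 entry and the O20 entry, and leaves the PokerStars button and the ESET scanner control alone, matching the post's reading; treat the output as a shortlist for a human to confirm, not as a verdict.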