maleware win32/cryptor

Free AVG detected win32/cryptor but was unable to remove it. AVG, Search & Destroy, Windows Update and any other maleware/virus program I've tried is unable to download updates or remove this virus. It appears to be also redirecting me from certain sites when I browse the web and makes other sites unavailable. I've followed all the instruction you've given for preparation for help but I was unable to download any windows updates. Whatever is wrong with my system prevents this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:10 PM, on 19/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\PC - 5\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Users\PC - 5\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC - 5\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC - 5\Documents\Downloads\GeePolice\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: cgmyamanto Toolbar - {2032dc01-c59c-4281-9090-dd2f685b3d0c} - C:\Program Files\cgmyamanto\tbcgmy.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: cgmyamanto Toolbar - {2032dc01-c59c-4281-9090-dd2f685b3d0c} - C:\Program Files\cgmyamanto\tbcgmy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: FlashCatchBHO Class - {88618A96-6D8A-42E7-B932-9073D5B2080F} - C:\Program Files\FlashCatch\flashcatch.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: cgmyamanto Toolbar - {2032dc01-c59c-4281-9090-dd2f685b3d0c} - C:\Program Files\cgmyamanto\tbcgmy.dll
O3 - Toolbar: FlashCatch - {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - C:\Program Files\FlashCatch\flashcatch.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\PC - 5\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\PC - 5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUplden-au.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E19084E-41D6-47D5-99A2-04E2C6509279}: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E19084E-41D6-47D5-99A2-04E2C6509279}: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7035 bytes

Just a update. Before finding your site I followed the instructions from other sites and downloaded Malwarebytes' Anti-Malware. However when I installed it on this machine it failed to do an update and failed to run. I installed the same program on another machine and it worked fine and downloaded updates without a problem. This seems to be related to the being unable to do updates with other programs as well.

Hello transit_ion.
While your instructions are not potentially harmful, we ask that normal users do not help unless you are part of our tech staff.

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
  R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
  R3 - URLSearchHook: cgmyamanto Toolbar - {2032dc01-c59c-4281-9090-dd2f685b3d0c} - C:\Program Files\cgmyamanto\tbcgmy.dll
  O2 - BHO: cgmyamanto Toolbar - {2032dc01-c59c-4281-9090-dd2f685b3d0c} - C:\Program Files\cgmyamanto\tbcgmy.dll
  O3 - Toolbar: cgmyamanto Toolbar - {2032dc01-c59c-4281-9090-dd2f685b3d0c} - C:\Program Files\cgmyamanto\tbcgmy.dll
  O4 - Startup: PowerReg Scheduler V3.exe
  O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\PC - 5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
  O17 - HKLM\System\CCS\Services\Tcpip\..\{0E19084E-41D6-47D5-99A2-04E2C6509279}: NameServer = 85.255.112.105,85.255.112.21
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
  O17 - HKLM\System\CS1\Services\Tcpip\..\{0E19084E-41D6-47D5-99A2-04E2C6509279}: NameServer = 85.255.112.105,85.255.112.21
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

See if you can update and run MBAM now.

Did as above but when I clicked "Fix Checked" it went to a blank window but did not tell me if it fixed it or not.

Installed MBAM. Ticked launch and update. As before the program did not open and the updated did not happen.

To make sure I didn't miss anything I ran the scan a second time.

I found all the files above deleted except for

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Also on the second scan I found what appears as new additions.

O10 - Unknown file in Winsock LSP:C:\windows\system32\wpclsp.dll

this o10 is repeated 9 or 10 times in a row.

My bad. I just looked at the original log and the 010 entry was in it. Ignore that, sorry.

MBAM installed but did no run or update. I unistalled it and tried it a second time, still did not work.

Hello.
DO NOT fix the 010 items in Hijack This, they are your LSP chain and breaking this will cause you to lose internet access.

Delete this folder in bold:
C:\Program Files\cgmyamanto

Download MBAM databse from here:
http://www.gt500.org/malwarebytes/database.jsp

Run the executable file and it will update the database manually rather than downloading it via the MBAM window. See if that will get the scan going. If you can't update, run the scan anyway with no update if that's possible for you.

Did not touch 010 items.

Deleted cgmyamanto.

Dowloaded the database and installed.

When I run MBAM normally it doesn't run and I get no error message.

When I run MBAM as administrator then I get a windows error message that the program stopped working. MBAM never opens up.

Hello.
I know what's wrong now.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Now, start The Avenger program by clicking on its icon on your desktop.

• Leave the script box empty.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

3. Please copy/paste the content of c:\avenger.txt into your reply.

Okay, were there instructions given last night for DRWEB that were replaced with the ones for Avenger? I followed those first then logged on this morning and found the ones for Avenger which I now followed.

This is what happened.

Downloaded DrWeb - it installed fine.
Gave me an option to update - it updated fine.
Started Program - it ran a quick scan - no problem.
Changed settings to remove Heuristic Analysis - ran full scan - blue screen crash. (This is what would happen when I tried to scan with Free AVG before contacting you guys).
Restarted Computer. Ran custom scan for all my drives with Heuristic Analysis off.
This morning I check the computer and the scan completed, this is what it found.
Back.Door.Tdss.106 - Deleted.
Trojan.Starter.896 - Moved.
Went to save the log as instructed. Blue Screen.
Restarted Computer and logged on here to double check instructions. Found the above instructions for avenger.
Followed the instructions, no problem.
This is the log for avenger.
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

Also one of the last two actions means now that MBAM now runs and updates.

This is the result of a quick MBAM scan.

Malwarebytes' Anti-Malware 1.34
Database version: 1876
Windows 6.0.6001 Service Pack 1

20/03/2009 5:07:34 PM
mbam-log-2009-03-20 (17-07-34).txt

Scan type: Quick Scan
Objects scanned: 78937
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\PC - 5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayMe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlayMe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlayMe\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

... and this is the result of a full scan.

Malwarebytes' Anti-Malware 1.34
Database version: 1876
Windows 6.0.6001 Service Pack 1

20/03/2009 7:02:12 PM
mbam-log-2009-03-20 (19-02-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 356360
Time elapsed: 1 hour(s), 42 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\$Recycle.Bin\S-1-5-21-1886690304-4079661910-4022131555-1001\$RQ3P2H6\SR2020-Demo-Setup.exe (Rogue.ScanSpyware) -> Quarantined and deleted successfully.

Yeah, sorry about changing my instructions, I had another user with exact same problems and it was a rootkit blocking it, so I changed my instructions here. I guess Dr.Web did all the removal, glad to know we have one more tool that isn't blocked.
Lets one final look around.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  Link 3
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Save the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

DDS (Ver_09-03-16.01) - NTFSx86
Run by PC - 5 at 19:29:22.93 on Fri 20/03/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.61.1033.18.894.273 [GMT 10:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\CTsvcCDA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Windows\ehome\ehtray.exe
C:\Users\PC - 5\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\PC - 5\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC - 5\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\PC - 5\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: FlashCatchBHO Class: {88618a96-6d8a-42e7-b932-9073d5b2080f} - c:\program files\flashcatch\flashcatch.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: FlashCatch: {10cecf4f-a96e-4803-8ac2-f565fb29ff47} - c:\program files\flashcatch\flashcatch.dll
TB: {2032DC01-C59C-4281-9090-DD2F685B3D0C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\pc - 5\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [filehippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\wpclsp.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUplden-au.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

S3 mdxgthkn;mdxgthkn;c:\users\pc - 5\appdata\local\temp\mdxgthkn.sys [2006-9-27 31744]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2009-1-9 34064]

=============== Created Last 30 ================

2009-03-20 16:57 --d----- c:\users\pc-5~1\appdata\roaming\Malwarebytes
2009-03-20 03:01 --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-20 00:19 --d----- c:\users\pc - 5\DoctorWeb
2009-03-20 00:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-20 00:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 00:10 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 00:02 --d----- c:\programdata\Malwarebytes
2009-03-20 00:02 --d----- c:\progra~2\Malwarebytes
2009-03-19 21:00 --d----- c:\program files\filehippo.com
2009-03-19 19:29 --d----- c:\program files\JavaRa
2009-03-18 20:48 --d----- c:\program files\Panda Security
2009-03-17 00:56 19,456 a------- c:\windows\system32\gaopdxxpwinrsooslrrpacppitiyvhjhwmtfou.dll
2009-03-16 19:30 --d----- c:\users\pc-5~1\appdata\roaming\Qualcomm
2009-03-16 19:13 1,712,128 a------- c:\windows\system32\gdiplus.dll
2009-03-16 19:13 317,952 a------- c:\windows\system32\Roboex32.dll
2009-03-16 19:13 --d----- c:\program files\Qualcomm
2009-03-16 19:13 48,640 a------- c:\windows\system32\INETWH32.DLL
2009-03-16 13:22 --d----- c:\program files\DNA
2009-03-16 13:22 --d----- c:\program files\BitTorrent
2009-03-13 13:47 --d----- c:\users\pc - 5\.thumbnails
2009-03-13 13:42 --d----- c:\users\pc - 5\.gimp-2.6
2009-03-13 13:42 --d----- c:\users\pc - 5\.gegl-0.0
2009-03-13 13:39 --d----- c:\program files\GIMP-2.0
2009-03-11 19:32 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 19:32 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 19:32 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 19:32 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 19:32 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 19:32 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-11 11:53 --d----- c:\users\pc-5~1\appdata\roaming\OpenOffice.org
2009-03-11 11:39 --d----- c:\program files\OpenOffice.org 3
2009-03-10 22:48 --d----- c:\program files\Orbiter
2009-03-10 11:49 --d----- c:\program files\AVG
2009-03-10 11:48 --d----- c:\programdata\avg8
2009-03-10 11:48 --d----- c:\progra~2\avg8
2009-03-10 11:06 --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-10 11:06 --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-10 11:06 --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-09 19:57 --d----- c:\program files\common files\Real
2009-03-04 20:29 --d----- c:\users\pc-5~1\appdata\roaming\PeerNetworking

==================== Find3M ====================

2009-03-19 17:01 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-19 17:01 86,016 a------- c:\windows\inf\infstor.dat
2009-03-19 17:01 51,200 a------- c:\windows\inf\infpub.dat
2009-03-07 18:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-01 22:37 73,216 a------- c:\windows\ST6UNST.EXE
2009-02-01 22:37 286,720 -------- c:\windows\Setup1.exe
2009-01-15 16:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-09 22:57 3,528 a------- c:\windows\system32\Infob.dat
2009-01-06 08:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-12 08:10 174 a--sh--- c:\program files\desktop.ini
2008-12-12 07:59 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-15 16:18 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-03-15 16:18 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-03-15 16:18 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 19:30:29.11 ===============

Okay, lets finish this off.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to disable:
mdxgthkn

Drivers to delete:
mdxgthkn

Files to delete:
c:\windows\system32\gaopdxxpwinrsooslrrpacppitiyvhjhwmtfou.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "mdxgthkn" disabled successfully.
Driver "mdxgthkn" deleted successfully.
File "c:\windows\system32\gaopdxxpwinrsooslrrpacppitiyvhjhwmtfou.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

How is the machine now?

The machine has been running better since I followed the initial instructions for clean up even before my first post.

To answer your question, I just tried doing a windows update and it's working as I type. I appears fixed. I will check after the downloads have finished to see if it worked correctly. I'll also download a new virus buster, firewall and anti spyware software.

Thank you very much for your prompt replies and your help.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Should I do this before the windows update or after?

After. Let the update run first.

Windows updated, system restore point set. Thank you again for you help. Going to secure my system now.

So I have one final question.

I've updated windows. I have updates on automatic. I have windows firewall installed. I'm installing Comodo Firwall and Comodo Anitivirus. (Got those from your forum under free downloads) and I'll install Spybot and Adaware. I also already have installed MBAM and DrWeb. Do I need MBAM and DrWeb if I'm getting Comodo? How is it that I that I was infected in the first place. I had windows updates on automatic, windows firewall, free avg, spybot with resident shileld and adaware (which did not work) yet I still got infected?