Author Topic: Please HELP!!!!  (Read 3112 times)


Mrfus

  • Guest
Please HELP!!!!
« on: April 19, 2007, 06:27:39 AM »
I'm really not sure what happened. I was surfing the web in the morning, and well, avast sent an alert about a connection infected with this virus, as the log shows:

Sign of "Win32:Rootkit-C [Trj]" has been found in "C:\WINDOWS\System32\yhsxbmjs.mnf" file. 
Sign of "Win32:Zhelatin-MI [Wrm]" has been found in "C:\Documents and Settings\FuS\Local Settings\Temporary Internet Files\Content.IE5\W7ODO5B3\zup[1].exe" file. 
Sign of "Win32:Zhelatin-MI [Wrm]" has been found in "C:\WINDOWS\system32\zup.exe.exe" file. 
Sign of "Win32:Zhelatin-I [Wrm]" has been found in "C:\WINDOWS\System32\wincom32.sys" file. 
Sign of "Win32:Small-EJL [Trj]" has been found in "C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP149\snapshot\_REGISTRY_MACHINE_SOFTWARE" file. 


Well, after I selected delete for the files, the system started acting strange. I got a small pop-up dialog in the notification area on the task bar that referred to spyware on the system... well, at that point my browser (Internet Explorer 6.028) started redirecting my home page (altavista) to a white page that just shows a bar that says "Warning: Your computer is infected with spyware! How to help protect your computer and remove spyware..." (this is the web page to which my browser is redirected: http://vnmxjcx.com/start/?aid=242) and finally, if you click on the link, you go to a web page titled http://top-antispyware-reviews.com/, which is just a sales site for a spyware removal tool)... well, I ran Spybot Search & Destroy, Ad-Aware and SpyHunter, removed any spyware or malware... rebooted the machine, same problem, browser still redirected to the same web page, blocking access to many websites (including altavista, hotmail, google... and others). I rebooted the machine and ran avast before Windows loaded, nothing detected; rebooted and started Windows in safe mode, ran Spybot, Ad-Aware, avast, and SpyHunter, nothing abnormal detected... returned to Windows (XP version 2002, SP1) and the system started becoming unstable; on several occasions the system got an error in services.exe and rebooted the system...

I'm desperate, I don't want to wipe the whole system and start from zero putting software back on (I'm a graphic designer, so you can figure all the Adobe and Macromedia applications, plus I'm learning to program Basic Stamp microcontrollers, so there are more programs and files installed on the system). I'm sure the system has a virus and surely has a worm that is affecting the system and redirecting (hijacking my browser!!!!)... I have the log of this software; I hope it can give someone an idea of what can be wrong:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:17:40 PM, on 4/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tmrsrv32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\System32\msnhlp32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [monitor] C:\Program Files\PlayTV USB 2.0\monitor.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by143w.bay143.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553538000} -
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - C:\Program Files\Spyware Terminator\sp_rsser.exe (file missing)

--
End of file - 5980 bytes


I hope someone can help me with this situation before it gets worse and my only solution becomes to format the HDD and reinstall Windows and all the drivers and all the applications, and copy back the backup that I just made of my documents...  :-[
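A small triage script for logs in this format, added here as an example and not part of the original post: it parses the Rn/On entry lines and flags the kinds of entries a malware-removal helper looks at first (O6 IE policy restrictions, BHOs loaded from the system directory, O23 services with no vendor recorded or a missing file). The sample lines are copied from the log above; the flagging rules are my own review heuristics, not anything HijackThis itself does.

```python
import re

# Constructed sample: a handful of entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\System32\msnhlp32.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Unknown owner - C:\Program Files\Spyware Terminator\sp_rsser.exe (file missing)
"""

# Every entry line is "<section> - <body>", where section is R0, R1, O2, O4, O23, ...
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# A DLL referenced straight out of the Windows system directory (heuristic, not a verdict).
SYSDIR_DLL_RE = re.compile(r"\\WINDOWS\\System32\\[^\\]+\.dll$", re.I)


def parse_entries(text):
    """Return (section, body) pairs for every entry line; header and footer lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Return (section, reason, body) for entries that deserve a manual look first.
    These are review hints, not verdicts: a legitimate driver service can also lack a
    vendor string, so each hit still has to be checked against its real publisher."""
    findings = []
    for section, body in entries:
        reasons = []
        if section == "O6":
            reasons.append("IE policy restrictions set; legitimate only if an administrator configured them")
        if section == "O2" and SYSDIR_DLL_RE.search(body):
            reasons.append("BHO loaded from the system directory; confirm the publisher")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no vendor recorded")
        if "(file missing)" in body:
            reasons.append("referenced file is missing from disk")
        findings.extend((section, reason, body) for reason in reasons)
    return findings


def triage_log(text):
    return triage(parse_entries(text))


if __name__ == "__main__":
    for section, reason, body in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```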

Spiritsongs

  • Guest
Re: Please HELP!!!!
« Reply #1 on: April 19, 2007, 06:25:51 PM »
 :)  Hi Mrfus:

     1st off, you should NEVER INITIALLY "Delete" anything detected by a
     security program, but should ALWAYS "Quarantine" it, because "Deleting"
     may cause problems such as the ones you are experiencing.
     2nd: Many anti-malware Experts recommend NOT having "SpyHunter" on
     a computer, and antispyware Expert Eric Howes says the following on his
     www.spywarewarrior.com/rogue_anti-spyware.htm site:
    "Note on Enigma SpyHunter: Enigma's SpyHunter anti-spyware application was listed on this page primarily because of the company's history of employing aggressive, deceptive advertising. The company was also known for exploiting the name "spybot" in its domain names and online advertising. These objectionable business practices were employed primarily from late 2002 to mid 2004.
Sometime during the summer of 2004 the company halted the most obnoxious and objectionable aspects of its online advertising. It also unloaded all the "spybot" domains (which were promptly picked up by Paretologic for its XoftSpy anti-spyware application).

While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users' PCs, we can no longer classify this application as "rogue/suspect." Nonetheless, SpyHunter -- at least in its current state -- cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize. Given the many excellent competing anti-spyware applications that are available (some for free), users would do better looking elsewhere for trustworthy anti-spyware protection.

Domains: enigmasoftwaregroup.com, spywareremove.com, uninstallxupiter.com

[A: 6-26-04 / U: 8-22-04]".

 3rd: Your HijackThis log indicates you have "Spyware Terminator"!?
 What has this program done about your situation? There is no indication
 in the log that Spybot, Ad-Aware or "SpyHunter" are on your computer!?

 4th: Perhaps it would be wise to use either the online scanner of AVG
 Antispyware available at www.ewido.net and/or use the FREE version of
 SUPERAntiSpyware from www.superantispyware.com!? These 2 are often
 recommended by many anti-malware Experts.

« Last Edit: April 19, 2007, 06:30:33 PM by Spiritsongs »

essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Please HELP!!!!
« Reply #2 on: April 19, 2007, 06:57:41 PM »
A few remnants of smitfraud

Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix. to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.