Malware help needed, HijackThis log attached!

Discussion in 'Malware Help (A Specialist Will Reply)' started by anonymous12, May 20, 2006.

  1. anonymous12

    anonymous12 Private E-2

    I have done everything listed in the "READ & RUN ME FIRST BEFORE ASKING FOR SUPPORT" with the exception of running Panda ActiveScan, because it would not run on my computer no matter what I tried. I also ran some of the optional alternative scans and used Help2Go Detective and HijackThis analysis tools to try to remove malware on my own, but I still have random pop-ups opening up on my computer; the biggest culprit appears to be URLs ending in MUON.HTML, but not exclusively. I also did everything possible from "How to protect yourself from malware" (adding ZoneAlarm Free and Avast Antivirus primarily). Thanks for your help in advance!
     

  2. anonymous12

    anonymous12 Private E-2

    BitDefender Log attached

    I'm running Windows XP Pro with Service Pack 2 with the windows updates installed. 1.5 gig RAM, 2.2 GHZ Pentium 4. 250 gigs hard drive.
     


  3. anonymous12

    anonymous12 Private E-2

    Other weird phenomena which perhaps you can help me with:

    1) After bootup, I always get one of the following messages, usually with a different .DLL file each time:
    RUNDLL: An exception occurred while trying to run ""C:\windows\system32\wzcap.dll",DllGetVersion"
    RUNDLL: An exception occurred while trying to run ""C:\windows\system32\qnery.dll",DllGetVersion"
    RUNDLL: An exception occurred while trying to run ""C:\windows\system32\qiery.dll",DllGetVersion"
    RUNDLL: An exception occurred while trying to run ""C:\windows\system32\dpcpmon.dll",DllGetVersion"
    RUNDLL: An exception occurred while trying to run ""C:\windows\system32\iyetres.dll",DllGetVersion"

    2) Had one of these script errors: Internet Explorer Script Error: An Error has occurred in the script on this page. Line 17, Char 1, Error Access is denied, Code 0, file://C:\Program Files\ipwins\s1nk.1.dat

    3) ZoneAlarm keeps reporting the following programs trying to access the internet. I deny it because I don't know what they are. Any ideas?

    rwinsqaf.exe
    tdopfpgx.exe
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should manually delete any of the files that BitDefender indicated it could not delete. This includes all the stuff in the below folder:
    C:\Documents and Settings\Default\Desktop\Desktop2

    You should be careful downloading stuff with P2P programs and also with the downloading of cracks. That is probably how you got all these infections, and you have a bunch.

    Begin by following this procedure: Look2Me VX2 Removal, then attach the requested log to your next message.

    Are you loading these three below items at startup on purpose? If not, then add them to the list of things to fix further down with HijackThis.
    O4 - Startup: important.txt
    O4 - Startup: important2.txt
    O4 - Startup: important3.txt

    Is the below proxy server setting something you configured?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac

    You did not follow the directions for installing HijackThis properly in step 7 and as a result installed it exactly where we specify not to install it. Please fix this now before continuing.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {A5181F8A-0B9D-43AC-8BE5-EB61651DB685} - (no file)
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinsqaf.exe FI002
    O4 - HKCU\..\Run: [EServiceMain] C:\Program Files\Common Files\Microsoft Shared\MSInfo\cservice.exe
    O4 - HKCU\..\Run: [Utsa] "C:\Program Files\eoan\ruaa.exe" -vt yazb
    O4 - HKCU\..\Run: [Kbd] C:\Program Files\?ssembly\ping.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinsqaf.exe
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O15 - Trusted Zone: http://www.bofa.com
    O15 - Trusted Zone: http://www.windowsupdate.com
    O15 - Trusted IP range: 128.218.107.34
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/82/html/gtdownlr.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\ipwins <--- the whole folder
    C:\Program Files\eoan <--- the whole folder
    C:\Program Files\?ssembly <--- the whole folder
    C:\Program Files\Common Files\Microsoft Shared\MSInfo\cservice.exe
    C:\WINDOWS\system32\rwinsqaf.exe
    C:\WINDOWS\system32\irssyncd.exe
    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
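The post above works through a HijackThis log by entry type: orphaned toolbar and button entries marked "(no file)", Run-key and Startup entries that launch random-looking binaries out of system32, a folder whose name HijackThis could only print as "?ssembly", Trusted Zone and O16 ActiveX entries, and a proxy auto-config URL the user may not have set. The script below is an added example that encodes that reasoning as a triage pass over a log; it is not a MajorGeeks tool and not part of the original thread. The sample log is constructed from lines quoted in the thread plus one made-up benign entry ([ExampleBenign]), the random-name test is a heuristic, and the O16 host allowlist is an assumption.

```python
"""Triage a HijackThis-style log for the entry types discussed above (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: entries quoted in the thread plus one made-up benign line
# ([ExampleBenign]) to show that ordinary Run entries are not flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - Default URLSearchHook is missing
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmwfhh.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinsqaf.exe FI002
O4 - HKCU\..\Run: [Kbd] C:\Program Files\?ssembly\ping.exe
O4 - HKLM\..\Run: [ExampleBenign] C:\Program Files\Example\example.exe
O4 - Startup: important.txt
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinsqaf.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://www.bofa.com
O15 - Trusted IP range: 128.218.107.34
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
"""

# Assumption: hosts whose ActiveX downloads (O16 entries) are not worth flagging.
DPF_ALLOWLIST = ("microsoft.com", "windowsupdate.com")
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
RUN_KEY = re.compile(r"(?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\]\s*(.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic for generated names such as rwinsqaf or irssyncd:
    7-10 lowercase letters that are vowel-starved or carry a long consonant run."""
    if not re.fullmatch(r"[a-z]{7,10}", stem):
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    longest_consonants = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio <= 0.3 or longest_consonants >= 4


def run_target(rest: str) -> Optional[str]:
    """Pull the launched path out of an O4 Run-key or Startup-folder entry."""
    m = RUN_KEY.match(rest)
    if m:
        target = m.group(1)
    elif rest.startswith("Startup:"):
        target = rest.split(" = ", 1)[1] if " = " in rest else rest[len("Startup:"):]
    else:
        return None
    target = target.strip().strip('"')
    cut = target.lower().find(".exe")  # drop trailing arguments such as FI002
    return target[:cut + 4] if cut != -1 else target


def triage(log_text: str) -> List[Finding]:
    """One Finding per entry that deserves a look; everything else is left alone."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        sec, rest = m.groups()
        if "(no file)" in rest:
            findings.append(Finding(sec, line, "orphaned entry, target missing; safe to fix"))
        elif sec == "R1" and ("AutoConfigURL" in rest or "ProxyServer" in rest):
            findings.append(Finding(sec, line, "proxy setting; confirm you configured it yourself"))
        elif sec == "R3" and "missing" in rest:
            findings.append(Finding(sec, line, "default URLSearchHook missing; fix to restore it"))
        elif sec == "O2" and "\\system32\\" in rest.lower():
            findings.append(Finding(sec, line, "BHO loads into every IE process; verify the DLL"))
        elif sec == "O4":
            target = run_target(rest)
            if target and "?" in target:
                findings.append(Finding(sec, line, "path has a character HijackThis cannot print; disguised folder"))
            elif target and "\\system32\\" in target.lower() and looks_random(ntpath.splitext(ntpath.basename(target))[0]):
                findings.append(Finding(sec, line, "random-looking executable name under system32"))
        elif sec == "O15":
            findings.append(Finding(sec, line, "Trusted Zone relaxes IE security for this site; remove unless you added it"))
        elif sec == "O16":
            url = re.search(r"https?://\S+", rest)
            host = urlparse(url.group(0)).hostname if url else None
            if host is None or not any(host == h or host.endswith("." + h) for h in DPF_ALLOWLIST):
                findings.append(Finding(sec, line, "ActiveX download from an unlisted host; removable, re-fetched if needed"))
    return findings


def flagged_lines(log_text: str) -> List[str]:
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The heuristics deliberately err on the quiet side: the [IpWins] entry is not flagged, because "ipwins" is short enough to pass the random-name test, and the HP sysinfo.cab entry is flagged only as "review", which matches the reviewer's later answer that O16 items are rarely required and get re-downloaded when needed. Treat the output as a reading aid for the log, not a verdict.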
  5. anonymous12

    anonymous12 Private E-2

    Yes I'm loading important*.txt on purpose for personal reminders.

    The proxy server was suggested by Avast to work with Zone Alarm, although they had me enter "localhost" in the address field under "use a proxy server for your LAN" and then enter 12080 in the port field. I'm not sure if this all translates into http://localhost:9100/proxy.pac?

    I personally added bofa.com and windowsupdate.com to my trusted zone.. what is the reason I need to remove these?

    Is there any chance of this being for my HP printer? (since it says hp.com):O16 - DPF: {49232000-16E4-426C-A231-62846947304B} http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

    Should I check/fix the line that says 09 - extra button: (no name) - {blah blah} - %windir%\bdoscandel.exe? bdoscandel sounds bad..

    Should I delete this file: tdopfpgx.exe? It's in my windows/system32 and has triggered my ZoneAlarm a couple of times.

    Hijackthis log file attached. Look2me-destroyer worked great (found/removed lots of files), but I ran it a second time and it over-wrote the old log file, and found no new additional traces of look2me, so the log file is blank now, sorry.

    I am getting a few random popups here and there (much less than before, and none say muon.html). One example:"There is a security vulnerability from the Backtera virus. We recommend you download one of the security software programs to prevent malware infections. [OK]", and it opens the website url to amaena.com/securityworm5/?aid=csaRon&lid=ron. Another random popup opens 64.70.39.135/c

    Anything else I should try?

    Thanks!
     


  6. anonymous12

    anonymous12 Private E-2

    Please find my latest hijackthis log attached. I ran another AdAware and Spybot Search & Destroy which found more crap to remove. This hijack this log was made after running those programs. Since running those programs about an hour ago, I have not seen anymore malware popups! Let me know if anything else looks suspicious in here though. Thanks!
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For a few reasons:
    1. It is a bad practice to give any site complete permission to do anything they want on your PC.
    2. If you start adding things to the Trusted Zone it can start to get out of hand and could make it easy to miss when malware inserts items there.
    3. And I have found that there is almost never any reason why you need them to be added to the Trusted Zone. I have never added anything to the TZ on any PC and have never needed it. Some programs like to add their sites during installation (like MusicMatch) I delete them and there are no problems running anything or updating.
    It's your choice in the end. If you run into a problem that you find something does not work, you can always add them back. But first ask a question, why is it that every site that you goto does not need to be in your TZ and then why do these therefore need to be added.

    Yes! I just downloaded the file. It seems to have a file related to something you use with your printer. You can keep it if desired. Typically things in the O16 section of a HijackThis log are not required and will just be redownloaded when you access the site again if it is needed.

    No! This is for Bitdefender online scan and the file is not missing. HijackThis has a few bugs that sometimes results in reporting files as missing when they are not.

    What did ZoneAlarm say about it? I have no info on this file. Too bad you could not get a Panda log! It may have found it and reported something. You could run the below online file scanner on the file and tell me what it reports.

    http://virusscan.jotti.org/

    If the online scan shows it to be malware, then you can start by just renaming the file to tdopfpgx.xxx. That way you can be sure you do not need it before deleting it.

    That IP address belongs to Savvis? Are they providing you with Internet service? Or are they the actual backbone provider for your ISP?
    You have some new malware that just showed up!

    Make sure viewing of hidden files is enabled (per the tutorial).
    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\dvd43\wunins000.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmwfhh.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\dvd43\wunins000.exe <--- in fact, delete the whole dvd43 folder
    C:\WINDOWS\system32\irsmnwas.dll
    C:\WINDOWS\system32\unirimon.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: May 22, 2006
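Two practical points in the reply above are worth turning into a repeatable routine: a file that cannot be deleted often just has the read-only attribute set (or is still running), and a file you are not sure about should be renamed to a harmless extension such as tdopfpgx.xxx rather than deleted, so it can be put back if something breaks. The script below is an added example of that quarantine-by-rename workflow; it is not a tool from the thread or from MajorGeeks. It clears the read-only bit, renames the file, and records the original path and SHA-256 in a manifest so a later restore can check the file was not tampered with in the meantime. The demo file it creates is a constructed stand-in, not a real binary, and the manifest format is an assumption.

```python
"""Quarantine a suspect file by renaming it (added example), with a manifest for restore."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

QUARANTINE_EXT = ".xxx"  # the extension suggested in the reply above


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def clear_read_only(path: Path) -> bool:
    """Clear the read-only attribute if set. Returns True when it had to be cleared,
    which is the 'cannot delete' situation the reply describes."""
    mode = path.stat().st_mode
    if mode & stat.S_IWRITE:
        return False
    path.chmod(mode | stat.S_IWRITE)
    return True


def quarantine(path: Path, manifest: Path) -> dict:
    """Rename path to path.xxx and append a JSON line describing it to the manifest.
    On Windows the rename raises PermissionError if the file is still executing;
    kill the process (or boot to safe mode) first, as the reply advises."""
    record = {
        "original": str(path),
        "size": path.stat().st_size,
        "sha256": sha256_of(path),
        "read_only_cleared": clear_read_only(path),
    }
    target = path.with_suffix(QUARANTINE_EXT)  # tdopfpgx.exe -> tdopfpgx.xxx
    path.rename(target)
    record["quarantined"] = str(target)
    with manifest.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def restore(record: dict) -> Path:
    """Put a quarantined file back, refusing if its contents changed since quarantine."""
    quarantined = Path(record["quarantined"])
    if sha256_of(quarantined) != record["sha256"]:
        raise ValueError("quarantined file changed since it was set aside")
    original = Path(record["original"])
    quarantined.rename(original)
    return original


def demo_roundtrip() -> dict:
    """Constructed self-test: a fake read-only tdopfpgx.exe in a temp folder."""
    with tempfile.TemporaryDirectory() as d:
        suspect = Path(d) / "tdopfpgx.exe"
        suspect.write_bytes(b"MZ constructed stand-in, not a real binary")
        suspect.chmod(0o444)  # simulate the read-only attribute
        manifest = Path(d) / "quarantine.jsonl"
        record = quarantine(suspect, manifest)
        gone, parked = not suspect.exists(), Path(record["quarantined"]).exists()
        restored = restore(record)
        return {
            "record": record,
            "gone_after_quarantine": gone,
            "xxx_present": parked,
            "restored_exists": restored.exists(),
            "restored_name": restored.name,
            "manifest_lines": manifest.read_text(encoding="utf-8").count("\n"),
        }


if __name__ == "__main__":
    print(json.dumps(demo_roundtrip(), indent=2))
```

The hash in the manifest is also what you would submit to an online multi-engine scanner such as the Jotti service mentioned in the reply, and it lets you confirm that the file you later delete is the same one you quarantined.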
  8. anonymous12

    anonymous12 Private E-2

    I think I'm now clean.. no popups of any kind lately! Hijackthis log attached... let me know if anything else looks suspicious. I already shutdown system restore, rebooted, and re-started system restore since I seem pretty clean.

    Savvis is not my ISP

    I used that jotti.org scanner (very cool to know about!) and it found nothing bad so I won't worry about that file for now.

    Thanks for everything! I hope they pay you for all your hard work..
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But you may want to check if your ISP uses Savvis to provide service. It would be good for you to know who you are truly getting your IP address from.

    You're welcome! No! We do not get paid for doing this!

    Your log is clean. If you are not having any other malware problems, you should work through the below link:

    How to Protect yourself from malware!
     
