Problems...probably spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by tamrielknight, Jan 18, 2006.

  1. tamrielknight

    tamrielknight Private E-2

    Strange...my wallpaper suddenly changed and displayed some lame spyware message. Then, a program called SpySheriff started running and scanning something. My icons on the desktop changed colors too. I ran AdAware, Spybot, and Trend Micro. Fortunately, the noticeable problems are all gone, except my icons have shadows around them and there is this thing called geedc.dll in my system32 folder that I can't get rid of. I'm sure my PC is infected. I'd like to show you my HJT log. THANKS!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. tamrielknight

    tamrielknight Private E-2

    Ok, here are all the logs the instructions ask for. When I booted into safe mode, it took a really long time; safe mode ran super slow also.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CAUTION: Your log shows evidence of PWSteal.T . This trojan sends information about:
    • Cached passwords
    • Collected Email addresses
    • Created logfiles
    • IP address
    • Current malware status
    • Opened port
    • Collected information described in stealing section
    • Information about the Windows operating system

    It is advised that you change all passwords for ALL accounts (especially financial related) that you have accessed from this PC. Your security may have been compromised and the safest thing to do is to change the passwords NOW! Do not do that from this PC! Either call up and have them changed or do it from another PC that you are sure is clean.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now click Start > Run > type services.msc and click OK.

    Locate System Startup Service and right-click on it to bring up the Service Properties window. (If you do not find that service, look for SvcProc.)
    First: Stop the service by clicking the Stop button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply.

    Now please run HijackThis click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:

    System Startup Service

    If that does not work try entering the short name: SvcProc

    Now exit HijackThis but do not reboot when it tells you it needs to. We will reboot later on.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O20 - Winlogon Notify: winprint - winprint.dll (file missing)
    O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - C:\WINDOWS\system32\gepokcai.dll (file missing)
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\All Users\Application Data\msw <--- the whole folder
    C:\Documents and Settings\Tavi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-762d722b-3120e2c8.class
    C:\Documents and Settings\Tavi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df4-21ef2186.zip[Dummy.class]
    C:\Documents and Settings\Tavi\Local Settings\Temporary Internet Files\Ssk.log
    C:\Documents and Settings\Tavi\Application Data\tvmknwrd.dll
    C:\Documents and Settings\Tavi\Favorites\Fun & Games
    C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar[isearch.js]
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
    C:\WINDOWS\anatynm.exe
    C:\WINDOWS\country.exe
    C:\WINDOWS\deskbar.ini
    C:\WINDOWS\DH.dll
    C:\WINDOWS\dsearch1.bin
    C:\WINDOWS\kl.exe
    C:\WINDOWS\teller2.chk
    C:\WINDOWS\ms1.exe
    C:\WINDOWS\tool2.exe
    C:\WINDOWS\tool3.exe
    C:\WINDOWS\tool5.exe
    C:\WINDOWS\inet20003 <--- the whole folder
    C:\WINDOWS\INF\banner.inf
    C:\WINDOWS\SYSTEM32\bs51-eginwl51-vb.exe
    C:\WINDOWS\SYSTEM32\data.~
    C:\WINDOWS\SYSTEM32\Free Cell Phone.ico
    C:\WINDOWS\SYSTEM32\gogotools.exe
    C:\WINDOWS\SYSTEM32\mac02.ico
    C:\WINDOWS\SYSTEM32\saieau.dat
    C:\WINDOWS\SYSTEM32\stlb2.xml
    C:\WINDOWS\SYSTEM32\winupdt.008
    C:\WINDOWS\system32\20007.exe
    C:\WINDOWS\system32\ccadafcl.exe
    C:\WINDOWS\system32\nsu33.dll
    C:\WINDOWS\system32\pmnlj.dll
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
    C:\WINDOWS\SYSTEM32\CACHE\mswinstall.exe
    C:\WINDOWS\SYSTEM32\cache32_dsktptr
    C:\WINDOWS\system32\Cache\gogotoolssilawo18pi.exe
    C:\WINDOWS\system32\Cache\trafficgen-fran.exe
    C:\WINDOWS\system32\oobe\emachines\Preinstall.cmd

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and, as an additional precaution, run the steps below for Ewido and attach the Ewido log.

    Running Ewido Security Suite

    Then attach a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
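The manual steps in the post above (stop, disable and delete the SvcProc service; remove the O20/O21 autostart entries; delete the listed files after clearing read-only and killing any process running from them; empty Prefetch on XP), collected into one script. This is an added example, not part of the original thread and not a MajorGeeks tool. It assumes an elevated PowerShell prompt run in Safe Mode (the post itself uses services.msc, HijackThis and Windows Explorer), that HijackThis's O20 and O21 items live in the standard Winlogon\Notify and ShellServiceObjectDelayLoad registry keys, and that a bracketed suffix such as `[Dummy.class]` is scanner notation for an entry inside an archive, so the archive file itself is what gets deleted. The contents of fixme.reg are not on the page and are not reproduced here.

```powershell
# Added example (not from the original post). Run elevated, in Safe Mode.
# Paths and service names are copied from chaslang's post; the registry
# locations for the O20/O21 items are assumed to be the standard HJT ones.

# 1. "System Startup Service" (short name SvcProc): stop, disable, delete.
function Remove-RogueService {
    param([string]$DisplayName, [string]$ShortName)
    $svc = Get-Service | Where-Object { $_.DisplayName -eq $DisplayName -or $_.Name -eq $ShortName }
    if (-not $svc) { Write-Host "Service not present: $DisplayName / $ShortName"; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $svc.Name -StartupType Disabled
    & sc.exe delete $svc.Name | Out-Null      # equivalent of HJT "Delete an NT service"
}

# 2. The O20 Winlogon Notify (winprint) and O21 SSODL (SysTray.Exiv) entries.
function Remove-AutostartEntries {
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winprint'
    if (Test-Path $notify) { Remove-Item -Path $notify -Recurse -Force }
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjectDelayLoad'
    if (Test-Path $ssodl) { Remove-ItemProperty -Path $ssodl -Name 'SysTray.Exiv' -ErrorAction SilentlyContinue }
}

# 3. Delete one file or folder: clear read-only, kill a process running from it, remove.
#    -LiteralPath is required: several names contain [ ] or { }, which PowerShell
#    would otherwise treat as wildcard characters.
function Remove-MalwareFile {
    param([string]$Path)
    # "archive.zip[Dummy.class]" names an entry inside an archive (assumption, see lead-in);
    # the file on disk is the archive itself.
    $Path = $Path -replace '\[[^\]]*\]$', ''
    if (-not (Test-Path -LiteralPath $Path)) { Write-Host "Not found: $Path"; return }
    $item = Get-Item -LiteralPath $Path -Force
    if (($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0) {
        $item.Attributes = $item.Attributes -band (-bnot [IO.FileAttributes]::ReadOnly)
    }
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $Path) } |
        Stop-Process -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $Path -Recurse -Force
    Write-Host "Removed: $Path"
}

# Targets exactly as listed in the post (profile name Tavi is from the user's log).
$targets = @(
    'C:\Documents and Settings\All Users\Application Data\msw',
    'C:\Documents and Settings\Tavi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-762d722b-3120e2c8.class',
    'C:\Documents and Settings\Tavi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df4-21ef2186.zip[Dummy.class]',
    'C:\Documents and Settings\Tavi\Local Settings\Temporary Internet Files\Ssk.log',
    'C:\Documents and Settings\Tavi\Application Data\tvmknwrd.dll',
    'C:\Documents and Settings\Tavi\Favorites\Fun & Games',
    'C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar[isearch.js]',
    'C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll',
    'C:\WINDOWS\anatynm.exe', 'C:\WINDOWS\country.exe', 'C:\WINDOWS\deskbar.ini', 'C:\WINDOWS\DH.dll',
    'C:\WINDOWS\dsearch1.bin', 'C:\WINDOWS\kl.exe', 'C:\WINDOWS\teller2.chk', 'C:\WINDOWS\ms1.exe',
    'C:\WINDOWS\tool2.exe', 'C:\WINDOWS\tool3.exe', 'C:\WINDOWS\tool5.exe', 'C:\WINDOWS\inet20003',
    'C:\WINDOWS\INF\banner.inf', 'C:\WINDOWS\SYSTEM32\bs51-eginwl51-vb.exe', 'C:\WINDOWS\SYSTEM32\data.~',
    'C:\WINDOWS\SYSTEM32\Free Cell Phone.ico', 'C:\WINDOWS\SYSTEM32\gogotools.exe', 'C:\WINDOWS\SYSTEM32\mac02.ico',
    'C:\WINDOWS\SYSTEM32\saieau.dat', 'C:\WINDOWS\SYSTEM32\stlb2.xml', 'C:\WINDOWS\SYSTEM32\winupdt.008',
    'C:\WINDOWS\system32\20007.exe', 'C:\WINDOWS\system32\ccadafcl.exe', 'C:\WINDOWS\system32\nsu33.dll',
    'C:\WINDOWS\system32\pmnlj.dll', 'C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho',
    'C:\WINDOWS\SYSTEM32\CACHE\mswinstall.exe', 'C:\WINDOWS\SYSTEM32\cache32_dsktptr',
    'C:\WINDOWS\system32\Cache\gogotoolssilawo18pi.exe', 'C:\WINDOWS\system32\Cache\trafficgen-fran.exe',
    'C:\WINDOWS\system32\oobe\emachines\Preinstall.cmd'
)

Remove-RogueService -DisplayName 'System Startup Service' -ShortName 'SvcProc'
Remove-AutostartEntries
foreach ($t in $targets) { Remove-MalwareFile -Path $t }

# 4. Windows XP only (NT 5.x): empty the Prefetch folder.
if ([Environment]::OSVersion.Version.Major -eq 5) {
    Remove-Item -Path "$env:windir\Prefetch\*" -Force -ErrorAction SilentlyContinue
}
```

Review `$targets` against the list in the post before running, and keep the post's other cautions: close every browser window first, and reboot only after the deletions and CCleaner have run. Deleting the service with sc.exe does the same thing as HijackThis's "Delete an NT service", so use one or the other, not both.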
     
  5. tamrielknight

    tamrielknight Private E-2

    Thanks. My display is normal again. Here are my two logs.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
