Recent problem: Slowdown, viruses of some sort, and many other things.
Join Date: Aug 2006
Posts: 22
Solved Threads: 0
Okay, everything is done with the exception of the AVG AS scan. There are multiple scan choices, which did you want me to pick?
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
This came back a second time.
I just installed AVG Free 7.5, and here is my Vundo Fix log. As I can't tell what is an old addition to the log and what is new, I'll have to post the entire thing.
VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 11:55:17 PM 6/25/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 12:28:06 AM 6/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnmlmm.dll
C:\WINDOWS\system32\opnmlmm.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bxvymww.dll
C:\WINDOWS\system32\bxvymww.dll Has been deleted!
Performing Repairs to the registry.
Done!
Do a scan and note if the second entry comes back. Let me know.
Join Date: May 2005
Posts: 3,204
Solved Threads: 188
Hi, Ayenima, let's continue... since something is interfering with your desktop this next pgm should root out other, like processes:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
If you have not run AVG AS yet hold off for a moment until I see this log.
Deep, deep in the woods, but walking about.
Join Date: Aug 2006
Posts: 22
Solved Threads: 0
SmitFraudFix v2.197
Scan done at 1:53:41.67, Wed 06/27/2007
Run from C:\Documents and Settings\Larry\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Larry
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Larry\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Larry\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Internet Explorer\\rteremejyfs.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Instant Wireless USB Network Adapter ver.2.6 #2 - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11
Description: Instant Wireless USB Network Adapter ver.2.6 #2 - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11
Description: Instant Wireless USB Network Adapter ver.2.6 #2 - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0736B882-5441-4366-A496-4FBF55969319}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5BA24600-FF63-41E1-9506-53AA69F2492B}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{852E3730-E396-4A83-B2A8-D38ED4606B92}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0736B882-5441-4366-A496-4FBF55969319}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5BA24600-FF63-41E1-9506-53AA69F2492B}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{852E3730-E396-4A83-B2A8-D38ED4606B92}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0736B882-5441-4366-A496-4FBF55969319}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5BA24600-FF63-41E1-9506-53AA69F2492B}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{852E3730-E396-4A83-B2A8-D38ED4606B92}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
There's the log.
Join Date: May 2005
Posts: 3,204
Solved Threads: 188
Hi, Ayenima, I'm not taking offence at anything...
Could you please delete ComboFix.exe that you downloaded = C:\Documents and Settings\Larry\Desktop\ComboFix.exe, plus C:\Combofix.txt and the C:\Qoobox folder.
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes, press Yes to bypass System Restore.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using your account if an administrator, otherwise use the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Instead of running a fix with the Smitfraud tool, merely go Start, run, type cmd and press Enter, then paste this line into the window after the prompt and press Enter:
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0" /f
Close the window.
==Start AVG AS and do a complete system scan [ensure recommended action is set to Quarantine as I mentioned before]. Save the log.
Start Avenger, select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\Program Files\Windows NT\mewofyn83122.dll
C:\Program Files\Internet Explorer\rteremejyfs.html
C:\WINDOWS\system32\xxyvsrr.dll
Folders to delete:
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\win
C:\WINDOWS\system32\B4
C:\WINDOWS\system32\B3
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B1
C:\Temp\iee
C:\Temp
_____________________________________
...and click Done, and finally the green light.
Restart in normal mode, make a fresh hijackthis log, post it plus Avenger, and AVG logs.
Deep, deep in the woods, but walking about.
Join Date: Aug 2006
Posts: 22
Solved Threads: 0
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:02:02 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\imsubtle.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 6660 bytes
Avenger Log
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Error: could not create zip file.
Error code: 1813
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vugfjiuf
*******************
Script file located at: \??\C:\Program Files\skkkxkkn.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Program Files\Windows NT\mewofyn83122.dll deleted successfully.
File C:\Program Files\Internet Explorer\rteremejyfs.html not found!
Deletion of file C:\Program Files\Internet Explorer\rteremejyfs.html failed!
Could not process line:
C:\Program Files\Internet Explorer\rteremejyfs.html
Status: 0xc0000034
File C:\WINDOWS\system32\xxyvsrr.dll not found!
Deletion of file C:\WINDOWS\system32\xxyvsrr.dll failed!
Could not process line:
C:\WINDOWS\system32\xxyvsrr.dll
Status: 0xc0000034
Folder C:\WINDOWS\system32\o02PrEz deleted successfully.
Folder C:\WINDOWS\system32\win deleted successfully.
Folder C:\WINDOWS\system32\B4 deleted successfully.
Folder C:\WINDOWS\system32\B3 deleted successfully.
Folder C:\WINDOWS\system32\B2 deleted successfully.
Folder C:\WINDOWS\system32\B1 deleted successfully.
Folder C:\Temp\iee deleted successfully.
Folder C:\Temp deleted successfully.
Completed script processing.
*******************
Finished! Terminate.//////////////////////////////////////////
AVG AS Log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 4:56:33 PM 6/27/2007
+ Scan result:
C:\Program Files\backups\backup-20070626-014558-756.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568639.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\VundoFix Backups\bxvymww.dll.bad -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\backups\backup-20070626-004415-558.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568611.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Program Files\WinPop\winpop.exe -> Adware.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568496.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568600.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\opnmlmm.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xxyvsrr.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\B3\wr620.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568492.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\B2\wen2.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Larry\Cookies\larry@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\WinPop\UnInstall.exe -> Trojan.Small.oa : Cleaned with backup (quarantined).
::Report end
While it was set to Quarantine everything (including the default action), the Trackers remained at Delete.
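To show the kind of check the helper is doing by eye on the HijackThis log (the O24 Desktop Component that kept coming back, the O15 Trusted Zone entries, and O4 autoruns that name a bare executable with no path), here is an added Python triage script; it is example code written for this page, not part of HijackThis, SmitfraudFix or Avenger, and its sample lines are constructed from the logs posted in this thread (the About:Home O24 line is made up to show a component that is not flagged).

```python
"""Triage of HijackThis-style log lines (added example, not a tool from the thread).

Every finding is a "review" item, not a verdict: a bare O4 name also occurs for
legitimate software (the Logitech KHALMNPR.EXE entry in the thread), so the
analyst still has to locate the file on disk before deciding.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the logs posted in this thread, plus one
# made-up About:Home component so that a benign O24 entry is present.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
O24 - Desktop Component 1: My Current Home Page - About:Home
"""

# "O4 - HKLM\..\Run: [name] command" -> code "O4", body "HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_entries(text: str) -> list[tuple[str, str, str]]:
    """Return (code, body, original line) for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body"), raw.strip()))
    return entries


def _executable_of(command: str) -> str:
    """Executable token of an autorun command line (handles quoted paths)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_o4(body: str):
    """Flag autoruns whose executable carries no directory at all."""
    m = re.match(r".*?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", body)
    if not m:
        return None
    exe = _executable_of(m.group("cmd"))
    if "\\" not in exe:
        return "autorun names a bare executable with no directory; locate the file on disk before deciding"
    return None


def check_o15(body: str):
    """Any Trusted Zone addition relaxes IE security for that site; always review."""
    m = re.match(r"Trusted Zone:\s*(?P<site>\S+)", body)
    if m:
        return f"{m.group('site')} was added to the IE Trusted Zone; verify it was added deliberately"
    return None


def check_o24(body: str):
    """Active Desktop components normally point at a web page, not a local file."""
    source = body.rsplit(" - ", 1)[-1].strip()
    if re.match(r"^(?:[A-Za-z]:\\|\\\\|file:)", source, re.IGNORECASE):
        return "Active Desktop component loads a local file; a web page is the expected source"
    return None


CHECKS = {"O4": check_o4, "O15": check_o15, "O24": check_o24}


def triage(text: str) -> list[Finding]:
    """Run the per-section checks over a log and collect the review items."""
    findings = []
    for code, body, line in parse_entries(text):
        check = CHECKS.get(code)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(code, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```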
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 6660 bytes
Avenger Log
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Error: could not create zip file.
Error code: 1813
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vugfjiuf
*******************
Script file located at: \??\C:\Program Files\skkkxkkn.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Program Files\Windows NT\mewofyn83122.dll deleted successfully.
File C:\Program Files\Internet Explorer\rteremejyfs.html not found!
Deletion of file C:\Program Files\Internet Explorer\rteremejyfs.html failed!
Could not process line:
C:\Program Files\Internet Explorer\rteremejyfs.html
Status: 0xc0000034
File C:\WINDOWS\system32\xxyvsrr.dll not found!
Deletion of file C:\WINDOWS\system32\xxyvsrr.dll failed!
Could not process line:
C:\WINDOWS\system32\xxyvsrr.dll
Status: 0xc0000034
Folder C:\WINDOWS\system32\o02PrEz deleted successfully.
Folder C:\WINDOWS\system32\win deleted successfully.
Folder C:\WINDOWS\system32\B4 deleted successfully.
Folder C:\WINDOWS\system32\B3 deleted successfully.
Folder C:\WINDOWS\system32\B2 deleted successfully.
Folder C:\WINDOWS\system32\B1 deleted successfully.
Folder C:\Temp\iee deleted successfully.
Folder C:\Temp deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
//////////////////////////////////////////
AVG AS Log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 4:56:33 PM 6/27/2007
+ Scan result:
C:\Program Files\backups\backup-20070626-014558-756.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568639.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\VundoFix Backups\bxvymww.dll.bad -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\backups\backup-20070626-004415-558.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568611.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Program Files\WinPop\winpop.exe -> Adware.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568496.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568600.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\opnmlmm.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xxyvsrr.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\B3\wr620.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP303\A0568492.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\B2\wen2.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Larry\Cookies\larry@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Larry\Cookies\larry@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\WinPop\UnInstall.exe -> Trojan.Small.oa : Cleaned with backup (quarantined).
::Report end
While it was set to Quarantine everything (including the default action), the Trackers remained at Delete.
Join Date: May 2005
Posts: 3,204
Solved Threads: 188
Hi, Ayenima, that took care of a lot. Please do these things:
Delete the files held in AVG quarantine.
Delete C:\VundoFix Backups
Fix these with hijackthis:
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
Now do a search for any files in your C: drive with "mirar" as a search string, delete any you find [be sensible about that..]
System Restore Points Clearance:
==Now we MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
Run CCleaner again, and as a final check please do the Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Deep, deep in the woods, but walking about.
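The cross-check the helper did by hand above (an O4 autorun entry whose executable AVG Anti-Spyware already quarantined, plus every non-default O15 Trusted Zone entry) can be mechanised. This is an added example, not code from the thread or from any of the tools named in it; the regular expressions are my own and match the HijackThis and AVG report line formats as they appear in this thread, and the sample lines are a constructed subset of the logs posted here.

```python
import re
from dataclasses import dataclass

# Constructed samples: a handful of lines in the shape of the thread's HJT and AVG logs.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

AVG_SAMPLE = r"""
C:\Program Files\WinPop\winpop.exe -> Adware.Rond : Cleaned with backup (quarantined).
C:\Program Files\WinPop\UnInstall.exe -> Trojan.Small.oa : Cleaned with backup (quarantined).
C:\Documents and Settings\Larry\Cookies\larry@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
"""

# "O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe"
HJT_ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_ZONE = re.compile(r"^Trusted Zone: (?P<url>\S+)")
# "<path> -> <detection> : <action>"
AVG_ENTRY = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.*)$")


@dataclass
class Finding:
    code: str    # HJT section code, e.g. O4 or O15
    reason: str  # why the entry should be fixed
    line: str    # the HJT line to tick in the HijackThis fix dialog


def first_exe(cmd: str) -> str:
    """Return the program an O4 command line launches (quoted path, first .exe, or first token)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else cmd


def quarantined_paths(avg_report: str) -> set:
    """Paths AVG reported as moved to quarantine, case-folded because NTFS paths are case-insensitive."""
    paths = set()
    for line in avg_report.splitlines():
        m = AVG_ENTRY.match(line.strip())
        if m and "quarantined" in m.group("action"):
            paths.add(m.group("path").lower())
    return paths


def triage(hjt_log: str, avg_report: str) -> list:
    """Return the HJT entries that should be fixed, in log order."""
    gone = quarantined_paths(avg_report)
    findings = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            run = O4_RUN.match(body)
            # An autorun whose target is gone is a dangling loader: harmless now, but it
            # errors at logon and tells you the adware was installed, so fix it.
            if run and first_exe(run.group("cmd")).lower() in gone:
                findings.append(Finding(code, f"autorun '{run.group('name')}' points at a file AVG quarantined", line))
        elif code == "O15":
            zone = O15_ZONE.match(body)
            # A clean XP box has no Trusted Zone entries; adware adds them so its
            # domains run with IE's lowered security settings.
            if zone:
                findings.append(Finding(code, f"non-default IE Trusted Zone entry for {zone.group('url')}", line))
    return findings


if __name__ == "__main__":
    print("Fix these with HijackThis:")
    for f in triage(HJT_SAMPLE, AVG_SAMPLE):
        print(f"  {f.line}    <- {f.reason}")
```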
Join Date: Aug 2006
Posts: 22
Solved Threads: 0
Everything done except for the Panda scan, it closes randomly, and I don't know what's causing it. The first time I ran a scan I went to bed and woke up a few hours later, I came back to my computer (which was locked) and discovered the scan had disappeared. I've tried it twice more and again the same issue, it randomly closes. It gets to about 20%, with 19 Spyware and 2 Hacking Tools and Utilities found before it exits.
Join Date: May 2005
Posts: 3,204
Solved Threads: 188
Ah, Ayenima, the fun of it all...yeah. Sometimes you win through by plugging away with the same tools; each time they run they get a little bit further.
Let's try this path:
==Run CCleaner, then try a run of AVG AS, Fast system scan. Then try Panda again, it should take no more than an hour for a typical sys, but what is that anyway?
If it fails again try this site for ComboFix [the earlier site you used does not seem to have the latest detections incorporated...]
Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
==Panda still will not run? Then go to this site for an excellent alternative scanner: http://www.kaspersky.com/virusscanner
Unfortunately with this one if it finds a virus or trojan it will just list it.
Come back with how you get on...
Deep, deep in the woods, but walking about.
Join Date: Aug 2006
Posts: 22
Solved Threads: 0
ComboFix Log
"Larry" - 2007-06-30 15:54:39 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\winpop
((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))
2007-06-30 02:36 <DIR> d-------- C:\Burning Crusade
2007-06-28 14:42 <DIR> d-------- C:\Program Files\CCleaner
2007-06-27 14:31 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-27 01:53 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-27 01:53 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-27 01:53 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-27 01:53 2,482 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-26 00:44 <DIR> d-------- C:\Program Files\backups
2007-06-25 23:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 22:51 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-25 21:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-25 20:41 1,308,216 --a------ C:\Program Files\imsubtle.exe
2007-06-25 20:24 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-25 20:24 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-25 20:24 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-25 20:24 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-25 20:24 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-25 20:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\PC Tools
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-25 00:50 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-06-24 22:05 <DIR> d-------- C:\Program Files\Psicraft
2007-06-24 22:05 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Psicraft
2007-06-24 21:35 <DIR> d-------- C:\Program Files\Line6
2007-06-24 21:35 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Line 6
2007-05-08 21:53 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-05-08 21:53 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-05-08 21:53 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-05-08 21:53 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-05-08 21:53 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-05-08 21:53 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-05-08 21:52 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-05-08 21:51 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-05-08 21:51 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-05-08 21:46 <DIR> d-------- C:\Program Files\Timeline Interactive
2007-05-05 02:55 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-05-05 02:52 <DIR> d-------- C:\Program Files\e frontier
2007-05-01 18:24 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-30 19:52:38 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Xfire
2007-06-30 07:49:58 -------- d-s---w C:\Program Files\Xfire
2007-06-30 07:44:47 -------- d-----w C:\Program Files\NavNT
2007-06-30 07:44:47 -------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-06-30 07:44:22 -------- d-----w C:\Program Files\AIM
2007-06-29 06:29:50 -------- d-----w C:\Program Files\World of Warcraft
2007-06-29 05:12:10 -------- d-----w C:\Program Files\Total Video Converter
2007-06-28 07:47:50 -------- d-----w C:\Program Files\Steam
2007-06-27 20:59:37 -------- d-----w C:\Program Files\Windows NT
2007-06-26 03:40:17 -------- d-----w C:\Program Files\BraveTree
2007-06-26 03:35:42 -------- d-----w C:\Program Files\Google
2007-06-26 02:51:45 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-06-26 00:35:57 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Google
2007-06-19 19:04:30 -------- d-----w C:\Program Files\GCH Guitar academy
2007-06-19 03:43:07 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\IGN_DLM
2007-06-16 05:16:32 -------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2007-06-08 03:42:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-20 00:20:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 01:51:14 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 17:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 17:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 17:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 17:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 17:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 17:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 17:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 17:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 17:26:00 5,255,168 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-04-19 17:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 17:26:00 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-04-19 17:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 17:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 17:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 17:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-04-19 17:26:00 3,203,072 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-04-19 17:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 17:26:00 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-04-19 17:26:00 270,336 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-04-19 17:26:00 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-04-19 17:26:00 253,952 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-04-19 17:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 17:26:00 221,184 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 17:26:00 2,973,696 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-04-19 17:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-19 17:26:00 2,859,008 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
2007-04-19 17:26:00 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll
2007-04-19 17:26:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-19 17:26:00 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll
2007-02-23 07:57:59 88 --sh--r C:\WINDOWS\system32\4BFB238848.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 11:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" []
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"Cmaudio"="cmicnfg.cpl" []
"@"="" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"atwtusb"="atwtusb.exe" [2005-02-03 10:37 C:\WINDOWS\system32\atwtusb.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-26 02:30]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2006-11-07 18:22]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Steam"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a15a5a0-aa57-11db-a05a-9ccc57198468}]
AutoRun\command- F:\LaunchU3.exe -a
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 15:58:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-30 15:58:39
C:\ComboFix-quarantined-files.txt ... 2007-06-25 23:23
--- E O F ---
Kaspersky log

Scan Settings

| Setting | Value |
|---|---|
| Scan using the following antivirus database | extended |
| Scan Archives | true |
| Scan Mail Bases | true |
| Scan Target | My Computer (A:\, C:\, D:\, E:\) |

Scan Statistics

| Statistic | Value |
|---|---|
| Total number of scanned objects | 166298 |
| Number of viruses found | 2 |
| Number of infected objects | 7 |
| Number of suspicious objects | 0 |
| Duration of the scan process | 02:30:44 |

| Infected Object Name | Virus Name | Last Action |
|---|---|---|
| C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log | Object is locked | skipped |
| C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log | Object is locked | skipped |
| C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck | Object is locked | skipped |
| C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\021C0000.VBN | Infected: Exploit.HTML.IESlice.d | skipped |
| C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02680000.VBN | Infected: Exploit.HTML.IESlice.d | skipped |
| C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02A80000.VBN | Infected: Exploit.HTML.IESlice.d | skipped |
| C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04A00000.VBN | Infected: Exploit.HTML.IESlice.d | skipped |
| C:\Documents and Settings\Larry\Application Data\Aim\lwbhvxqj\stormreaver226\cert8.db | Object is locked | skipped |
| C:\Documents and Settings\Larry\Application Data\Aim\lwbhvxqj\stormreaver226\key3.db | Object is locked | skipped |
| C:\Documents and Settings\Larry\Cookies\index.dat | Object is locked | skipped |
| C:\Documents and Settings\Larry\Desktop\SmitfraudFix\Reboot.exe | Infected: not-a-virus:RiskTool.Win32.Reboot.f | skipped |
| C:\Documents and Settings\Larry\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe | Infected: not-a-virus:RiskTool.Win32.Reboot.f | skipped |
| C:\Documents and Settings\Larry\Desktop\SmitfraudFix.zip | ZIP: infected - 1 | skipped |
| C:\Documents and Settings\Larry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Object is locked | skipped |
| C:\Documents and Settings\Larry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG | Object is locked | skipped |
| C:\Documents and Settings\Larry\Local Settings\History\History.IE5\index.dat | Object is locked | skipped |
| C:\Documents and Settings\Larry\Local Settings\History\History.IE5\MSHist012007063020070701\index.dat | Object is locked | skipped |
| C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\index.dat | Object is locked | skipped |
| C:\Documents and Settings\Larry\ntuser.dat | Object is locked | skipped |
| C:\Documents and Settings\Larry\ntuser.dat.LOG | Object is locked | skipped |
| C:\Documents and Settings\LocalService\Cookies\index.dat | Object is locked | skipped |
| C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Object is locked | skipped |
| C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG | Object is locked | skipped |
| C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat | Object is locked | skipped |
| C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat | Object is locked | skipped |
| C:\Documents and Settings\LocalService\NTUSER.DAT | Object is locked | skipped |
| C:\Documents and Settings\LocalService\ntuser.dat.LOG | Object is locked | skipped |
| C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Object is locked | skipped |
| C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG | Object is locked | skipped |
| C:\Documents and Settings\NetworkService\NTUSER.DAT | Object is locked | skipped |
| C:\Documents and Settings\NetworkService\ntuser.dat.LOG | Object is locked | skipped |
| C:\Program Files\World of Warcraft\Logs\gx.log | Object is locked | skipped |
| C:\Program Files\World of Warcraft\Logs\Sound.log | Object is locked | skipped |
| C:\System Volume Information\MountPointManagerRemoteDatabase | Object is locked | skipped |
| C:\System Volume Information\_restore{2AA6384C-372E-4275-91A5-6E131A766022}\RP308\change.log | Object is locked | skipped |
| C:\WINDOWS\Debug\PASSWD.LOG | Object is locked | skipped |
| C:\WINDOWS\SchedLgU.Txt | Object is locked | skipped |
| C:\WINDOWS\SoftwareDistribution\ReportingEvents.log | Object is locked | skipped |
| C:\WINDOWS\Sti_Trace.log | Object is locked | skipped |
| C:\WINDOWS\system32\CatRoot2\edb.log | Object is locked | skipped |
| C:\WINDOWS\system32\CatRoot2\tmp.edb | Object is locked | skipped |
| C:\WINDOWS\system32\config\AppEvent.Evt | Object is locked | skipped |
| C:\WINDOWS\system32\config\default | Object is locked | skipped |
| C:\WINDOWS\system32\config\default.LOG | Object is locked | skipped |
| C:\WINDOWS\system32\config\SAM | Object is locked | skipped |
| C:\WINDOWS\system32\config\SAM.LOG | Object is locked | skipped |
| C:\WINDOWS\system32\config\SecEvent.Evt | Object is locked | skipped |
| C:\WINDOWS\system32\config\SECURITY | Object is locked | skipped |
| C:\WINDOWS\system32\config\SECURITY.LOG | Object is locked | skipped |
| C:\WINDOWS\system32\config\software | Object is locked | skipped |
| C:\WINDOWS\system32\config\software.LOG | Object is locked | skipped |
| C:\WINDOWS\system32\config\SysEvent.Evt | Object is locked | skipped |
| C:\WINDOWS\system32\config\system | Object is locked | skipped |
| C:\WINDOWS\system32\config\system.LOG | Object is locked | skipped |
| C:\WINDOWS\system32\drivers\sptd.sys | Object is locked | skipped |
| C:\WINDOWS\system32\h323log.txt | Object is locked | skipped |
| C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR | Object is locked | skipped |
| C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP | Object is locked | skipped |
| C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER | Object is locked | skipped |
| C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP | Object is locked | skipped |
| C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP | Object is locked | skipped |
| C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA | Object is locked | skipped |
| C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP | Object is locked | skipped |
| C:\WINDOWS\TempFile | Object is locked | skipped |
| C:\WINDOWS\wiadebug.log | Object is locked | skipped |
| C:\WINDOWS\wiaservc.log | Object is locked | skipped |
| C:\WINDOWS\WindowsUpdate.log | Object is locked | skipped |

Scan process completed.
Views: 2708 | Replies: 23