0

I've been attempting to remove the Vundo Trojan from a computer, and thanks to the instructions from another website http://www.virusspy.com/spyware/removewinfixer.html I think I've managed to actually get rid of it. I'd say I followed the instructions given with about 90% accuracy (one of the programs wouldn't run in safe mode). Well, after all is said and done, the only thing I have left to do is finish up with HijackThis. None of the scanners are finding the actual Trojan anymore; however, I am getting two new error messages upon startup every time. They are both RUNDLL error messages saying "Error loading C:\WINDOWS\System32\vyaqfgmb.dll The specified module could not be found." And actually the second error message is identical except it's looking for the file ssxjwpvi.dll in the same folder. I googled both of those file names and got nothing at all.
They look to me like incorrect registry entries, or remnants of the recently removed infection. Are the steps necessary to get rid of these error messages tied to successfully using HijackThis? If so, here is the log from HJT along with the results from AVG Anti-Spyware, as requested by 'Stein.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:58:49 PM 3/5/2008

+ Scan result:

C:\Documents and Settings\TiFF\Cookies\tiff@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.


::Report end


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:26 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\AOL\1152319491\ee\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: {0f0fa4b1-9918-d7f8-3614-d4e08d9bb730} - {037bb9d8-0e4d-4163-8f7d-81991b4af0f0} - C:\WINDOWS\system32\alvxqeif.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {60230987-671C-48C0-9027-F878B5ADFE23} - C:\Program Files\MSN\meqodagu83122.dll (file missing)
O2 - BHO: (no name) - {7B48FCAF-4163-4DC9-6154-4E71B57896E8} - C:\WINDOWS\system32\bqdst.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: (no name) - {8a950f9b-0b1b-4752-868b-f42c7be6e04a} - C:\WINDOWS\system32\rrvfhlv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [{5A-A7-70-07-ZN}] C:\DOCUME~1\TiFF\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [WinAntiSpyware 2006 Free] "C:\Program Files\WinAntiSpyware 2006 Free\was6.exe" /min
O4 - HKLM\..\Run: [DC6_Check] "C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasdc.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasers.exe"
O4 - HKLM\..\Run: [4cf5a7a8] "rundll32.exe" "C:\WINDOWS\system32\ssxjwpvi.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM4fc69434] "Rundll32.exe" "C:\WINDOWS\system32\vyaqfgmb.dll",s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\TiFF\Local Settings\Temp\thinksnet.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: khffdby - khffdby.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtele.html

--
End of file - 7632 bytes

Also, if it makes any difference, the PC is a Dell laptop: Inspiron E1405 running Intel 1.66GHz & 1GB of RAM,
XP Media Center Edition Service Pack 2.


Thanks in advance for any and all help on the matter!:)

2 Contributors, 16 Replies, 17 Views, 9 Years Discussion Span, Last Post by PhilliePhan
0

however I am getting two new error messages upon startup every time. They are both RUNDLL error messages saying "Error loading C:\WINDOWS\System32\vyaqfgmb.dll The specified module could not be found." And actually the second error message is identical except it's looking for the file ssxjwpvi.dll in the same folder. I googled both of those file names and got nothing at all.
They look to me like incorrect registry entries, or remnants of the recently removed infection.

Hi Bobby,

You are correct - those are registry remnants from the removed malware.

Looks like you did not get it all. Please do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • Double-click mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

NEXT:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

When it finishes, it ought to

  • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
  • Restore your Internet connection.

IMPORTANT:

  • Do not use your computer while Combofix is running.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    If you've lost your Internet connection when ComboFix has completely finished, restart your computer to restore it.

Please post that log for us.

LASTLY:
Run HijackThis and Open the Misc Tools section.
Open the Uninstall Manager and Click Save list
Save it to your desktop and then please post the list.

I'd like to see those three logs:
1- MBA-M Log
2 - ComboFix Log
3- Uninstall List

I will try to check back in a timely manner, but have been a bit overextended with work lately.

Best Luck :)
PP
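The two RUNDLL dialogs Bobby describes and the "registry remnants" PP identifies are the same thing seen from two sides: a Run value that still tells rundll32 to load a DLL the cleanup already removed, so Windows reports "The specified module could not be found" at every logon. As an added illustration (not code from this thread, from HijackThis, or from any of the tools mentioned), the Python below parses the O2, O4 and O20 line formats shown in the log above and flags entries whose target file is absent. The sample lines are copied from the posted log; the set of "existing" files is a constructed stand-in for the disk so the script runs offline (omit the exists argument to check a real disk with os.path.exists).

```python
"""Triage HijackThis (HJT) log lines for orphaned autostart entries.

Added illustration for this thread; not part of HijackThis or any tool here.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample: lines copied from the HJT log posted above.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: {0f0fa4b1-9918-d7f8-3614-d4e08d9bb730} - {037bb9d8-0e4d-4163-8f7d-81991b4af0f0} - C:\WINDOWS\system32\alvxqeif.dll (file missing)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r'O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE',
    r'O4 - HKLM\..\Run: [4cf5a7a8] "rundll32.exe" "C:\WINDOWS\system32\ssxjwpvi.dll",b',
    r'O4 - HKLM\..\Run: [BM4fc69434] "Rundll32.exe" "C:\WINDOWS\system32\vyaqfgmb.dll",s',
    r"O20 - Winlogon Notify: khffdby - khffdby.dll (file missing)",
]

# Constructed stand-in for the disk: only the two legitimate targets "exist".
# Windows paths are case-insensitive, so everything is compared lower-cased.
SAMPLE_EXISTING = {
    r"C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll".lower(),
    r"C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE".lower(),
}

# Line shapes as HijackThis prints them (see the log above).
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$")


@dataclass
class Finding:
    section: str   # HJT section: O2 (BHO), O4 (Run value), O20 (Winlogon Notify)
    name: str      # BHO display name, Run value name, or Notify subkey
    target: str    # file the entry tries to load
    reason: str


def _first_token(cmd: str) -> str:
    """Return the program path from a Run-value command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_hjt(lines: Iterable[str],
               exists: Optional[Callable[[str], bool]] = None) -> List[Finding]:
    """Flag autostart entries whose target file no longer exists.

    `exists` lets a caller substitute a constructed file list (as the sample
    does); by default the real disk is consulted through os.path.exists.
    """
    if exists is None:
        exists = os.path.exists
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m.group("missing") or not exists(m.group("path")):
                findings.append(Finding("O2", m.group("name"), m.group("path"),
                                        "BHO CLSID still registered but its DLL is gone"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if m.group("missing") or not exists(m.group("dll")):
                findings.append(Finding("O20", m.group("name"), m.group("dll"),
                                        "Winlogon Notify package points at a DLL that is gone"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            if r:
                # rundll32 with a vanished DLL is exactly what produces the
                # "Error loading <dll> ... The specified module could not be found" dialog.
                dll = r.group("dll").strip()
                if not exists(dll):
                    findings.append(Finding("O4", name, dll,
                                            "rundll32 Run value whose DLL is gone (RUNDLL error at logon)"))
            else:
                exe = _first_token(cmd)
                if exe and not exists(exe):
                    findings.append(Finding("O4", name, exe, "Run value whose program is gone"))
    return findings


def logon_popup_dlls(findings: List[Finding]) -> List[str]:
    """DLL paths that will each raise a RUNDLL error dialog at every logon."""
    return [f.target for f in findings
            if f.section == "O4" and f.reason.startswith("rundll32")]


def sample_findings() -> List[Finding]:
    """Run the triage over the constructed sample with the constructed disk view."""
    return triage_hjt(SAMPLE_HJT_LINES, exists=lambda p: p.lower() in SAMPLE_EXISTING)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.section:<4} [{f.name}] -> {f.target}: {f.reason}")
```

Run against the sample, the script reports the orphaned BHO (alvxqeif.dll), the two rundll32 Run values (ssxjwpvi.dll and vyaqfgmb.dll, which match the two dialogs in the first post), and the missing Winlogon Notify package (khffdby.dll), while the legitimate Acrobat and McAfee entries pass. On a real machine the Run values themselves are what an HJT fix removes; the script only reads the log and never touches the registry.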

0

Here are the log files in order as requested. I hope you have a search engine for whatever you're looking for!

MBA-M Log

Malwarebytes' Anti-Malware 1.06
Database version: 459

Scan type: Full Scan (C:\|)
Objects scanned: 74210
Time elapsed: 20 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{4340df8e-d7a3-4675-be74-80077b2b3e81} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5acae4b8-62d9-4124-a58a-9b1258b77e99} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d12fb216-99da-4eb3-9cc0-c0f760b174a0} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d56c1af1-3fde-471c-9bc2-c52515f260c1} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e656b867-992c-4462-a27d-ebe604ec3a48} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e656b867-aa2c-4462-a27d-ebe604ec3a48} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\f02WtR (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinAntiSpyware 2006 Free (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinAntiSpyware 2007 (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\poolsv (Multiple.Malware.Installer) -> Quarantined and deleted successfully.
C:\Program Files\svhost (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2006\Logs (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007 (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\TiFF\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2006\Logs\update.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\WinAntiVirus Pro 2006\Logs\winav.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqrqqop.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\tcb.pmw (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\TiFF\Start Menu\Programs\Startup\TA_Start.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\TiFF\Desktop\WinAntiSpyware 2006.lnk (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.





-----------------------------------------------------------------------------

ComboFix Log

ComboFix 08-03-05.1 - TiFF 2008-03-05 16:44:46.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.438 [GMT -6:00]
Running from: C:\Documents and Settings\TiFF\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\TiFF\Application Data\ASEMBL~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\stem~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ystem~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WA6P
C:\WINDOWS\BM4fc69434.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\howofwld.ini
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\ivpwjxss.ini
C:\WINDOWS\system32\lncvqtme.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\win
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z2

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


(((((((((((((((((((((((((   Files Created from 2008-02-05 to 2008-03-05  )))))))))))))))))))))))))))))))
.

2008-03-05 16:20 . 2008-03-05 16:20 <DIR>    d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 16:20 . 2008-03-05 16:20 <DIR>    d--------   C:\Documents and Settings\TiFF\Application Data\Malwarebytes
2008-03-05 16:20 . 2008-03-05 16:20 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 14:27 . 2007-12-04 06:54 95,608  --a------   C:\WINDOWS\system32\AvastSS.scr
2008-03-04 14:27 . 2007-12-04 08:55 94,544  --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-04 14:27 . 2007-12-04 08:56 93,264  --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-04 14:27 . 2007-12-04 08:51 42,912  --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-04 14:27 . 2007-12-04 08:49 26,624  --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-04 14:27 . 2007-12-04 08:53 23,152  --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-04 14:26 . 2008-03-04 14:26 <DIR>    d--------   C:\Program Files\Alwil Software
2008-03-04 14:26 . 2007-12-04 07:04 837,496 --a------   C:\WINDOWS\system32\aswBoot.exe
2008-03-04 14:26 . 2004-01-09 03:13 380,928 --a------   C:\WINDOWS\system32\actskin4.ocx
2008-03-04 14:00 . 2008-03-04 14:04 1,355   --a------   C:\WINDOWS\imsins.BAK
2008-03-04 13:58 . 2007-07-09 07:16 582,656 ---------   C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-04 13:50 . 2008-03-04 13:50 <DIR>    d--------   C:\Program Files\CCleaner
2008-03-03 10:23 . 2008-03-03 10:23 <DIR>    d--------   C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-01 12:24 . 2008-03-03 11:19 <DIR>    d--------   C:\VundoFix Backups
2008-03-01 11:03 . 2008-03-03 17:04 <DIR>    d--------   C:\Documents and Settings\TiFF\.housecall6.6
2008-02-29 14:42 . 2008-02-29 14:42 <DIR>    d--------   C:\Program Files\Windows Defender
2008-02-29 14:31 . 2008-03-05 14:03 <DIR>    d--------   C:\HJT
2008-02-29 14:25 . 2008-02-29 14:25 <DIR>    d--------   C:\Documents and Settings\TiFF\Application Data\Grisoft
2008-02-29 14:25 . 2007-05-30 06:10 10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-29 14:24 . 2008-02-29 14:24 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-27 16:09 . 2008-02-27 16:09 <DIR>    d--------   C:\Program Files\Webroot
2008-02-27 16:09 . 2008-02-27 16:09 <DIR>    d--------   C:\Documents and Settings\TiFF\Application Data\Webroot
2008-02-27 16:09 . 2008-02-27 16:09 <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-27 16:09 . 2008-02-27 16:09 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-27 16:09 . 2008-01-04 20:56 1,526,640   --a------   C:\WINDOWS\WRSetup.dll
2008-02-27 16:09 . 2008-01-04 20:34 163,696 --a------   C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-27 16:09 . 2008-01-04 20:34 23,920  --a------   C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-27 16:09 . 2008-01-04 20:34 21,872  --a------   C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-27 16:09 . 2008-01-04 20:34 20,336  --a------   C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-27 16:06 . 2008-02-27 16:06 164 --a------   C:\install.dat
2008-02-26 14:11 . 2008-02-26 13:26 691,545 --a------   C:\WINDOWS\unins000.exe
2008-02-26 14:11 . 2008-02-26 14:11 2,542   --a------   C:\WINDOWS\unins000.dat
2008-02-26 13:23 . 2008-02-26 13:23 <DIR>    d--------   C:\WINDOWS\system32\LogFiles

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 19:52    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 17:00    ---------   d-----w C:\Program Files\DIGStream
2008-02-29 20:18    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-29 20:17    9,344   ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-02-29 20:17    8,320   ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-05-07 18:21    88  -csh--r C:\WINDOWS\system32\ECA4C9D3B0.sys
2007-05-07 18:21    3,766   -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{037bb9d8-0e4d-4163-8f7d-81991b4af0f0}]
            C:\WINDOWS\system32\alvxqeif.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60230987-671C-48C0-9027-F878B5ADFE23}]
            C:\Program Files\MSN\meqodagu83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B48FCAF-4163-4DC9-6154-4E71B57896E8}]
            C:\WINDOWS\system32\bqdst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8a950f9b-0b1b-4752-868b-f42c7be6e04a}]
            C:\WINDOWS\system32\rrvfhlv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 11:10 50792]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 19:50 112216]
"4cf5a7a8"="rundll32.exe" [2004-08-10 04:00 33280 C:\WINDOWS\system32\rundll32.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"BM4fc69434"="Rundll32.exe" [2004-08-10 04:00 33280 C:\WINDOWS\system32\rundll32.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rtele.html
FriendlyName= 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffdby]
khffdby.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TiFF^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\TiFF\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-04-20 11:10 50792 C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
--------- 2005-02-23 14:57 57344 C:\Program Files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6_check]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-04-06 13:58 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 01:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-09-08 04:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 02:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 13:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS_check]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-29 15:01 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-04-20 11:10 50792 C:\Program Files\Common Files\AOL\1152319491\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-12-13 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2005-12-28 10:56 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2005-12-28 10:55 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a--c--- 2006-02-17 10:59 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 09:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 09:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2006-12-19 10:27 136768 C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mnzmscqe]
C:\Program Files\Common Files\?ystem\w?aclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 01:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a--c--- 2006-08-30 11:46 183367 C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-29 14:54 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
--a------ 2007-02-22 19:50 112216 C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 15:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-10 04:00 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 10:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
C:\WINDOWS\system32\uloifjyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.0\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5A-A7-70-07-ZN}]
C:\windows\system32\lldsregq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"PcCtlCom"=2 (0x2)
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"MDM"=2 (0x2)
"gusvc"=3 (0x3)
"EvtEng"=2 (0x2)
"AOL ACS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1152319491\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1152319491\\ee\\aim6.exe"=

S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 22:51:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 16:49:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\common files\aol\1152319491\ee\aim6.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.
**************************************************************************
.
Completion time: 2008-03-05 16:52:11 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-05 22:52:07
.
2008-03-04 20:56:21 --- E O F ---  




--------------------------------------------------------------------------------------------------------


HJT Uninstall list


Ad-Aware 2007
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
AIM 6
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
avast! Antivirus
AVG Anti-Spyware 7.5
Broadcom Management Programs
CCleaner (remove only)
Cisco Clean Access Agent
Conexant HDA D110 MDC V.92 Modem
Corel Photo Album 6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Support 3.1
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
ESPNMotion
Games, Music, & Photos Launcher
GemMaster Mystic
Get High Speed Internet!
Google Desktop
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
mIWA
Mixer
mLogView
mMHouse
Modem Helper
Mozilla Firefox (2.0.0.12)
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
mWlsSafe
mWMI
mXML
mZConfig
NetWaiting
NetZeroInstallers
Plaxo Toolbar for Outlook (with AIM Enhancements)
Qualxserve Service Agreement
QuickSet
QuickTime
RealPlayer Basic
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB Demo
Spy Sweeper
Spybot - Search & Destroy 1.5.2.20
Synaptics Pointing Device Driver
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Defender
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB908246


Here are the log files in order as requested. I hope you have a search engine for whatever you're looking for!

LOL!

I have a pretty good idea of what I am looking for. Though, I should say that you ought not use Diagnostic Startup via msconfig as a "startup manager." There are better ways to deal with unwanted startups and malware. Plus, it adds to the workload of forum volunteers to have to deal with them.


Anyhoo, please do the following:

FIRST-
Look in Add/Remove Programs and UNINSTALL the following:

Adobe Reader 6.0.1 --> You'll need to update to the latest version.
Java 2 Runtime Environment, SE v1.4.2_03 --> This is probably the culprit that paved the way for Vundo. See instructions at end of fix steps to update Java.
McAfee VirusScan Enterprise --> Remove, since you are using AVAST! now.
Viewpoint Manager (Remove Only)
Viewpoint Media Player

THEN:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log


NEXT:
Please run http://www.eset.com/onlinescan/

-- You will need to temporarily disable your current Anti-virus program.
-- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.
-- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
-- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
Please post that for me.


THEN:
Go and Update your Java here ---> http://www.java.com/en


LASTLY:
Give me a Fresh HijackThis Log from after all of the above has been completed.

I'll want to see:
1) New ComboFix Log
2) ESET Online Scan Log
3) Fresh HijackThis Log

Will check back as time permits.

Cheers :)
PP
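The CFScript step above removes the leftover loading points that keep calling rundll32.exe for DLLs the earlier tools already deleted. As an added example that is not part of this thread, the following Python triages a pasted HijackThis log for exactly that pattern: it parses the `O4 - HKLM\..\Run` lines, works out which file each entry actually depends on (the DLL for a rundll32.exe launcher, otherwise the program itself) and reports the entries whose target is gone. The sample lines are copied from the HijackThis log posted later in this thread plus one constructed legitimate rundll32 entry (`example.dll`), and the filesystem is replaced by a constructed lookup so the script runs on any OS.

```python
"""Triage HijackThis O4 (Run key) lines for start-up entries whose target file is missing.

Added example (not from this thread): after a cleanup removes a malicious DLL but not the
Run value that loads it, Windows keeps running rundll32.exe against a path that no longer
exists. This parses O4 lines, extracts the file each entry depends on, and reports orphans.
The filesystem check is injected so a pasted log can be triaged on any OS.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# O4 - HKLM\..\Run: [BM4fc69434] "Rundll32.exe" "C:\WINDOWS\system32\vyaqfgmb.dll",s
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)
# rundll32[.exe] <dll>[,<entrypoint>], with either token optionally quoted
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*(?:,\s*(?P<entry>\S*))?\s*$',
    re.IGNORECASE,
)


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str
    program: str           # executable the Run value launches
    dll: Optional[str]     # DLL handed to rundll32.exe, else None

    @property
    def target(self) -> str:
        """The file that must exist for the entry to do anything."""
        return self.dll or self.program


def _program_of(cmd: str) -> str:
    """First token of a Windows command line, tolerating unquoted paths with spaces."""
    quoted = re.match(r'^"(?P<q>[^"]+)"', cmd)
    if quoted:
        return quoted.group('q')
    bare = re.match(r'^(?P<p>.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)', cmd, re.IGNORECASE)
    return bare.group('p') if bare else cmd.split()[0]


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one HijackThis O4 line; return None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    loader = RUNDLL_RE.match(cmd)
    return RunEntry(
        hive=m.group('hive'), key=m.group('key'), name=m.group('name'), command=cmd,
        program=_program_of(cmd),
        dll=loader.group('dll').strip() if loader else None,
    )


def is_orphan(entry: RunEntry, exists: Callable[[str], bool]) -> bool:
    """True when the entry's target is a full path that no longer exists.

    Bare names (rundll32.exe, a DLL without a directory) are resolved through the
    PATH / DLL search order at run time and cannot be judged from a log alone.
    """
    target = entry.target
    if '\\' not in target:
        return False
    return not exists(target)


def orphaned_entries(lines: Iterable[str],
                     exists: Callable[[str], bool] = os.path.exists) -> List[RunEntry]:
    """Return the O4 entries in `lines` whose target file is missing."""
    return [e for e in map(parse_o4, lines) if e is not None and is_orphan(e, exists)]


# O4 lines copied from the HijackThis log in this thread, plus one constructed legitimate
# rundll32 entry (example.dll) showing that a loader whose DLL is present is not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [4cf5a7a8] "rundll32.exe" "C:\WINDOWS\system32\ssxjwpvi.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM4fc69434] "Rundll32.exe" "C:\WINDOWS\system32\vyaqfgmb.dll",s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [ExampleCpl] rundll32.exe C:\WINDOWS\system32\example.dll,Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

# Constructed stand-in for the filesystem: legitimate targets are present, the two
# Vundo DLLs were deleted by the cleanup, so their Run values are now orphaned.
PRESENT = {p.lower() for p in (
    r"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe",
    r"C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe",
    r"C:\WINDOWS\system32\example.dll",
    r"C:\WINDOWS\system32\ctfmon.exe",
)}


def sample_exists(path: str) -> bool:
    """Case-insensitive lookup against the constructed filesystem (Windows paths are case-insensitive)."""
    return path.lower() in PRESENT


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG, sample_exists):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> missing {e.target}")
```

Against a real machine, pass `os.path.exists` (the default) and feed it the O4 lines of a freshly saved HijackThis log; the two orphaned loaders are the ones a fix script then removes from the Run key.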


I am much obliged for your rapid responses and detailed instructions. I will resume your steps in about 14 hours when I am at my desk again.

I should say that you ought not use Diagnostic Startup via msconfig as a "startup manager." There are better ways to deal with unwanted startups and malware. Plus, it adds to the workload of forum volunteers to have to deal with them.

Such as? And how so?


I am much obliged for your rapid responses and detailed instructions. I will resume your steps in about 14 hours when I am at my desk again.

You're welcome :)

No worries - and no rush. I should be around tomorrow evening.

Such as? And how so?

The how so part is that it adds more stuff for us to sift through and deal with accordingly. Just a little extra work.

As for the "such as," my friend Chaslang has a good and thorough explanation here. Check it out:
Dealing with Startup Processes


Catch you tomorrow evening :)
PP


Here is...
New ComboFix log, run with the script

ComboFix 08-03-05.3 - TiFF 2008-03-06 12:23:56.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.501 [GMT -6:00]
Running from: C:\Documents and Settings\TiFF\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\TiFF\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\alvxqeif.dll
C:\WINDOWS\system32\bqdst.dll
C:\WINDOWS\system32\khffdby.dll
C:\windows\system32\lldsregq.exe
C:\WINDOWS\system32\rrvfhlv.dll
C:\WINDOWS\system32\uloifjyv.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\err.log
C:\Documents and Settings\TiFF\err.log
C:\Documents and Settings\TiFF\ResErrors.log
C:\WINDOWS\imsins.BAK

.
(((((((((((((((((((((((((   Files Created from 2008-02-06 to 2008-03-06  )))))))))))))))))))))))))))))))
.

2008-03-05 16:20 . 2008-03-05 16:20 <DIR>    d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 16:20 . 2008-03-05 16:20 <DIR>    d--------   C:\Documents and Settings\TiFF\Application Data\Malwarebytes
2008-03-05 16:20 . 2008-03-05 16:20 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 14:27 . 2007-12-04 06:54 95,608  --a------   C:\WINDOWS\system32\AvastSS.scr
2008-03-04 14:27 . 2007-12-04 08:55 94,544  --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-04 14:27 . 2007-12-04 08:56 93,264  --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-04 14:27 . 2007-12-04 08:51 42,912  --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-04 14:27 . 2007-12-04 08:49 26,624  --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-04 14:27 . 2007-12-04 08:53 23,152  --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-04 14:26 . 2008-03-04 14:26 <DIR>    d--------   C:\Program Files\Alwil Software
2008-03-04 14:26 . 2007-12-04 07:04 837,496 --a------   C:\WINDOWS\system32\aswBoot.exe
2008-03-04 14:26 . 2004-01-09 03:13 380,928 --a------   C:\WINDOWS\system32\actskin4.ocx
2008-03-04 13:58 . 2007-07-09 07:16 582,656 ---------   C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-04 13:50 . 2008-03-04 13:50 <DIR>    d--------   C:\Program Files\CCleaner
2008-03-03 10:23 . 2008-03-03 10:23 <DIR>    d--------   C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-01 12:24 . 2008-03-03 11:19 <DIR>    d--------   C:\VundoFix Backups
2008-03-01 11:03 . 2008-03-03 17:04 <DIR>    d--------   C:\Documents and Settings\TiFF\.housecall6.6
2008-02-29 14:42 . 2008-02-29 14:42 <DIR>    d--------   C:\Program Files\Windows Defender
2008-02-29 14:31 . 2008-03-05 16:57 <DIR>    d--------   C:\HJT
2008-02-29 14:25 . 2008-02-29 14:25 <DIR>    d--------   C:\Documents and Settings\TiFF\Application Data\Grisoft
2008-02-29 14:25 . 2007-05-30 06:10 10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-29 14:24 . 2008-02-29 14:24 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-27 16:09 . 2008-02-27 16:09 <DIR>    d--------   C:\Program Files\Webroot
2008-02-27 16:09 . 2008-02-27 16:09 <DIR>    d--------   C:\Documents and Settings\TiFF\Application Data\Webroot
2008-02-27 16:09 . 2008-02-27 16:09 <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-27 16:09 . 2008-02-27 16:09 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-27 16:09 . 2008-01-04 20:56 1,526,640   --a------   C:\WINDOWS\WRSetup.dll
2008-02-27 16:09 . 2008-01-04 20:34 163,696 --a------   C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-27 16:09 . 2008-01-04 20:34 23,920  --a------   C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-27 16:09 . 2008-01-04 20:34 21,872  --a------   C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-27 16:09 . 2008-01-04 20:34 20,336  --a------   C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-27 16:06 . 2008-02-27 16:06 164 --a------   C:\install.dat
2008-02-26 14:11 . 2008-02-26 13:26 691,545 --a------   C:\WINDOWS\unins000.exe
2008-02-26 14:11 . 2008-02-26 14:11 2,542   --a------   C:\WINDOWS\unins000.dat
2008-02-26 13:23 . 2008-02-26 13:23 <DIR>    d--------   C:\WINDOWS\system32\LogFiles

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 18:12    ---------   d-----w C:\Program Files\Viewpoint
2008-03-06 18:12    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-06 18:11    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-03-04 19:52    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 17:00    ---------   d-----w C:\Program Files\DIGStream
2008-02-29 20:18    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-29 20:17    9,344   ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-02-29 20:17    8,320   ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-29 20:17    12,632  ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-11 05:53    44,544  ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01    347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51    179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21    3,592,192   ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01    625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00    70,656  ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00    13,824  ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59    161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-05-07 18:21    88  -csh--r C:\WINDOWS\system32\ECA4C9D3B0.sys
2007-05-07 18:21    3,766   -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-03-05_16.51.47.99   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-06 17:01:49   16,384  ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7dc.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{037bb9d8-0e4d-4163-8f7d-81991b4af0f0}]
            C:\WINDOWS\system32\alvxqeif.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60230987-671C-48C0-9027-F878B5ADFE23}]
            C:\Program Files\MSN\meqodagu83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B48FCAF-4163-4DC9-6154-4E71B57896E8}]
            C:\WINDOWS\system32\bqdst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8a950f9b-0b1b-4752-868b-f42c7be6e04a}]
            C:\WINDOWS\system32\rrvfhlv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 11:10 50792]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4cf5a7a8"="rundll32.exe" [2004-08-10 04:00 33280 C:\WINDOWS\system32\rundll32.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"BM4fc69434"="Rundll32.exe" [2004-08-10 04:00 33280 C:\WINDOWS\system32\rundll32.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rtele.html
FriendlyName= 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffdby]
khffdby.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TiFF^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\TiFF\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-04-20 11:10 50792 C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
--------- 2005-02-23 14:57 57344 C:\Program Files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6_check]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-04-06 13:58 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 01:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-09-08 04:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 02:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 13:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS_check]
C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-29 15:01 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-04-20 11:10 50792 C:\Program Files\Common Files\AOL\1152319491\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-12-13 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2005-12-28 10:56 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2005-12-28 10:55 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a--c--- 2006-02-17 10:59 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 09:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 09:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mnzmscqe]
C:\Program Files\Common Files\?ystem\w?aclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 01:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a--c--- 2006-08-30 11:46 183367 C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-29 14:54 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 15:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-10 04:00 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 10:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
C:\WINDOWS\system32\uloifjyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.0\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5A-A7-70-07-ZN}]
C:\windows\system32\lldsregq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"PcCtlCom"=2 (0x2)
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"MDM"=2 (0x2)
"gusvc"=3 (0x3)
"EvtEng"=2 (0x2)
"AOL ACS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1152319491\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1152319491\\ee\\aim6.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 17:04:49 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 12:26:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-03-06 12:26:44
ComboFix-quarantined-files.txt  2008-03-06 18:26:42
ComboFix2.txt  2008-03-05 22:52:12
.
2008-03-04 20:56:21 --- E O F ---  



---------------------------------------------------------------------------------------------------------

And here is the Online scan log

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2927 (20080306)
# vers_arch_module=1.032 (20050726)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=60d1984a721e6a43909584e1c363bb9f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-03-06 07:47:40
# local_time=2008-03-06 01:47:40 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=172244
# found=0
# scan_time=2157

---------------------------------------------------------------------------------------------------------

And lastly a fresh HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:50 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1152319491\ee\aolsoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [4cf5a7a8] "rundll32.exe" "C:\WINDOWS\system32\ssxjwpvi.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM4fc69434] "Rundll32.exe" "C:\WINDOWS\system32\vyaqfgmb.dll",s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtele.html

--
End of file - 6227 bytes

Edited by mike_2000_17: Fixed formatting

0

Where are you?:S
(Not trying to rush you or anything. I just have to return this thing by tomorrow morning. It's not a huge deal if we don't finish this tonight, and I know you're doing this voluntarily, so it is still appreciated. I have to go for a few hours, but will be back on later tonight. Hopefully we are close?)

0

Where are you?:S
(Not trying to rush you or anything. I just have to return this thing by tomorrow morning. It's not a huge deal if we don't finish this tonight, and I know you're doing this voluntarily, so it is still appreciated. I have to go for a few hours, but will be back on later tonight. Hopefully we are close?)

Hi Bobby,

Most days I really don't have much free time to devote to forums until after 7PM EST.

Looks like we are almost done, though my registry fixes didn't take via ComboFix. Probably blocked by one of the anti-spy tools. I should've used a switch to kill them. No worries, we'll try again "old school."
Most of the stuff left to deal with are the malware prevented from running via msconfig (and the Trend Micro and McAfee remnants). I would imagine all the actual malware files are gone, but in the interest of thoroughness I'd like to do the following:

-- Download BobbyFix.reg to your Desktop.
-- DoubleClick on BobbyFix.reg and follow the prompt to Allow it to merge into the registry

Then, you'll need to use Windows explorer to navigate to and DELETE any of the following, if they should remain:

C:\WINDOWS\system32\alvxqeif.dll
C:\WINDOWS\system32\bqdst.dll
C:\WINDOWS\system32\rrvfhlv.dll
C:\Program Files\Common Files\WinAntiVirus Pro 2006
C:\Program Files\Common Files\?ystem\w?aclt.exe --> The ? can be any character. You should probably remove the C:\Program Files\Common Files\?ystem Folder.
C:\Program Files\Trend Micro
C:\WINDOWS\system32\uloifjyv.dll
C:\Program Files\Web Buying
C:\windows\system32\lldsregq.exe
C:\WINDOWS\system32\ssxjwpvi.dll
C:\WINDOWS\system32\vyaqfgmb.dll

I doubt any remain, but we should check to be sure. You'll need to Enable the Viewing of Hidden Files before searching for these.

After that, reboot and run me a final ComboFix scan.
Will try to check back later tonight.

Best :)
PP
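The two RUNDLL errors at boot come from the O4 Run values in the HJT log above: each one launches rundll32.exe against a DLL that the scanners have already removed, so the value is an orphan and the fix is to delete the value, not the (absent) file. As an added example that is not code from this thread (the contents of BobbyFix.reg are not shown), the script below parses O4 lines in HijackThis format, keeps only rundll32 launches, flags the ones whose DLL is missing, and emits a .reg file that deletes those values using the standard `"name"=-` syntax. The first five sample lines are copied from the log above; the `[DemoLegit]` line and the `EXISTING` file set are constructed so the example runs offline.

```python
"""Find rundll32 autoruns in a HijackThis log whose DLL no longer exists, and
write the .reg text that deletes those Run values.

Added example (not code from the thread). The first five O4 lines below are
copied from the HJT log posted above; the [DemoLegit] line and the EXISTING
file set are constructed for the demo.
"""
import os
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# HJT O4 line layout: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# rundll32 invocation: optional quotes, optional ".exe", DLL path, optional ",entrypoint"
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*(?:,\s*\S*)?$', re.IGNORECASE
)
HIVE_PATH = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
}


class Autorun(NamedTuple):
    hive: str   # HKLM or HKCU
    key: str    # Run, RunOnce, ...
    name: str   # registry value name, e.g. 4cf5a7a8
    dll: str    # DLL path handed to rundll32


def parse_rundll_autoruns(log_text: str) -> List[Autorun]:
    """Return every O4 entry that launches rundll32 with a DLL path."""
    found = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        r = RUNDLL_RE.match(m.group("cmd").strip())
        if r:
            found.append(Autorun(m["hive"], m["key"], m["name"], r["dll"]))
    return found


def find_orphans(autoruns: Iterable[Autorun],
                 existing_files: Optional[Iterable[str]] = None) -> List[Autorun]:
    """Entries whose DLL is missing. With existing_files=None the real
    filesystem is consulted (use that on the machine being cleaned)."""
    if existing_files is None:
        return [a for a in autoruns if not os.path.isfile(a.dll)]
    present = {p.lower() for p in existing_files}   # Windows paths are case-insensitive
    return [a for a in autoruns if a.dll.lower() not in present]


def build_reg_fix(orphans: Iterable[Autorun]) -> str:
    """Emit .reg text; a line of the form "name"=- deletes that value when merged."""
    by_key: Dict[str, List[str]] = {}
    for a in orphans:
        by_key.setdefault(f"{HIVE_PATH[a.hive]}\\{a.key}", []).append(a.name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\r\n".join(lines)


# Sample O4 lines: the first five are from the HJT log above, the last is constructed.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [4cf5a7a8] "rundll32.exe" "C:\WINDOWS\system32\ssxjwpvi.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM4fc69434] "Rundll32.exe" "C:\WINDOWS\system32\vyaqfgmb.dll",s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DemoLegit] rundll32.exe C:\WINDOWS\system32\demo.dll,Start
"""
# Constructed: only demo.dll is still on disk; the scanners removed the other two.
EXISTING = {r"C:\WINDOWS\system32\demo.dll"}

if __name__ == "__main__":
    orphans = find_orphans(parse_rundll_autoruns(SAMPLE_O4), EXISTING)
    for a in orphans:
        print(f"orphaned autorun {a.hive}\\{a.key}\\{a.name} -> {a.dll}")
    print(build_reg_fix(orphans))
```

On the machine being cleaned, call `find_orphans(..., existing_files=None)` so the check runs against the real filesystem, and merge the generated .reg from an administrator account. Two caveats a practitioner should keep in mind: HJT's O4 section covers only the Run keys and startup folders, while the "Reg Loading Points" section of the ComboFix log further down shows other autostart surfaces (AppInit_DLLs, msconfig-disabled entries, mountpoints2 autoruns), so an orphan scan of O4 alone is not a full autostart audit; and a missing DLL only proves that the file is gone, not that nothing else on the box was planted alongside it, which is why the thread still finishes with a full ComboFix pass.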

0

Wonderful :) I just got your notes and am taking the unit home to follow through. I'll have that log posted by 10:30, hopefully.

0

Well, guess I took a bit longer to get this posted than I originally thought. Of the files you had me look for, I ran searches and only about 2 of them actually existed, though not in the folder you listed - both had been quarantined by the online scan. There was alvxqeif.dll.bac_a01172 in the folder C:\Documents and Settings\TiFF\.housecall6.6\Quarantine
The other file was
ssxjwpvi.dll.bac_a01172
In the same folder

Anyway, here is the final ComboFix scan log. Also, good news: I just noticed that the two error messages that I had been getting at bootup are gone.

ComboFix 08-03-05.1 - TiFF 2008-03-06 21:50:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.573 [GMT -6:00]
Running from: C:\Documents and Settings\TiFF\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-06 21:38 . 2004-08-10 04:00 388,608 --a------ C:\CF17435.exe
2008-03-06 14:04 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-06 14:01 . 2008-03-06 14:01 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-06 12:51 . 2008-03-06 13:47 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-05 16:20 . 2008-03-05 16:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-05 16:20 . 2008-03-05 16:20 <DIR> d-------- C:\Documents and Settings\TiFF\Application Data\Malwarebytes
2008-03-05 16:20 . 2008-03-05 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 14:27 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-04 14:27 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-04 14:27 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-04 14:27 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-04 14:27 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-04 14:27 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-04 14:26 . 2008-03-04 14:26 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-04 14:26 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-04 14:26 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-04 13:58 . 2007-07-09 07:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-04 13:50 . 2008-03-04 13:50 <DIR> d-------- C:\Program Files\CCleaner
2008-03-03 10:23 . 2008-03-03 10:23 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-01 12:24 . 2008-03-03 11:19 <DIR> d-------- C:\VundoFix Backups
2008-03-01 11:03 . 2008-03-03 17:04 <DIR> d-------- C:\Documents and Settings\TiFF\.housecall6.6
2008-02-29 14:42 . 2008-02-29 14:42 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-29 14:31 . 2008-03-06 14:06 <DIR> d-------- C:\HJT
2008-02-29 14:25 . 2008-02-29 14:25 <DIR> d-------- C:\Documents and Settings\TiFF\Application Data\Grisoft
2008-02-29 14:25 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-29 14:24 . 2008-02-29 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-27 16:09 . 2008-02-27 16:09 <DIR> d-------- C:\Program Files\Webroot
2008-02-27 16:09 . 2008-02-27 16:09 <DIR> d-------- C:\Documents and Settings\TiFF\Application Data\Webroot
2008-02-27 16:09 . 2008-02-27 16:09 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-27 16:09 . 2008-02-27 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-27 16:09 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-02-27 16:09 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-27 16:09 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-27 16:09 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-27 16:09 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-27 16:06 . 2008-02-27 16:06 164 --a------ C:\install.dat
2008-02-26 14:11 . 2008-02-26 13:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-26 14:11 . 2008-02-26 14:11 2,542 --a------ C:\WINDOWS\unins000.dat
2008-02-26 13:23 . 2008-02-26 13:23 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-11 09:40 . 2008-02-11 09:40 2,715,648 --a------ C:\WINDOWS\system32\OnlineScanner.ocx
2008-02-11 09:39 . 2008-02-11 09:39 253,952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 . 2008-02-11 09:39 237,568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 13:53 . 2008-02-08 13:53 110,592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 20:03 --------- d-----w C:\Program Files\Java
2008-03-06 18:12 --------- d-----w C:\Program Files\Viewpoint
2008-03-06 18:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-06 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-03-04 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 17:00 --------- d-----w C:\Program Files\DIGStream
2008-02-29 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-29 20:17 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-02-29 20:17 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-29 20:17 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-05 14:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-05-07 18:21 88 -csh--r C:\WINDOWS\system32\ECA4C9D3B0.sys
2007-05-07 18:21 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-05_16.51.47.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 07:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 07:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 08:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2008-03-07 03:43:38 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_700.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-04-20 11:10 50792]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rtele.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TiFF^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\TiFF\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-04-20 11:10 50792 C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
--------- 2005-02-23 14:57 57344 C:\Program Files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-04-06 13:58 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 01:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-09-08 04:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 02:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 13:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-29 15:01 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-04-20 11:10 50792 C:\Program Files\Common Files\AOL\1152319491\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-12-13 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2005-12-28 10:56 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2005-12-28 10:55 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a--c--- 2006-02-17 10:59 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 09:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 09:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 01:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a--c--- 2006-08-30 11:46 183367 C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-29 14:54 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 15:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-10 04:00 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 10:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"PcCtlCom"=2 (0x2)
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"MDM"=2 (0x2)
"gusvc"=3 (0x3)
"EvtEng"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1152319491\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1152319491\\ee\\aim6.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 03:46:45 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 21:52:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-06 21:52:54
ComboFix-quarantined-files.txt 2008-03-07 03:52:51
ComboFix2.txt 2008-03-06 18:26:45
ComboFix3.txt 2008-03-05 22:52:12
.
2008-03-06 21:30:28 --- E O F ---

0

Well, guess I took a bit longer to get this posted than I originally thought. Of the files you had me look for, I ran searches and only about 2 of them actually existed, though not in the folder you listed - both had been quarantined by the online scan. There was alvxqeif.dll.bac_a01172 in the folder C:\Documents and Settings\TiFF\.housecall6.6\Quarantine
The other file was
ssxjwpvi.dll.bac_a01172
In the same folder

You can delete that Quarantine folder if you so desire.

Likewise, these can be removed:
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Anyway, here is the final ComboFix scan log. Also, good news: I just noticed that the two error messages that I had been getting at bootup are gone.

Everything looks OK to me, Bobby. :)

-- The registry fix "took" this time. The machine is not trying to load those non-existent malware at startup any more.
-- You may want to look into some of the options for controlling unwanted Startups in the linky I posted earlier, but that is entirely up to you.

Have a look at my "Protect Yourself" linky below and definitely install Spyware Blaster as I recommend.


If everything is running as it should, please mark this thread Solved!

Cheers :)
PP

0

Hey Bobby,

I just remembered that I forgot to have you remove ComboFix.

No worries if you don't see this before you've returned the machine or if you've already removed ComboFix.

If you do see this in time, please do this:
• Click Start > Run
• Type or Copy&Paste ComboFix /u into the Run box. (be sure there is a space between the x and the / if you type it)
• Click OK


That ought to wrap things up!

PP :)

0

All's well that ends well. Computer clean and delivered. PhilliePhan, you are a scholar and a gentleman, assuming you are a male, of course. You will forever have my gratitude, and if ever there were a way I could repay the favor, let me know. I must say that this was quite a learning experience in the ways of virus and spyware removal; till now my solution has always been a backup and a reload. It certainly seems the easier of the two roads, although sometimes potential loss of certain programs dismisses that choice. All I ask now is if you have any links or recommendations as to how I might go about learning to do what you did?

0

PhilliePhan you are a scholar and a gentleman. . . You will forever have my gratitude and if ever there were a way I could repay the favor let me know.

Thanks for the good word, Bobby!
A number of sites I frequent ask for donations to keep them up and running - but what they really need are more trained and eager volunteers to help with the flood of infected computers. I'd be happy if you just "pay it forward" and do a good turn for somebody else down the road. :)

I must say that this was quite a learning experience . . . .All I ask now is if you have any links or recommendations as to how I might go about learning to do what you did?

A malware infestation is always a learning experience!

I am pretty much self-taught. Been doing this in my free time for about 5 years now - since about the time I got infected with a really nasty piece of malware. I did not know forums such as this existed then, and I ended up cleaning it myself - took a good week, LOL!
I probably should have just wiped the hard drive and reinstalled - that is and will always be the ONLY way to be sure you are completely clean. Especially with all the rootkits we see these days....

There are a number of places to learn about killing malware. Here are a few:
http://www.geekstogo.com/forum/Would-like-to-learn-to-fight-malware-t4817.html
http://www.malwareremoval.com/forum/viewtopic.php?t=233

I am not sure how they go about teaching - when I started, HJT was in its infancy and we ripped the malware out by hand . . . kicking and screaming all the way!

These days, tools such as ComboFix, SDFix, smitfraudfix and others are really Godsends for the overcrowded forums. But, for volunteers (at least for me) it can get old when you copy and paste the same instructions over and over....


-- You can always feel free to PM me with questions about malware. If I am not here, you can find me at www.spywarewarrior.com and www.iamnotageek.com on a regular basis.


Best :)
PP
