Hi All - this is where I was told by support to post to get help. I got slammed by a Trojandownloader over the weekend. Settings I thought were set weren't etc..long story. But I had the free version of LavaSoft ran it. It found the viruses etc, and could delete all but three. Wouldn't even quarantine them. So I uploaded the Plus version yesterday. I have been trying to run a scan. In regular mode, the scan starts, gets in about 10 or 15 files and feezes with a "fatal error" and shuts me down. So it was advised that I rn in safemode. In samode when I try to run I get this error -
Exception EAccessViolation in Module Ad-Aware2007.exe at 001C852C Access violation at address 005C852C in module 'Ad-Aware2007.exe'.Read of address 00000414

While I know this is only an anning problem that keeps locking up my internet, I want rid of it. The person in support suggested someone here could walk me through removing it manually.

Thanks in advance everyone!

Hi Andi,

Ad-aware probably won't run properly because of the trojan that already infected the machine. Let's see if we can get some diagnostics going here to get rid of the difficult malware you have encountered.

* Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks SO much -
Here is the notepad info after the scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:20 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [5870b7aa] rundll32.exe "C:\WINDOWS\system32\amrnwvfq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174997891529
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.scrapbookpictures.com/ImageUploader4.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD21157F-8781-46EA-9EA1-7BB72071B9A7}: NameServer = 66.109.229.5,66.109.229.6
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7304 bytes

Ok, thanks. This looks like Vundo - maybe more.

Let's start with these tools please.

1. Please download
VundoFix.exe
and save it to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files,
  click YES
• Once you click yes, your desktop will go blank as it starts removing
  Vundo.
• When completed, it will prompt that it will reboot your computer,
  click OK.
• Please post the contents of C:\vundofix.txt
  
  Next, run this free tool please and post the log it makes also:
  2. Download ComboFix and save it to your desktop.
  
  **Note: It is important that it is saved directly to your desktop**
  
  1. Close any open browsers.
  
  2. Double click on combofix.exe & follow the prompts.
  [list]When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

ok

Here is the text from Vundoo....off to download the other program now...


VundoFix V6.7.0

Checking Java version...

Scan started at 8:21:48 PM 12/3/2007

Listing files found while scanning....

C:\windows\SYSTEM32\emgmcqvo.exe
C:\windows\SYSTEM32\eykvehgb.dll
C:\windows\SYSTEM32\fsgomuqx.exe
C:\WINDOWS\system32\wfabsgub.dll
C:\windows\SYSTEM32\wfabsgub.dllbox
C:\windows\SYSTEM32\xiuqkkfi.exe
C:\windows\SYSTEM32\xpoyvrpe.exe

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\emgmcqvo.exe
C:\windows\SYSTEM32\emgmcqvo.exe Has been deleted!

Attempting to delete C:\windows\SYSTEM32\eykvehgb.dll
C:\windows\SYSTEM32\eykvehgb.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\fsgomuqx.exe
C:\windows\SYSTEM32\fsgomuqx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wfabsgub.dll
C:\WINDOWS\system32\wfabsgub.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\wfabsgub.dllbox
C:\windows\SYSTEM32\wfabsgub.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\xiuqkkfi.exe
C:\windows\SYSTEM32\xiuqkkfi.exe Has been deleted!

Attempting to delete C:\windows\SYSTEM32\xpoyvrpe.exe
C:\windows\SYSTEM32\xpoyvrpe.exe Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\xpoyvrpe.exe
C:\windows\SYSTEM32\xpoyvrpe.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Scan started at 4:21:23 PM 12/11/2007

Listing files found while scanning....

And here is the combo fix text...I have no idea yet how things are running, but will say IE took forever to load to come here...not sure if that is good or bad...

ComboFix 07-12-12.3 - Andrea 2007-12-11 18:31:57.1 - NTFSx86
Running from: C:\Documents and Settings\Andrea\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Starware337
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiRSS.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiRSS.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiSearch.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiSearch.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware337\contexts\Error.xml
C:\Documents and Settings\All Users\Application Data\Starware337\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware337\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware337\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware337\U0B8FB654.exe
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Andrea\Application Data\Starware337
C:\Documents and Settings\Andrea\Application Data\Starware337\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\Games\GamesOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\Games\GamesOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\Games\images\active\Games0.bmp
C:\Documents and Settings\Andrea\Application Data\Starware337\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\Manager\ManagerOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\Movies\images\active\Movies0.bmp
C:\Documents and Settings\Andrea\Application Data\Starware337\Movies\MoviesOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\Recipes\RecipesOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\Recipes\RecipesOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\Reference\ReferenceOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\Andrea\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\SearchMatch\SearchMatchOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\SearchMatch\SearchMatchOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Andrea\Application Data\Starware337\Weather\AlertArchive.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\Weather\WeatherOptions.xml
C:\Documents and Settings\Andrea\Application Data\Starware337\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Andrea\Favorites\Online Security Guide.lnk
C:\Program Files\Starware337
C:\Program Files\Starware337\bin\Starware337.dll
C:\Program Files\Starware337\brand.bmp
C:\Program Files\Starware337\icons\star_16.ico
C:\Program Files\Starware337\Starware337Config.xml
C:\Program Files\Starware337\Starware337Uninstall.exe
C:\Temp\bkR11
C:\WINDOWS\b111.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\amrnwvfq.dll
C:\WINDOWS\system32\aorrnmdl.dll
C:\WINDOWS\system32\apkonyds.exe
C:\WINDOWS\system32\avrfpwxg.dll
C:\WINDOWS\system32\cnbxsygo.dll
C:\WINDOWS\SYSTEM32\cwtsffne.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\egjlm.ini
C:\WINDOWS\SYSTEM32\egjlm.ini2
C:\WINDOWS\system32\enffstwc.dll
C:\WINDOWS\system32\hjnsdjjx.dll
C:\WINDOWS\SYSTEM32\ioqcrcqt.ini
C:\WINDOWS\system32\iuinclul.dll
C:\WINDOWS\system32\laqbulax.exe
C:\WINDOWS\SYSTEM32\lulcniui.ini
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pcvoffjy.dll
C:\WINDOWS\system32\pmnljii.dll
C:\WINDOWS\system32\pnkoyoie.dll
C:\WINDOWS\SYSTEM32\qfvwnrma.ini
C:\WINDOWS\system32\rqropmn.dll
C:\WINDOWS\system32\sagpcfxf.exe
C:\WINDOWS\system32\skpddnxh.dll
C:\WINDOWS\system32\ssqqrsr.dll
C:\WINDOWS\system32\tjwotxmh.dll
C:\WINDOWS\system32\tqcrcqoi.dll
C:\WINDOWS\system32\uscnunus.dll
C:\WINDOWS\system32\whfhwsdx.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-12 20:12 . <DIR> C:\WINDOWS\LastGood.Tmp
2007-12-11 16:21 . 2007-12-12 21:42 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-10 22:34 . 2007-12-10 22:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 21:30 . 2007-12-10 21:31 858,884 --ahs---- C:\WINDOWS\SYSTEM32\nxsujbkb.ini
2007-12-08 13:52 . 2007-12-08 13:52 294 --ahs---- C:\WINDOWS\SYSTEM32\qxjuivqa.ini
2007-12-05 22:11 . 2007-12-06 22:45 832,610 --ahs---- C:\WINDOWS\SYSTEM32\niduaqws.ini
2007-12-05 07:11 . 2007-12-05 07:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-05 07:10 . 2007-12-05 07:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 20:56 . 2007-12-05 22:10 806,242 --ahs---- C:\WINDOWS\SYSTEM32\ycpxxkvo.ini
2007-12-03 23:13 . 2007-12-03 23:13 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-12-03 20:21 . 2007-12-03 23:13 <DIR> d-------- C:\VundoFix Backups
2007-12-02 21:00 . 2007-12-03 19:59 793,751 --ahs---- C:\WINDOWS\SYSTEM32\meimxjbx.ini
2007-12-02 19:23 . 2007-12-08 14:14 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-12-02 16:47 . 2007-12-02 16:47 793,664 --ahs---- C:\WINDOWS\SYSTEM32\waudftwk.tmp
2007-12-02 16:47 . 2007-12-02 16:47 793,664 --ahs---- C:\WINDOWS\SYSTEM32\waudftwk.ini
2007-12-02 16:24 . 2007-12-02 16:33 3,498 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-02 00:30 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-02 00:30 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-02 00:30 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-12-02 00:30 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-02 00:30 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-29 21:52 . 2007-11-29 21:52 35,840 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2007-11-29 21:50 . 2007-11-29 21:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\daSgo01
2007-11-29 21:50 . 2007-12-12 19:01 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-11 02:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 02:41 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-07 03:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-05 12:12 --------- d-----w C:\Program Files\Lavasoft
2007-11-30 17:57 --------- d-----w C:\Program Files\Broderbund
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 14:30 --------- d-----w C:\Documents and Settings\Andrea\Application Data\AdobeUM
2007-10-15 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2007-10-15 22:53 --------- d-----w C:\Program Files\EPSON
2007-10-15 16:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-10 03:57 142,864 ----a-w C:\Documents and Settings\Andrea\Application Data\GDIPFONTCACHEV1.DAT
2005-03-02 18:04 34,916 ----a-w C:\WINDOWS\Fonts\addict.zip
2005-03-02 18:04 33,197 ----a-w C:\WINDOWS\Fonts\adler.zip
2005-03-02 18:01 34,254 ----a-w C:\WINDOWS\Fonts\aidancing.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18e8e412-dc74-4b87-b019-5ba3793912e3}]
C:\WINDOWS\system32\avrfpwxg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F3C619-0377-4D04-8D92-18F028CAFFD1}]
C:\WINDOWS\system32\mljge.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Insider"="C:\Program Files\Insider\Insider.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 18:15]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-09 00:17]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"5870b7aa"="C:\WINDOWS\system32\amrnwvfq.dll" []
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnljii]
pmnljii.dll

S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys
S3 WRSWanDD;iVasion PoET Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-20 12:21:54 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Andrea.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 22:20:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-12 22:33:48 - machine was rebooted
.
2007-12-11 22:11:16 --- E O F ---

And the most recent HiJack this log....
PLEASE tell me all is well now!?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:26 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - HA
49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - xA
runsDisabled - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - ¨

(B
6-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - ÈA
38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: (no name) - ˆB
¨

9-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O2 - BHO: (no name) - ˜A
3D70E-1895-11CF-8E15-001234567890} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174997891529
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.scrapbookpictures.com/ImageUploader4.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD21157F-8781-46EA-9EA1-7BB72071B9A7}: NameServer = 66.109.229.5,66.109.229.6
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8044 bytes

Well, no we are making progress but certainly not done yet. Those reports show signs that you also have had a backdoor trojan onboard in addition to the suspected Vundo, so we've a bit more work to do as these tools don't cover the same multi-mix of nasties you had there. This is more than just a spyware infection, so we need to clear that backdoor trojan first since it is much more dangerous, and then we'll come back to the remainder needed on the Vundo infection.

1. Open HijackThis and do a *system scan only*

When it finishes, place a checkmark next to these entries and then press the *fix checked* button

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: (no name) - HA
49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: (no name) - xA
runsDisabled - (no file)

O2 - BHO: (no name) - ¨

(B
6-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O2 - BHO: (no name) - ÈA
38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)

O2 - BHO: (no name) - ˆB
¨

9-679B-4b4c-8E49-5AF97014F4C1} - (no file)

O2 - BHO: (no name) - ˜A
3D70E-1895-11CF-8E15-001234567890} - (no file)

O4 - Global Startup: AutorunsDisabled

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

After pressing the *fix checked* button you can close HijackThis and proceed to step 2 below:

................
2. SDFix

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back here please

..............................
3. Next step: need to get a full system scan for any trojan or virus infection remaining. This is a free online AV scan that should catch what I'm looking for.

* Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats and the option Scan unwanted applications is checked
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic, along with a new HijackThis log

..............
Please also scan once more with ComboFix and post a new log from it too so I can see what else is remaining to be done.

Here is the SDFix log - I am off to run the AV scan now...

SDFix: Version 1.118

Run by Andrea on Thu 12/13/2007 at 03:55 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\mrofinu572.exe.tmp - Deleted
C:\WINDOWS\mrofinu572.exe.tmp - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 16:14:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 2 Dec 2007 793,664 A.SH. --- "C:\WINDOWS\SYSTEM32\waudftwk.tmp"
Mon 26 Dec 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 29 Nov 2007 41,723 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0133498.exe"
Mon 19 Nov 2007 145,920 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0133499.exe"
Mon 28 Mar 2005 23,552 A..H. --- "C:\Documents and Settings\Andrea\My Documents\CropForACure\~WRL0005.tmp"
Sat 24 Jan 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sat 24 Jan 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Sat 7 Oct 2006 130,048 ...H. --- "C:\Documents and Settings\Andrea\Application Data\Microsoft\Templates\~WRL3736.tmp"
Thu 8 Apr 2004 24,576 A..H. --- "C:\Documents and Settings\Andrea\My Documents\My stuff\Andi's Word Documents\~WRL0001.tmp"
Mon 26 Dec 2005 4,348 ...H. --- "C:\Documents and Settings\Andrea\Application Data\Real\Rhapsody\wmlicbackup\drmv1key.bak"
Mon 26 Dec 2005 20 A..H. --- "C:\Documents and Settings\Andrea\Application Data\Real\Rhapsody\wmlicbackup\drmv1lic.bak"
Thu 3 Mar 2005 312 A.SH. --- "C:\Documents and Settings\Andrea\Application Data\Real\Rhapsody\wmlicbackup\drmv2key.bak"

Finished!

Ok, good

I'll wait for the eset scan log.

Five hours later here is the Eset log - took out 57 more files! Man oh man..off to run COmbo fix and Hijack this again....

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2720 (20071212)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ef73c38dbc340f44aea0efc8d1cd6df3
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-12-14 06:27:53
# local_time=2007-12-14 01:27:53 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=224780
# found=57
# scan_time=17165
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Program Files\Starware337\bin\Starware337.dll.vir probably a variant of Win32/Adware.Agent application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\amrnwvfq.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\apkonyds.exe.vir Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cnbxsygo.dll.vir Win32/BHO.G trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\enffstwc.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\iuinclul.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\laqbulax.exe.vir Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\sagpcfxf.exe.vir Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\tqcrcqoi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\whfhwsdx.exe.vir Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\SDFix\backups\backups.zip Win32/TrojanDownloader.Agent.BLS trojan (deleted) 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/mrofinu572.exe.tmp Win32/TrojanDownloader.Agent.BLS trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0116198.exe Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1019\A0122200.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1020\A0124225.exe Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1020\A0124226.dll Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1020\A0124227.exe Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1020\A0124228.dll Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1020\A0124229.exe Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1020\A0124230.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1020\A0124236.exe Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1021\A0124284.exe Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1021\A0124294.exe probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0128427.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0130452.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0131460.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0133492.exe Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0133493.exe Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0133494.exe Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0133495.exe Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0133499.exe a variant of Win32/TrojanDownloader.PurityScan trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1024\A0133504.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133542.exe Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133544.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133545.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133547.exe Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133548.exe Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133549.exe Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133550.exe Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133551.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133554.dll Win32/BHO.G trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133555.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133557.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133564.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1026\A0133571.dll probably a variant of Win32/Adware.Agent application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1028\A0133810.dll Win32/Adware.WBug.A application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\emgmcqvo.exe.bad Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\eykvehgb.dll.bad Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\fsgomuqx.exe.bad Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\wfabsgub.dll.bad Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\xiuqkkfi.exe.bad Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\xpoyvrpe.exe.bad Win32/TrojanDownloader.Tiny.ID trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\daSgo01\daSgo011065.exe a variant of Win32/TrojanDownloader.VB.AW trojan (unable to clean - deleted) 00000000000000000000000000000000

Hijackthis log-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:15 AM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174997891529
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.scrapbookpictures.com/ImageUploader4.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD21157F-8781-46EA-9EA1-7BB72071B9A7}: NameServer = 66.109.229.5,66.109.229.6
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7059 bytes

And ComboFix text

ComboFix 07-12-12.3 - Andrea 2007-12-14 1:53:45.2 - NTFSx86
Running from: C:\Documents and Settings\Andrea\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-13 20:39 . 2007-12-14 01:27 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-13 15:53 . 2007-12-13 15:53 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-11 16:21 . 2007-12-12 23:28 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-10 22:34 . 2007-12-10 22:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 21:30 . 2007-12-10 21:31 858,884 --ahs---- C:\WINDOWS\SYSTEM32\nxsujbkb.ini
2007-12-08 13:52 . 2007-12-08 13:52 294 --ahs---- C:\WINDOWS\SYSTEM32\qxjuivqa.ini
2007-12-05 22:11 . 2007-12-06 22:45 832,610 --ahs---- C:\WINDOWS\SYSTEM32\niduaqws.ini
2007-12-05 07:11 . 2007-12-05 07:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-05 07:10 . 2007-12-05 07:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 20:56 . 2007-12-05 22:10 806,242 --ahs---- C:\WINDOWS\SYSTEM32\ycpxxkvo.ini
2007-12-03 23:13 . 2007-12-03 23:13 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-12-03 20:21 . 2007-12-13 23:39 <DIR> d-------- C:\VundoFix Backups
2007-12-02 21:00 . 2007-12-03 19:59 793,751 --ahs---- C:\WINDOWS\SYSTEM32\meimxjbx.ini
2007-12-02 19:23 . 2007-12-08 14:14 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-12-02 16:47 . 2007-12-02 16:47 793,664 --ahs---- C:\WINDOWS\SYSTEM32\waudftwk.tmp
2007-12-02 16:47 . 2007-12-02 16:47 793,664 --ahs---- C:\WINDOWS\SYSTEM32\waudftwk.ini
2007-12-02 16:24 . 2007-12-02 16:33 3,498 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-02 00:30 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-02 00:30 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-02 00:30 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-12-02 00:30 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-02 00:30 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-29 21:50 . 2007-12-14 01:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\daSgo01
2007-11-29 21:50 . 2007-12-12 19:01 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 07:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-14 06:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-11 02:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 02:41 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-05 12:12 --------- d-----w C:\Program Files\Lavasoft
2007-11-30 17:57 --------- d-----w C:\Program Files\Broderbund
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 14:30 --------- d-----w C:\Documents and Settings\Andrea\Application Data\AdobeUM
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-15 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2007-10-15 22:53 --------- d-----w C:\Program Files\EPSON
2007-10-15 16:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-07-10 03:57 142,864 ----a-w C:\Documents and Settings\Andrea\Application Data\GDIPFONTCACHEV1.DAT
2005-03-02 18:04 34,916 ----a-w C:\WINDOWS\Fonts\addict.zip
2005-03-02 18:04 33,197 ----a-w C:\WINDOWS\Fonts\adler.zip
2005-03-02 18:01 34,254 ----a-w C:\WINDOWS\Fonts\aidancing.zip
.

((((((((((((((((((((((((((((( snapshot@2007-12-12_22.26.47.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 02:15:23 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-13 20:54:04 8,581,120 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-13 20:54:04 28,672 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-12 02:15:23 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-13 20:53:39 8,581,120 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-12-13 20:53:39 28,672 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-03-06 01:22:34 22,752 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spcustom.dll
+ 2007-03-06 01:22:36 14,048 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst.exe
+ 2007-03-06 01:22:59 716,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\update.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\updspapi.dll
- 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
+ 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\SYSTEM32\advpack.dll
- 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
+ 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\SYSTEM32\icardie.dll
- 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\SYSTEM32\ieapfltr.dll
- 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\SYSTEM32\ieframe.dll
- 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
+ 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil.dll
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\SYSTEM32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\SYSTEM32\lnod32upd.dll
- 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\SYSTEM32\msfeeds.dll
- 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\SYSTEM32\msfeedsbs.dll
- 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
+ 2007-08-08 21:30:12 19,456 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe
- 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
+ 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\SYSTEM32\url.dll
- 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 18:15]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-09 00:17]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]

S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys
S3 WRSWanDD;iVasion PoET Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-20 12:21:54 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Andrea.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 02:03:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-14 2:10:59
C:\ComboFix2.txt ... 2007-12-12 22:33
.
2007-12-13 04:30:00 --- E O F ---

Excellent! We're on the home stretch now

I think that has now eliminated all active infections so there is only some minor junk files left to clean up. Do this step next:

Open notepad and copy/paste the text you see in the whitespace of the quotebox below into it (but not the word: quote)
(Don't use any other texteditor than notepad or the script will fail.)



Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"


Reminder:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Here is the Combofix text -
ComboFix 07-12-12.3 - Andrea 2007-12-14 12:09:51.3 - NTFSx86
Running from: C:\Documents and Settings\Andrea\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrea\Desktop\CFScript.txt

FILE
C:\WINDOWS\SYSTEM32\meimxjbx.ini
C:\WINDOWS\SYSTEM32\niduaqws.ini
C:\WINDOWS\SYSTEM32\nxsujbkb.ini
C:\WINDOWS\SYSTEM32\qxjuivqa.ini
C:\WINDOWS\SYSTEM32\waudftwk.ini
C:\WINDOWS\SYSTEM32\waudftwk.tmp
C:\WINDOWS\SYSTEM32\ycpxxkvo.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\daSgo01
C:\WINDOWS\SYSTEM32\meimxjbx.ini
C:\WINDOWS\SYSTEM32\niduaqws.ini
C:\WINDOWS\SYSTEM32\nxsujbkb.ini
C:\WINDOWS\SYSTEM32\qxjuivqa.ini
C:\WINDOWS\SYSTEM32\waudftwk.ini
C:\WINDOWS\SYSTEM32\waudftwk.tmp
C:\WINDOWS\SYSTEM32\ycpxxkvo.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-13 20:39 . 2007-12-14 01:27 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-13 15:53 . 2007-12-13 15:53 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-11 16:21 . 2007-12-12 23:28 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-10 22:34 . 2007-12-10 22:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-05 07:11 . 2007-12-05 07:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-05 07:10 . 2007-12-05 07:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-03 23:13 . 2007-12-03 23:13 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-12-03 20:21 . 2007-12-13 23:39 <DIR> d-------- C:\VundoFix Backups
2007-12-02 19:23 . 2007-12-08 14:14 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-12-02 16:24 . 2007-12-02 16:33 3,498 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-02 00:30 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-02 00:30 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-02 00:30 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-12-02 00:30 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-02 00:30 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-11-29 21:50 . 2007-12-12 19:01 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-14 07:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-11 02:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 02:41 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-05 12:12 --------- d-----w C:\Program Files\Lavasoft
2007-11-30 17:57 --------- d-----w C:\Program Files\Broderbund
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 14:30 --------- d-----w C:\Documents and Settings\Andrea\Application Data\AdobeUM
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-15 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2007-10-15 22:53 --------- d-----w C:\Program Files\EPSON
2007-10-15 16:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-07-10 03:57 142,864 ----a-w C:\Documents and Settings\Andrea\Application Data\GDIPFONTCACHEV1.DAT
2005-03-02 18:04 34,916 ----a-w C:\WINDOWS\Fonts\addict.zip
2005-03-02 18:04 33,197 ----a-w C:\WINDOWS\Fonts\adler.zip
2005-03-02 18:01 34,254 ----a-w C:\WINDOWS\Fonts\aidancing.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 18:15]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 02:04]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-09 00:17]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]

S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys
S3 WRSWanDD;iVasion PoET Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-20 12:21:54 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Andrea.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 12:17:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-14 12:22:27
C:\ComboFix2.txt ... 2007-12-14 02:11
C:\ComboFix3.txt ... 2007-12-12 22:33
.
2007-12-13 04:30:00 --- E O F ---

Looks good I think we are done here.

Some final cleanup and prevention recommendations follow.

You can go ahead and delete any special tools we used (VundoFix, SDFix, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and no need to keep them.
You can also delete the folders they made (those were the quarantined of infected files they found)

C:\qoobox
C:\SDFix\backups
C:\VundoFix Backups


..................
Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
......................
Also, I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.


Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help .
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.

Thank you SO much! I can not say how much! I *thought * I was protected.

I am running AdWatchnow - is that good too? We have a Norton FIrewall etc as well....

HOPEFULLY I will never have to do this again!

You're quite welcome! Glad we could help

And yes, you can have both Ad-Watch and Norton are good. Ad-Watch being your Antispyware protection and Norton is your Antivirus. In our Spyware Education Center, our first recommendation is:

In addition to having an anti-spyware solution like Ad-Aware, make sure to have anti-virus, anti-spam and firewall software and always have Windows auto-update turned on, if you are on a Windows operating system.

For more tips on how to protect yourself that page is here:
How to Protect Yourself
http://www.lavasoft.com/support/spywareedu...ct_yourself.php

Be mindful always that these days, new malware is being released daily at a phenomenal rate. Those software solutions can only protect you from the known pests so for added safety choose your downloads carefully and what out that you don't have a shared computer with all users running as Admin (your children, for instance, should probably have limited user accounts). Use our Protection Tips and advice and you'll have a safer, happier, computing experience.