Full Version: Malware/adware Embedded In My Computer
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
Nanny
I bought the Adaware SE PLUS and ran a scan. I deleted all that it found and even deleted the archives but every time I go on the internet, pages I don't ask for keep popping up. I ran Spybot and it said there was Smitfraud-c.toolbar888 in the computer; deleted it and it came back. My Kaspersky also finds adware and any viruses. There is an abnormal amount of adware in there and 2 trojans that I keep deleting. Here is a copy of my detected list from Kaspersky.

detected: riskware Invader Running process: C:\WINDOWS\system32\winlogon.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\rundll32.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.ir File: c:\windows\system32\edyehkbt.dll
detected: adware not-a-virus:AdWare.Win32.Virtumonde.hb URL: http://82.98.235.61/ffa/boombox20070425.dl...21C2A5D2BA3D78C
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ir URL: http://82.98.235.61/nauj/nauj_20070426.dll...21C2A5D2BA3D78C
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.ir File: C:\System Volume Information\_restore{A1B7EF41-FEF0-45A3-961C-94F744650990}\RP120\A0015513.dll
deleted: adware not-a-virus:AdWare.Win32.NewDotNet File: G:\System Volume Information\_restore{A1B7EF41-FEF0-45A3-961C-94F744650990}\RP45\A0006313.exe//WiseSFX Dropper//WISE0017.BIN
deleted: adware not-a-virus:AdWare.Win32.Relevant.a File: G:\System Volume Information\_restore{A1B7EF41-FEF0-45A3-961C-94F744650990}\RP45\A0006313.exe//WiseSFX Dropper//WISE0024.BIN
deleted: Trojan program Trojan-Spy.Win32.VBStat.h File: C:\WINDOWS\system32\kgjhvvpw.dll
deleted: Trojan program Trojan-Dropper.Win32.Agent.bhc File: C:\WINDOWS\system32\WinFlyer32.dll
deleted: adware not-a-virus:AdWare.Win32.WinAD.a File: G:\My Documents G\Overnet Incoming\incoming\incoming\Cinema Craft Encoder (CCE-SP) v2.62.ShareReactor.rar/cce225.zip/cctsp_patch.exe//UPX
detected: riskware Invader Running process: C:\Program Files\Spyware Doctor\swdsvc.exe
detected: riskware Invader Running process: C:\Documents and Settings\Administrator\Local Settings\Temp\is-URJTC.tmp\is-U6A21.tmp
detected: riskware Invader Running process: C:\WINDOWS\system32\cmd.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\net.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\services.exe
detected: riskware Invader Running process: C:\WINDOWS\Explorer.EXE
detected: riskware Invader Running process: C:\Program Files\Spyware Doctor\SDTrayApp.exe
detected: riskware Invader Running process: C:\Program Files\Spyware Doctor\sdloader.exe
detected: riskware Invader Running process: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
detected: riskware Invader Running process: C:\Program Files\Spyware Doctor\swdoctor.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\nvsvc32.exe
detected: riskware Invader Running process: C:\WINDOWS\system32\svchost.exe
detected: riskware Invader Running process: C:\WINDOWS\System32\svchost.exe
detected: riskware Invader Running process: C:\Program Files\Spyware Doctor\unins000.exe
detected: riskware Invader Running process: C:\Documents and Settings\Administrator\Local Settings\Temp\_iu14D2N.tmp

Would you please help me clean this mess up?

Thanks,
Nanny
Nanny
BTW, I downloaded the Spyware Doctor and did not like it so I uninstalled it. I see it is trying to do something in these files? Is it still in my computer somewhere?
redwolfe_98
i don't think that this is a good place to get help with cleaning your computer.. yes, you have some problems.. on the other hand, your kaspersky scan-log looks like it is also flagging a lot of legitimate files, maybe because malware is "hooking" into them, and it would not be good for those legitimate files to be removed.. or, it could be some "false-positives"..

you do have some "spyware doctor" files left on your computer, so it looks like it did not properly uninstall, for whatever reason, but don't worry about that, now..

for one thing, you have a "virtumonde", or "vundo", infection, and, apparently it is the new variant that a lot of people have been getting, lately, which uses a rootkit and "hooks" into your "winlogon".. and that is why your antimalware programs are not able to remove the infection..

here is a webpage with some info about removing the "vundo" infection:

http://wiki.castlecops.com/Malware_Removal:_Virtumundo

i think you also should try installing the "superantispyware" program.. it will remove some stuff, but it might not be able to remove the "vundo" rootkit infection.. you might need some help from an "expert", for that.. i don't mean that you need to take your computer to an "expert" in a shop, but help from an "expert" in one of the forums, on the internet..

here is the link for "superantispyware"..

http://www.superantispyware.com/

there also is a "superantispyware forum" where you can get help..

you also can get help in this forum:

http://www.dslreports.com/forum/cleanup

there are other forums where you could get help with removing malware from your computer.. those are just two of them that i am familiar with..
LS CalamityJane
QUOTE(redwolfe_98 @ May 8 2007, 06:38 AM)
i don't think that this is a good place to get help with cleaning your computer..

Whoa! Hold on! Of course we help with malware removal! Take a look around redwolfe and you find plenty of help being offered in the "Help! I've been infected forums". In fact, I'll move this topic over there and see what we can do.

@ Redwolfe98 - I think you might recognize me and perhaps did not know I am at this forum helping users, along with some pretty great volunteer security advisors.
.......................................

@Nanny,

Hello and welcome.

Could you please post the following so we can analyze your system and proceed with helping you to get this computer cleaned up.

I'm now subscribed to this topic so I will receive a notice from the board as soon as you reply, so I can be here much more quickly than it has taken to get to your new topic.

If you still need help we need two things:

1. Your Ad-Aware scan log with the latest reference file update.
Logs are stored in:
C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\
An easy way to get there is to
click Start,
click Run,
type in %appdata% and press ENTER,
then click Lavasoft,
then Ad-Aware,
and then Logs.
Scroll down to find the latest one that you have
(by date & time),
open it, right-click, Select All,
copy, and then paste the contents of it here.
...............
2. A diagnostic log from this free tool called HijackThis
Instructions on creating a HijackThis Log
http://www.lavasoftsupport.com/index.php?showtopic=216


Nanny
Oh Thank Goodness LS Calamity Jane.

I could really use some help.

I delete my quarantine after running Adaware but I have tried a few things. I downloaded SUPERantispyware, CCleaner, FSBL Blacklight, SFfix, VundoFix and finally RegCure. I have run all of them and the malware is still there. I do have HiJackThis so I will attach a log for you.

I would appreciate any help you can give me.

Thanks,
Nanny

I have deleted these files over and over again and they keep coming back. With some new weird ones each time!

O2 - BHO: (no name) - {69AE0223-2CBE-4B6F-B905-C77C7734E0CB} - C:\WINDOWS\system32\pmnlmkh.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\htofxagl.dll
O2 - BHO: (no name) - {EA2676C3-712F-4377-8A0C-6853017D2505} - C:\WINDOWS\system32\vtsqn.dll
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pimuimdj.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (I don't think this one is bad but I delete it anyway)
O20 - Winlogon Notify: pmnlmkh - C:\WINDOWS\SYSTEM32\pmnlmkh.dll
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll

I will also attach a copy of my Kaspersky Log as well.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:47:56 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sk.sympatico.ca/portal/site/pc-saskatchewan
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69AE0223-2CBE-4B6F-B905-C77C7734E0CB} - C:\WINDOWS\system32\pmnlmkh.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\htofxagl.dll
O2 - BHO: (no name) - {EA2676C3-712F-4377-8A0C-6853017D2505} - C:\WINDOWS\system32\vtsqn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Modem Booster] C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pimuimdj.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: pmnlmkh - C:\WINDOWS\SYSTEM32\pmnlmkh.dll
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5517 bytes

Kaspersky

detected: riskware Invader Running process: C:\WINDOWS\system32\winlogon.exe
detected: Trojan program Trojan-Spy.Win32.VBStat.h URL: http://82.98.235.61/ms_s_2.dll?uid=4CD48CC...21C2A5D2BA3D78C
detected: virus Packed.Win32.Klone.j URL: http://207.226.178.149/2mna.dll//PE_Patch.Morphine
detected: Trojan program Trojan-Spy.Win32.VBStat.h URL: http://82.98.235.61/ms_s_2.dll?uid=8A08C0F...21C2A5D2BA3D78C
deleted: Trojan program Trojan-Spy.Win32.VBStat.h File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\npdgsffy.dll
detected: riskware Invader Running process: C:\Documents and Settings\Administrator\Desktop\fsbl.exe
detected: Trojan program Trojan-Spy.Win32.VBStat.h URL: http://82.98.235.61/ms_s_2.dll?uid=3B36B1E...21C2A5D2BA3D78C
deleted: Trojan program Trojan-Spy.Win32.VBStat.h File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\skkyycbp.dll

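A defender-side check for the pattern redwolfe_98 describes and Nanny's logs show: the same unnamed system32 DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20), a rundll32 Run entry loading a system32 DLL, and the "(file missing)" registrations that linger after the file itself is gone. This is an added example, not code from the thread, from HijackThis or from Lavasoft; the sample lines are constructed from the entries posted above, and the indicator names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis format, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69AE0223-2CBE-4B6F-B905-C77C7734E0CB} - C:\WINDOWS\system32\pmnlmkh.dll
O2 - BHO: (no name) - {EA2676C3-712F-4377-8A0C-6853017D2505} - C:\WINDOWS\system32\vtsqn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pimuimdj.dll",realset
O20 - Winlogon Notify: pmnlmkh - C:\WINDOWS\SYSTEM32\pmnlmkh.dll
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
"""

# "O2 - BHO: ...", "O20 - Winlogon Notify: ...", "O4 - HKLM\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# rundll32 loaders: optional quotes around the DLL path, export name after the comma
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?', re.IGNORECASE)
MISSING = "(file missing)"


def parse_line(line):
    """Split one HijackThis entry into (section, detail); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def module_key(path):
    """Normalise a module path so SYSTEM32 and system32 spellings compare equal."""
    return path.strip().strip('"').lower()


def analyse(log_text):
    """Return {normalised module path: sorted indicator list} for entries worth a look.

    Indicator names are this example's own, not HijackThis terminology:
      no_name_bho              - a BHO with no registered name living in system32
      bho_and_winlogon_notify  - the same DLL is both a BHO and a Winlogon Notify package
      file_missing             - a registration whose DLL is gone (leftover to clean up)
      rundll32_loader          - a Run entry that starts a system32 DLL via rundll32;
                                 legitimate drivers do this too, so this is a review item
    """
    registered_under = defaultdict(set)   # module -> sections it is registered in
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, detail = parsed
        missing = detail.endswith(MISSING)
        detail = detail.replace(MISSING, "").strip()
        if section in ("O2", "O20"):
            # The module path is the last " - " separated field of the entry.
            module = module_key(detail.rsplit(" - ", 1)[-1])
            registered_under[module].add(section)
            if missing:
                findings[module].add("file_missing")
            if section == "O2" and "(no name)" in detail and "\\system32\\" in module:
                findings[module].add("no_name_bho")
        elif section == "O4":
            command = detail.split("]", 1)[-1].strip()
            m = RUNDLL_RE.match(command)
            if m and "\\system32\\" in m.group(1).lower():
                findings[module_key(m.group(1))].add("rundll32_loader")
    for module, sections in registered_under.items():
        if {"O2", "O20"} <= sections:
            findings[module].add("bho_and_winlogon_notify")
    return {module: sorted(tags) for module, tags in findings.items()}


def suspected_vundo(findings):
    """Modules showing the BHO + Winlogon Notify pairing, which reloads the adware at
    every logon and is why deleting the file alone does not stick."""
    return sorted(m for m, tags in findings.items() if "bho_and_winlogon_notify" in tags)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for module, tags in sorted(result.items()):
        print(f"{module}: {', '.join(tags)}")
    print("winlogon-hooked modules:", suspected_vundo(result))
```

Run against a full HijackThis log the output is a shortlist for a helper to review, not a verdict: NvCpl.dll is listed as a rundll32 loader too, which is exactly the kind of legitimate hit redwolfe_98 warns about.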
LS CalamityJane
Hi Nanny,

Download ComboFix from Here or Here and save it to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Then scan with HijackThis again to produce a new HijackThis log and post that as well please
Nanny
LS CalamityJane....You are a Sweetheart! I ran the ComboFix and the HijackThis and it looks like it took care of the problem. I don't know how to thank you! I've been struggling with this a long time. I will post my HiJackThis log but I have already deleted the files not found from this log and rebooted twice. Then I went online and tried a few sites and no pop ups! My Kaspersky says no infection found and I'm elated! You are a lifesaver! I was just about to reformat my computer (UGG) but this took care of it. You're a genius! LOL

Thank You, Thank You, Thank You,
Nanny

Here's my latest HiJackThis log just in case you're interested.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:44:52 AM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sk.sympatico.ca/portal/site/pc-saskatchewan
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69AE0223-2CBE-4B6F-B905-C77C7734E0CB} - C:\WINDOWS\system32\pmnlmkh.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: (no name) - {B97000EE-E5FB-492D-93ED-D81B7DE74F32} - C:\WINDOWS\system32\vtstr.dll (file missing)
O2 - BHO: (no name) - {EA2676C3-712F-4377-8A0C-6853017D2505} - C:\WINDOWS\system32\vtsqn.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Modem Booster] C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: pmnlmkh - pmnlmkh.dll (file missing)
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5470 bytes

QUOTE(LS CalamityJane @ May 14 2007, 09:09 PM)
Hi Nanny,

Download ComboFix from Here or Here and save it to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Then scan with HijackThis again to produce a new HijackThis log and post that as well please

LS CalamityJane
That's good to hear, only I didn't write the tool but I'll be sure to pass that along to the ComboFix author (username: sUBs). He calls it a "really lousy tool" but we think it's terrific.

There is still more to do and there may be additional files needed to delete so I really need to see the ComboFix log it made too, please. It should be located on your hard-drive and is named ComboFix.txt

Please copy that back here because I need to review it to add to the other things I see that still need to be fixed (even if we DID get all the active infection, I want to make sure we got all we can see and Combofix.txt will show me a wider list of things than is on the Hijackthis log)
Nanny
You betcha. I think it's a wonderful tool as it is the only thing I've found that fixed my computer!

Here's the ComboFix Log:

"Administrator" - 2007-05-15 6:41:52 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dnjgvudr.dll
C:\WINDOWS\system32\exbpgpmg.dll
C:\WINDOWS\system32\htofxagl.dll
C:\WINDOWS\system32\lqgwjxjh.dll
C:\WINDOWS\system32\mkulsyod.dll
C:\WINDOWS\system32\opnklih.dll
C:\WINDOWS\system32\rbcoepxa.dll
C:\WINDOWS\system32\sxlelins.dll
C:\WINDOWS\system32\gmpgpbxe.ini
C:\WINDOWS\system32\hjxjwgql.ini
C:\WINDOWS\system32\axpeocbr.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\Desktop.\internet explorer.lnk


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-15 ))))))))))))))))))))))))))))))))))


2007-05-14 14:00 970,673 --ahs---- C:\WINDOWS\system32\rtstv.bak1
2007-05-14 13:12 958,324 --ahs---- C:\WINDOWS\system32\nqstv.ini2
2007-05-13 20:31 955,767 --ahs---- C:\WINDOWS\system32\nqstv.bak1
2007-05-13 19:53 <DIR> d-------- C:\Program Files\HJT
2007-05-13 17:35 <DIR> d-------- C:\Program Files\RegCure
2007-05-13 16:20 956,911 --ahs---- C:\WINDOWS\system32\jjkkj.ini2
2007-05-13 16:08 956,664 --ahs---- C:\WINDOWS\system32\jjkkj.bak1
2007-05-13 16:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-13 15:45 <DIR> d-------- C:\Program Files\CCleaner
2007-05-13 11:30 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-13 11:30 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-13 11:30 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-07 07:16 90,112 --a------ C:\WINDOWS\system32\lfjbg13n.dll
2007-05-07 07:16 73,728 --a------ C:\WINDOWS\system32\lffax13n.dll
2007-05-07 07:16 453,120 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-05-07 07:16 445,440 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-05-07 07:16 388,608 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-05-07 07:16 265,216 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-05-07 07:16 246,272 --a------ C:\WINDOWS\system32\lfj2k13n.dll
2007-05-07 07:16 206,848 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-05-07 07:16 154,112 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-05-07 07:16 142,848 --a------ C:\WINDOWS\system32\lftif13n.dll
2007-05-07 07:16 1,693,696 --a------ C:\WINDOWS\system32\ltclr13n.dll
2007-05-06 15:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-05 22:01 2,882 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-05 15:52 878,252 --ahs---- C:\WINDOWS\system32\pqstv.ini2
2007-05-05 15:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-05 15:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 15:44 876,768 --ahs---- C:\WINDOWS\system32\pqstv.bak1
2007-05-05 15:31 <DIR> d-------- C:\VundoFix Backups
2007-05-05 13:00 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-05 12:39 <DIR> d-------- C:\WINDOWS\CSC
2007-05-05 07:50 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-04 18:02 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-05-04 18:02 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-05-04 18:01 12,149,792 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-05-04 18:01 112,160 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-05-04 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-05-04 18:00 <DIR> d-------- C:\KAV
2007-05-04 16:47 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-04 16:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-04-29 16:28 348,160 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2007-04-29 16:28 <DIR> d-------- C:\Program Files\Acoustica CD Label Maker
2007-04-29 16:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Acoustica
2007-04-29 16:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Acoustica
2007-04-20 20:38 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ACD Systems
2007-04-20 20:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ACD Systems
2007-04-20 20:36 <DIR> d-------- C:\Program Files\ACD Systems
2007-04-17 20:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-17 06:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Riverdeep Interactive Learning Limited
2007-04-17 06:33 970,752 --a------ C:\WINDOWS\system32\cdintf210.dll
2007-04-17 06:33 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-04-17 06:33 <DIR> d-------- C:\Program Files\Web Publish
2007-04-17 06:28 <DIR> d-------- C:\Program Files\Common Files\Broderbund
2007-04-17 06:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Broderbund Software
2007-04-15 21:24 <DIR> d-------- C:\WINDOWS\Downloaded Installations


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 15:18:38 -------- d-----w C:\Program Files\Lavasoft
2007-04-30 00:37:03 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Roxio
2007-04-29 23:38:47 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-04-17 12:26:51 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-05 03:34:20 -------- d-----w C:\Program Files\Webshots
2007-03-31 21:49:58 -------- d-----w C:\Program Files\TAXWIZ 2006
2007-03-31 17:41:26 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-23 12:07:56 1,683,280 ----a-w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 12:07:54 583,504 ----a-w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 02:25:02 124,928 ----a-w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 18:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 18:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-12 13:12:11 55,600 ----a-w C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-11 19:30:20 -------- d-----w C:\Program Files\Quicken
2007-03-10 01:52:52 200,768 ----a-w C:\WINDOWS\system32\klogon.dll
2007-03-10 01:26:32 -------- d-----w C:\Program Files\MSN Messenger
2007-03-10 00:24:49 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-10 00:15:34 -------- d-----w C:\Program Files\MSBuild
2007-03-10 00:12:22 -------- d-----w C:\Program Files\Reference Assemblies
2007-03-09 01:46:46 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 23:34:41 -------- d-----w C:\Program Files\WinMX
2007-03-07 03:42:34 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-03-07 03:42:31 -------- d-----w C:\Program Files\Google
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-04-07 01:07]
{69AE0223-2CBE-4B6F-B905-C77C7734E0CB}=C:\WINDOWS\system32\pmnlmkh.dll []
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-03-06 21:42]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-04-07 01:21]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll [2007-03-30 11:25]
{B97000EE-E5FB-492D-93ED-D81B7DE74F32}=C:\WINDOWS\system32\vtstr.dll []
{EA2676C3-712F-4377-8A0C-6853017D2505}=C:\WINDOWS\system32\vtsqn.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"Modem Booster"="C:\\Program Files\\inKline Global\\Modem Booster\\ModemBtr.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"RegistryMechanic"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 23:43]
"nwiz"="nwiz.exe" [2006-08-11 23:43 C:\WINDOWS\system32\nwiz.exe])
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 23:43]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 05:07]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 11:19]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 01:42]
"Modem Booster"="C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe" [2005-10-10 18:58]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-01-04 15:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50]
"RegistryMechanic"="" [])

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-01 09:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 06:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{69AE0223-2CBE-4B6F-B905-C77C7734E0CB}"="C:\WINDOWS\system32\pmnlmkh.dll" []


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlmkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\
Security Packages kerberosmsv1_0schannelwdigest\
Notification Packages scecli\

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^administrator^start menu^programs^startup^webshots.lnk
C:\PROGRA~1\Webshots\Launcher.exe /t

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^acrobat assistant.lnk
C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe gamma loader.lnk
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^corel registration.lnk
C:\PROGRA~1\Corel\WORDPE~1\Register\Remind32.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^corelcentral 9.lnk
C:\PROGRA~1\Corel\WORDPE~1\programs\ccwin9.exe /NoSplash

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^corelcentral alarms.lnk
C:\PROGRA~1\Corel\WORDPE~1\programs\alarm.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^desktop application director 9.lnk
C:\PROGRA~1\Corel\WORDPE~1\programs\dad9.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^google updater.lnk
C:\PROGRA~1\Google\GOOGLE~2\GOOGLE~1.EXE -systray -startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^winzip quick pick.lnk
C:\PROGRA~1\WinZip\WZQKPICK.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\incredimail
C:\Program Files\IncrediMail\bin\IncMail.exe /c

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lexmark x73 button manager
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lexmark x73 button monitor
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\roxioaudiocentral
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\roxiodragtodisc
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\roxioengineutility
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\userfaultcheck
%systemroot%\system32\dumprep 0 -u

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winflyer32.dll
"rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\
LocalService AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService DnsCache\
DcomLaunch DcomLaunchTermService\
rpcss RpcSs\
imgsvc StiSvc\
termsvcs TermService\
WudfServiceGroup WUDFSvc\

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070514-125455-738
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll
backup-20070514-125455-287
O20 - Winlogon Notify: pmnlmkh - C:\WINDOWS\SYSTEM32\pmnlmkh.dll
backup-20070514-125455-475
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\htofxagl.dll
backup-20070514-125455-464
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20070514-125455-650
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pimuimdj.dll",realset
backup-20070514-125455-255
O2 - BHO: (no name) - {EA2676C3-712F-4377-8A0C-6853017D2505} - C:\WINDOWS\system32\vtsqn.dll
backup-20070514-125455-932
O2 - BHO: (no name) - {69AE0223-2CBE-4B6F-B905-C77C7734E0CB} - C:\WINDOWS\system32\pmnlmkh.dll
backup-20070513-171447-457
O20 - Winlogon Notify: pmnlmkh - C:\WINDOWS\SYSTEM32\pmnlmkh.dll
backup-20070513-171447-821
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
backup-20070513-171446-369
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
backup-20070513-171446-713
O2 - BHO: (no name) - {69AE0223-2CBE-4B6F-B905-C77C7734E0CB} - C:\WINDOWS\system32\pmnlmkh.dll
backup-20070513-171446-194
O2 - BHO: (no name) - {A95D91DD-C5D1-44AD-BE8B-4C379198C7D7} - C:\WINDOWS\system32\jkkjj.dll (file missing)
backup-20070513-171446-974
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20070513-120812-457
O20 - Winlogon Notify: pmnlmkh - C:\WINDOWS\SYSTEM32\pmnlmkh.dll
backup-20070513-120812-572
O2 - BHO: (no name) - {F54BF22D-ED85-492A-8554-E88B9A9A9BBE} - C:\WINDOWS\system32\geebc.dll (file missing)
backup-20070513-120812-568
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\mkulsyod.dll
backup-20070513-120812-799
O2 - BHO: (no name) - {69AE0223-2CBE-4B6F-B905-C77C7734E0CB} - C:\WINDOWS\system32\pmnlmkh.dll
backup-20070513-120812-957
O2 - BHO: (no name) - {272FD83A-CF4E-4D41-8341-41720ED290E2} - C:\WINDOWS\system32\ddcca.dll (file missing)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-15 06:43:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-15 6:43:56
C:\ComboFix-quarantined-files.txt ... 2007-05-15 06:43




QUOTE(LS CalamityJane @ May 15 2007, 02:25 PM) *
That's good to hear, only I didn't write the tool, but I'll be sure to pass that along to the ComboFix author (username: sUBs). He calls it a "really lousy tool" but we think it's terrific.

There is still more to do and there may be additional files needed to delete so I really need to see the ComboFix log it made too, please. It should be located on your hard-drive and is named ComboFix.txt

Please copy that back here because I need to review it and add to the other things I see that still need to be fixed (even if we DID get all the active infection, I want to make sure we got all we can see, and ComboFix.txt will show me a wider list of things than is on the HijackThis log).

LS CalamityJane
Thanks, yes there are some additional cleanups we need to do.

First, you don't need to worry about ctfmon.exe. It is a valid file from Microsoft related to Office XP.
See here:
http://support.microsoft.com/default.aspx/kb/282599/en-us

You disabled an item in startups that I need you to put back so we can fix it - not just disable it.
The related file was already deleted by Kaspersky.

Go to Start > Run and type in the box: msconfig
In the Startup section, put a checkmark next to this entry:
C:\WINDOWS\system32\WinFlyer32.dll

Now, Open HijackThis and do a *system scan only*
When it finishes, place a checkmark next to these entries, and when done press the *fix checked* button.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {B97000EE-E5FB-492D-93ED-D81B7DE74F32} - C:\WINDOWS\system32\vtstr.dll (file missing)

O2 - BHO: (no name) - {EA2676C3-712F-4377-8A0C-6853017D2505} - C:\WINDOWS\system32\vtsqn.dll (file missing)

O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run

O20 - Winlogon Notify: pmnlmkh - pmnlmkh.dll (file missing)

O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)

O20 - Winlogon Notify: vtstr - C:\WINDOWS\

After pressing the *fix checked* button you can close HijackThis.

Delete these files:

C:\WINDOWS\system32\rtstv.bak1

C:\WINDOWS\system32\nqstv.ini2

C:\WINDOWS\system32\nqstv.bak1

C:\WINDOWS\system32\jjkkj.ini2

C:\WINDOWS\system32\jjkkj.bak1

C:\WINDOWS\system32\pqstv.ini2

Then run another scan with HijackThis and post a fresh log please.

NOTE: Depending on the settings you chose for Ad-Watch, when you do those fixes above using HijackThis, or when you restart your system next time, you may get an alert from Ad-Watch about changes to the registry. Look at the items carefully, because it will see the changes we made using HijackThis to *remove* registry entries, so you want to *allow* those changes. It won't know whether those changes were yours on purpose or malware; it's going to alert you on changes to protected areas of the registry, so you need to be aware of that when adding new software or doing Windows updates, etc.

It might be a good idea to go ahead and try that now in case you have any questions or problems.

Nanny
OK, I ran HiJackThis and deleted the files suggested but the files below
C:\WINDOWS\system32\rtstv.bak1

C:\WINDOWS\system32\nqstv.ini2

C:\WINDOWS\system32\nqstv.bak1

C:\WINDOWS\system32\jjkkj.ini2

C:\WINDOWS\system32\jjkkj.bak1

C:\WINDOWS\system32\pqstv.ini2
are not on my computer anymore. I even did a search for each one and they are gone. Also, I turned on Winflyer in start up but when I rebooted my computer it said error files missing. Is this good or bad? What is Winflyer?

Here is the new HiJackThis Log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:26:50 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sk.sympatico.ca/portal/site/pc-saskatchewan
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Modem Booster] C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5255 bytes
Thanks LS CalamityJane. You are very thorough and I appreciate it! I'm anxiously awaiting your next post.


LS CalamityJane
QUOTE(Nanny @ May 15 2007, 11:32 PM) *
OK, I ran HiJackThis and deleted the files suggested but the files below
C:\WINDOWS\system32\rtstv.bak1

C:\WINDOWS\system32\nqstv.ini2

C:\WINDOWS\system32\nqstv.bak1

C:\WINDOWS\system32\jjkkj.ini2

C:\WINDOWS\system32\jjkkj.bak1

C:\WINDOWS\system32\pqstv.ini2
are not on my computer anymore. I even did a search for each one and they are gone.


OK, that's good. A prior cleaning step may have already deleted them.

QUOTE
Also, I turned on Winflyer in start up but when I rebooted my computer it said error files missing. Is this good or bad?

That was normal: the file was missing because Kaspersky deleted the file early on; however, it could not find the associated startup key in the registry because you had disabled it. The step to have HijackThis *fix* that key after re-enabling it should have eliminated it, and you will not see that error any more.
QUOTE
What is Winflyer?
It's malware associated with Vundo. It is a trojan downloader. I found your first topic
http://forum.kaspersky.com/index.php?showtopic=37648
posted in the Kaspersky forums on May 5 where KAV deleted this file (from your KAV scan log there):
deleted: Trojan program Trojan-Dropper.Win32.Agent.bhc File: C:\WINDOWS\system32\WinFlyer32.dll

And I could see it still in the registry in your logs posted here (ComboFix log showed this):
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winflyer32.dll
"rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run

Having fixed that now, your HijackThis log looks fine.
................
However your Sun Java program is outdated:
C:\Program Files\Java\jre1.5.0_05\ <---this is an OLD version of Sun Java

Your Sun Java is very out of date and a security vulnerability!

Old versions left on your PC, even after updating, can be vulnerable to malware exploits. Go to Start / Control Panel and look in Add/Remove Programs. Remove all old versions of Sun Java.
They will appear in the "J's" something similar to:

j2re1.4.2_05 or

JAVA 2 RUNTIME ENVIRONMENT SE V1.4.2_03

JAVA 2 RUNTIME ENVIRONMENT SE V.14.2_06

(or similar, and there may be more than one. Remove them all)

Then go get the latest up to date version here:
http://www.java.com/en/download/manual.jsp

Here's why removing old versions of Sun Java is important:
Potential Vulnerability with Sun Java auto update
http://www.dslreports.com/forum/remark,14738046

This is a vulnerability in that Sun Java new updated versions do not remove prior vulnerable versions. You will have to remember to do that manually whenever you update your Sun Java.
........................................
Some final cleanup and prevention recommendations follow.

You can go ahead and delete any special tools we used (ComboFix, VundoFix, SDFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and no need to keep them.

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
......................
Also, I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.

Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.


Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help.
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.
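
As an added example for the log triage described in this reply (not part of the thread, and not HijackThis's own code), the script below parses the O2, O4 and O20 line formats seen in the logs above, lists the entries HijackThis marked as orphaned ("(file missing)" or "(no file)", i.e. the registry keys left behind once the antivirus deleted the DLL), and reports DLLs referenced from more than one section, such as vtsqn.dll being both a BHO and a Winlogon Notify handler. The sample log lines are constructed from the shapes in the thread.

```python
"""Triage a HijackThis log for orphaned and cross-referenced autostart entries.

Added example for this thread; not part of HijackThis or of the forum posts.
Parses the O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) line formats
seen in the logs above and reports two things a helper looks for:
  * entries HijackThis marked "(file missing)" or "(no file)": registry
    keys left behind after the antivirus deleted the DLL they point at;
  * DLLs referenced from more than one section, e.g. a BHO that is also
    registered as a Winlogon Notify handler (vtsqn.dll in the thread).
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample: line shapes copied from the thread, not a real scan.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {EA2676C3-712F-4377-8A0C-6853017D2505} - C:\WINDOWS\system32\vtsqn.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll (file missing)
O20 - Winlogon Notify: pmnlmkh - pmnlmkh.dll (file missing)
"""


class Entry(NamedTuple):
    section: str   # "O2", "O4" or "O20"
    name: str      # BHO display name, Run value name or Notify subkey
    target: str    # module the entry loads, as written in the log ("" if none)
    missing: bool  # HijackThis could not find the target on disk


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<rest>.*)$")
# A drive-letter path ending in .dll/.exe (stops at the quote or at the comma
# separating a rundll32 module from its entry point), else a bare module name.
ABS_PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe)', re.IGNORECASE)
BARE_MODULE_RE = re.compile(r"[\w.-]+\.(?:dll|exe)", re.IGNORECASE)
MISSING_MARKERS = ("(file missing)", "(no file)")


def extract_module(command: str) -> str:
    """Pull the DLL/EXE an autostart command actually loads."""
    m = ABS_PATH_RE.search(command) or BARE_MODULE_RE.search(command)
    return m.group(0) if m else ""


def split_target(rest: str) -> tuple[str, bool]:
    """Separate the module path from HijackThis's missing-file marker."""
    missing = False
    for marker in MISSING_MARKERS:
        if rest.endswith(marker):
            rest, missing = rest[: -len(marker)].strip(), True
    module = extract_module(rest)
    return module, missing or module == ""


def parse_log(text: str) -> list[Entry]:
    """Parse O2/O4/O20 lines; other sections (R0, O3, O23, ...) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        sub = {"O2": BHO_RE, "O4": RUN_RE, "O20": NOTIFY_RE}.get(section)
        parsed = sub.match(body) if sub else None
        if not parsed:
            continue
        target, missing = split_target(parsed["rest"])
        entries.append(Entry(section, parsed["name"], target, missing))
    return entries


def orphaned_entries(entries: list[Entry]) -> list[Entry]:
    """Autostart entries whose module is gone: candidates for 'fix checked'."""
    return [e for e in entries if e.missing]


def shared_modules(entries: list[Entry]) -> dict[str, list[str]]:
    """Module basename -> sections that load it, for modules used in 2+ places."""
    by_module: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        if e.target:
            by_module[e.target.rsplit("\\", 1)[-1].lower()].add(e.section)
    return {mod: sorted(secs) for mod, secs in by_module.items() if len(secs) > 1}


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in orphaned_entries(found):
        print(f"orphaned {e.section} entry '{e.name}' -> {e.target or '(no file)'}")
    for mod, secs in shared_modules(found).items():
        print(f"{mod} is loaded from {', '.join(secs)}")
```

Note that an O4 rundll32 entry is not marked missing by the log line itself (the WinFlyer32.dll line above shows this), so the on-disk check for those still has to be made separately, as the helper did with Kaspersky's deletion record.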

Nanny
OK, I updated my Sun Java but I did not know you needed to uninstall the old version every time you update. I've just been updating the version I had. This time I uninstalled the old version and downloaded the new one.

I ran the clean manager and also did some maintenance...error checking and a defrag.

I had turned off my system restore and set my settings to show hidden files and folders when I started having trouble. My system restore is now back on.

I have downloaded the MBSA and intend to learn about it and use it.

There is a tremendous amount of excellent information you've given me and I hope others read and learn these things also.

Is there anything else I should do? I enjoy learning about computers and most of my learning has come the hard way...having to do it myself! You've given me a lot to read and learn and I appreciate all of it.

LS CalamityJane, you are an excellent teacher and you've helped me so very much.

Thank You!

Nanny
LS CalamityJane
Good morning! Nanny

I'm really glad we could help and your willingness to learn about your PC security makes it a pleasure to pass along whatever helpful info we can.

I particularly LOVE the MBSA for security evaluation and, although Microsoft recommends this tool for commercial use, it is extremely helpful to home users as well. It's very easy to interpret the results, and it helps you understand some important areas of overall Windows security that home users may not be aware of.