
distraught!



AmandaShort
2007-05-20, 22:45
It seems my nephew went to a site that installed junk on my PC and I am unable to resolve the resulting problems.

I have used Spybot S&D, Panda online, XoftSpySE and Vundo.exe.

They SEEM to remove all of the viruses but they keep reappearing, and I can't get rid of that pesky rqrssrs.dll file. I've used Unlocker to delete it but my PC reboots at every attempt.

From reading through this forum, I see logs are requested.

I hope this is what is needed. Thanks so much in advance!!

I have Combofix log if needed [too large to fit in this msg]

Logfile of HijackThis v1.99.1
Scan saved at 3:33:41 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CD27258-B923-479E-AE31-6F8D79A017BC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A32D244A-CCCC-4855-BE97-713230F7A5D0} - (no file)
O2 - BHO: (no name) - {D6C2256F-6B4D-43C8-A2B0-94717CAFC62F} - (no file)
O2 - BHO: (no name) - {D7AD7FBF-44B5-4077-9ED3-4104FD145045} - C:\WINDOWS\system32\ssqro.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CaptureWiz.lnk = C:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173537208437
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
O20 - Winlogon Notify: pmkjjBAK - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

AmandaShort
2007-05-20, 22:46
"Owner" - 2007-05-20 15:25:01 Service Pack 2
ComboFix 07-05.21.3.V - Running from: "C:\Documents and Settings\Owner\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\rqrssrs.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-20 ))))))))))))))))))))))))))))))))))


2007-05-20 12:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ipswitch
2007-05-20 06:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-19 19:21 <DIR> d-------- C:\VundoFix Backups
2007-05-19 13:37 <DIR> d-------- C:\Program Files\XoftSpySE
2007-05-18 22:33 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-09 06:18 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-05 19:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-05-05 19:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-05-05 19:21 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-05-05 19:21 104,960 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-05-05 19:21 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Logitech
2007-05-05 19:20 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Musicmatch
2007-05-05 19:19 78,864 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2007-05-05 19:19 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2007-05-05 19:19 62,992 --a------ C:\WINDOWS\system32\drivers\L8042mou.Sys
2007-05-05 19:19 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-05-05 19:19 20,496 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys
2007-05-05 19:19 163,840 --a------ C:\WINDOWS\system32\kemutb.dll
2007-05-05 19:19 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll
2007-05-05 19:19 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2007-05-05 19:19 101,136 --a------ C:\WINDOWS\KHALMNPR.Exe
2007-05-05 19:19 <DIR> d-------- C:\Program Files\Logitech
2007-05-05 19:19 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-05-03 19:28 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-05-03 19:27 49,920 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-05-03 19:23 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-05-03 17:47 <DIR> d-------- C:\bin
2007-05-03 17:46 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-05-03 17:44 <DIR> d-------- C:\Program Files\Common Files\HP
2007-05-03 17:43 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-05-03 17:40 <DIR> d-------- C:\TEMP
2007-05-03 17:37 117,092 --a------ C:\WINDOWS\hpoins11.dat
2007-04-29 07:30 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-04-29 07:29 <DIR> d-------- C:\Program Files\MSBuild
2007-04-29 07:26 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-04-29 07:25 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-04-29 07:23 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-04-29 07:23 <DIR> d-------- C:\626180773ed34288cc845f
2007-04-29 07:17 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-04-29 07:17 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-04-29 07:17 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-04-22 21:36 26,000 --a------ C:\WINDOWS\system32\E3TL.DLL
2007-04-22 21:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zenturi


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-20 04:06:53 -------- d-----w C:\Program Files\WS_FTP Pro
2007-05-20 04:00:16 -------- d-----w C:\Program Files\Digital Media Reader
2007-05-18 02:30:41 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-05-16 03:18:06 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-16 03:17:04 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-06 00:20:31 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-03 22:57:54 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\HP
2007-05-02 21:39:32 62,416 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-04-11 02:17:46 -------- d-----w C:\Program Files\SupportSoft
2007-04-07 02:25:16 -------- d-----w C:\Program Files\Symantec
2007-04-01 21:46:11 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-04-01 21:41:51 -------- d-----w C:\Program Files\Comodo
2007-04-01 03:13:34 115,824 ------w C:\WINDOWS\UnVet32.exe
2007-04-01 03:13:34 111,728 ------w C:\WINDOWS\AVShlExt.dll
2007-04-01 03:12:26 -------- d-----w C:\Program Files\Common Files\Scanner
2007-03-31 23:49:24 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-03-31 23:27:06 6 ------w C:\WINDOWS\system32\mkghj.dll
2007-03-31 14:28:06 -------- d-----w C:\Program Files\Pro Imaging Powertoys
2007-03-31 14:28:06 -------- d-----w C:\Program Files\Common Files\Nikon
2007-03-26 21:28:53 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Intuit
2007-03-26 21:12:42 -------- d-----w C:\Program Files\ItsDeductible2006
2007-03-26 21:09:49 -------- d-----w C:\Program Files\Common Files\Intuit
2007-03-26 21:08:52 -------- d-----w C:\Program Files\TurboTax
2007-03-26 21:08:18 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-03-25 06:51:15 -------- d-----w C:\Program Files\BigFix
2007-03-23 11:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 11:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 01:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-21 01:31:15 -------- d-----w C:\Program Files\Common Files\PC Tools
2007-03-19 02:56:16 -------- d-----w C:\Program Files\Driver Validation
2007-03-19 00:20:52 -------- d-----w C:\Program Files\CaptureWiz
2007-03-18 12:49:54 -------- d-----w C:\Program Files\Common Files\Real
2007-03-18 12:38:57 -------- d-----w C:\Program Files\FoxyTunes
2007-03-18 05:55:49 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\FoxyTunes
2007-03-18 02:38:49 33,824 ------w C:\WINDOWS\system32\drivers\oreans32.sys
2007-03-18 02:38:45 -------- d-----w C:\Program Files\Common Files\AVSMedia
2007-03-18 02:38:39 -------- d-----w C:\Program Files\AVSMedia
2007-03-18 02:23:59 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-03-18 01:21:42 -------- d-----w C:\Program Files\HP
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 02:05:34 -------- d-----w C:\Program Files\Photo Story 3 for Windows
2007-03-14 22:33:19 -------- d-----w C:\Program Files\Hardwood Spades
2007-03-14 22:32:05 -------- d-----w C:\Program Files\SilverCreekCommonFiles
2007-03-14 01:47:54 167,936 ------w C:\WINDOWS\system32\fpres532.dll
2007-03-14 01:45:58 303,104 ------w C:\WINDOWS\system32\fpmon5.dll
2007-03-12 00:06:41 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\PixelMetrics
2007-03-11 23:47:48 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Help
2007-03-10 14:45:03 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\theimagingfactory
2007-03-10 04:48:14 -------- d-----w C:\Program Files\GretagMacbeth
2007-03-10 04:36:14 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-10 02:40:00 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Ipswitch
2007-03-10 02:27:17 -------- d-----w C:\Program Files\Common Files\Webroot Shared
2007-03-10 02:14:26 -------- d-----w C:\Program Files\DFX
2007-03-10 00:33:41 -------- d-----w C:\Program Files\MUSICMATCH
2007-03-10 00:30:16 -------- d-----w C:\Program Files\Webroot
2007-03-10 00:30:16 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Webroot
2007-03-10 00:29:17 -------- d-----w C:\Program Files\WeBuilder 2006
2007-03-10 00:29:16 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Blumentals
2007-03-10 00:05:40 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\ACD Systems
2007-03-09 23:56:38 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-03-09 23:15:53 -------- d-----w C:\Program Files\XemiComputers
2007-03-09 23:08:54 -------- d-----w C:\Program Files\ACD Systems
2007-03-09 23:08:51 -------- d-----w C:\Program Files\Common Files\ACD Systems
2007-03-09 22:51:51 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-03-09 22:23:13 -------- d-----w C:\Program Files\Messenger
2007-03-09 22:14:45 -------- d-----w C:\Program Files\MSXML 4.0
2007-03-09 20:40:19 -------- d-----w C:\Program Files\Common Files\Vbox
2007-03-09 20:31:57 -------- d-----w C:\Program Files\Web Gallery Wizard PRO
2007-03-09 20:20:44 -------- d-----w C:\Program Files\CyberLink
2007-03-09 20:16:41 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Symantec
2007-03-09 19:46:32 -------- d-----w C:\Program Files\Pure Networks
2007-03-09 19:45:12 -------- d-----w C:\Program Files\Napster
2007-03-09 19:43:30 -------- d-----w C:\Program Files\Common Files\AOL
2007-03-09 18:54:54 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SampleView
2007-03-09 18:52:10 -------- d-----w C:\Program Files\MSN Encarta Plus
2007-03-09 18:51:55 -------- d-----w C:\Program Files\Intel Audio Studio
2007-03-09 18:50:59 -------- d-----w C:\Program Files\SigmaTel
2007-03-09 18:50:08 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-03-09 18:49:51 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-09 18:49:40 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\You've Got Pictures Screensaver
2007-03-09 18:49:38 -------- d-----w C:\Program Files\Common Files\Nullsoft
2007-03-09 18:49:25 -------- d-----w C:\Program Files\QuickTime
2007-03-09 18:48:08 335 ------w C:\WINDOWS\nsreg.dat
2007-03-09 18:47:31 -------- d-----w C:\Program Files\SIFXINST
2007-03-09 18:45:20 -------- d-----w C:\Program Files\Intel
2007-03-09 18:30:37 -------- d-----w C:\Program Files\Google
2007-03-09 18:30:01 -------- d-----w C:\Program Files\Microsoft Picture It! 10
2007-03-09 18:28:00 -------- d-----w C:\Program Files\Microsoft Works
2007-03-09 18:25:04 -------- d-----w C:\Program Files\Ahead
2007-03-09 18:24:04 -------- d-----w C:\Program Files\Common Files\Ahead
2007-03-09 18:23:58 -------- d-----w C:\Program Files\Common Files\New Boundary
2007-03-09 18:14:14 60 ------w C:\WINDOWS\system32\SYSDRV.DAT
2007-03-09 18:13:45 -------- d-----w C:\Program Files\Windows NT
2007-03-09 18:13:43 -------- d-----w C:\Program Files\Movie Maker
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 18:34:28 676,224 ------w C:\WINDOWS\system32\OGACheckControl.DLL
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]
{D7AD7FBF-44B5-4077-9ED3-4104FD145045}=C:\WINDOWS\system32\ssqro.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 03:55]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-14 17:51]
"nwiz"="nwiz.exe" [2005-12-14 17:51 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-14 17:51]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-03-13 20:47]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-20 21:29]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-04-01 16:41]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19]
"XoftSpySE"="C:\Program Files\XoftSpySE\xoftspy.exe" [2007-03-30 13:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-02-20 16:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]
C:\WINDOWS\system32\mllmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjjBAK]
wlnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
backup=C:\WINDOWS\pss\Install Pending Files.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ProfileReminder.lnk]
backup=C:\WINDOWS\pss\ProfileReminder.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProgramChecker]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d42a102-ce6a-11db-af3a-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070520-143256-238
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

backup-20070520-143256-733
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


backup-20070520-143256-159
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


backup-20070520-143256-442
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

backup-20070520-143256-525
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\nlpiakfs.dll",realset

Contents of the 'Scheduled Tasks' folder

2007-05-20 20:28:45 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-05-20 03:02:52 C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-20 15:28:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-20 15:31:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-20 15:31


--- E O F ---

pskelley
2007-05-22, 14:34
Welcome to Safer Networking. If you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

What will be handy would be if you read and follow the above directions and post only what I request.

This is indeed a Vundo infection, some information for you:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/

Please see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_11\ <<< out of date, download the newest Java version and uninstall all old versions in Add Remove programs.

Since I have not seen the Vundofix log I am looking at the HJT log and it appears you were successful? I will finish the cleanup and ask you to report on any symptoms.

1) You are running HJT from a TEMP folder, there will be no backups for safety if needed. Move HJT here: C:\HJT\HijackThis.exe. If you need more instructions, use these:
http://russelltexas.com/malware/createhjtfolder.htm

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {4CD27258-B923-479E-AE31-6F8D79A017BC} - (no file)
O2 - BHO: (no name) - {A32D244A-CCCC-4855-BE97-713230F7A5D0} - (no file)
O2 - BHO: (no name) - {D6C2256F-6B4D-43C8-A2B0-94717CAFC62F} - (no file)
O2 - BHO: (no name) - {D7AD7FBF-44B5-4077-9ED3-4104FD145045} - C:\WINDOWS\system32\ssqro.dll (file missing)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
O20 - Winlogon Notify: pmkjjBAK - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Use the instructions in this link to run AVG Anti-Spyware, delete or quarantine anything it finds and post the scan report.
http://forums.security-central.us/showthread.php?t=3165

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post that scan report and a new HJT log. Let me know how the computer is running.

Thanks...Phil
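The entries Phil picked out in step 4 share one property: each is a registered load point (an R0 start-page value, an O2 BHO CLSID, an O20 Winlogon Notify package) whose target file is blank or no longer on disk, which is exactly what a half-removed Vundo leaves behind. The script below is an added example written for this page; it is not part of the thread, not HijackThis code, and not a tool from Safer Networking. It parses HijackThis-style log lines (a constructed sample built from the entries posted above) and applies three assumed heuristics that mirror Phil's selection: flag an R0 line with an empty value, an O2 line ending in "(no file)" or "(file missing)", and an O20 line whose target is not an existing .dll. Legitimate neighbours (the Adobe and Spybot BHOs, the WgaLogon notify package) must come through unflagged.

```python
import re

# Constructed sample input: a subset of the HijackThis v1.99.1 lines posted
# in this thread, with the entries the helper asked to fix plus legitimate
# neighbours that must NOT be flagged.  (Assumed sample, not a full log.)
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CD27258-B923-479E-AE31-6F8D79A017BC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A32D244A-CCCC-4855-BE97-713230F7A5D0} - (no file)
O2 - BHO: (no name) - {D6C2256F-6B4D-43C8-A2B0-94717CAFC62F} - (no file)
O2 - BHO: (no name) - {D7AD7FBF-44B5-4077-9ED3-4104FD145045} - C:\WINDOWS\system32\ssqro.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)
O20 - Winlogon Notify: pmkjjBAK - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# Every HJT entry line starts with its section code ("R0", "O2", "O20", ...).
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d{1,2}) - (?P<body>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Yield (kind, body, raw_line) for every HijackThis entry line."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("kind"), m.group("body"), raw


def classify(kind, body):
    """Return a reason string if the entry is a dead load point, else None.

    Heuristics (assumptions made for this example, mirroring the helper's
    selection in the thread):
      R0  with an empty value            -> blanked IE page setting
      O2  BHO whose DLL is absent        -> orphaned BHO CLSID
      O20 Winlogon Notify without a DLL  -> orphaned notification package
    """
    if kind == "R0" and body.rstrip().endswith("="):
        return "empty IE page value"
    if kind == "O2" and body.endswith(MISSING_MARKERS):
        return "BHO registered but DLL absent"
    if kind == "O20":
        # body looks like "Winlogon Notify: <name> - <target>"
        _, _, target = body.partition(" - ")
        if target.endswith(MISSING_MARKERS) or not target.lower().endswith(".dll"):
            return "Winlogon Notify package has no loadable DLL"
    return None


def suspicious_entries(text):
    """Return [(raw_line, reason)] in log order: the lines to tick in HJT."""
    found = []
    for kind, body, raw in parse_hjt(text):
        reason = classify(kind, body)
        if reason:
            found.append((raw, reason))
    return found


if __name__ == "__main__":
    for line, why in suspicious_entries(SAMPLE_HJT_LOG):
        print(f"{why:45s} {line}")
```

Run against the sample it returns exactly the seven lines from step 4 and nothing else; the orphaned O9 button with "(no file)" is deliberately left alone, since Phil did not ask for it. The useful caveat is the one Phil gives in step 3: a resident scanner may block the registry change, and an O20 Winlogon Notify package that still has its DLL on disk is loaded by winlogon.exe at logon, which is why a file like that reappears or cannot be deleted while the session is running.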

tashi
2007-05-29, 06:10
This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.