Vundo or Virtumonde



Tntjacobs
2008-02-12, 08:36
I started having pop-ups, and my Avira antivirus came up with files infected by vundo.gen and vundo.dwk. I have tried to fix the problem with a smitfraud_c remover and the Avira removal tool. Nothing is working. I would appreciate any help you may have.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:59 AM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\AOL\1200297728\ee\AOLSoftware.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AOL 9.1\waol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {763BA8E0-72C7-4213-84F2-140D1B57D17F} - C:\WINDOWS\system32\awvtr.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: {df14a828-8ac5-1139-b6d4-2ed9c003c6fa} - {af6c300c-9de2-4d6b-9311-5ca8828a41fd} - C:\WINDOWS\system32\xslxqhyx.dll
O2 - BHO: (no name) - {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} - C:\WINDOWS\system32\efccaxw.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1200297728\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200296457421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200296884734
O20 - Winlogon Notify: efccaxw - C:\WINDOWS\SYSTEM32\efccaxw.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6159 bytes

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 11, 2008 10:59:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/02/2008
Kaspersky Anti-Virus database records: 558175
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 48516
Number of viruses found: 2
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 01:47:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\aolusers.fus Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\idb\TamLke\mydb.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\idb\TamLke\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\organize\CACHE\taml01 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\organize\tamlke Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\organize\tamlke.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.1\organize\tamlke.aby Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TnT\Application Data\AOL\C_AOL 9.1\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\TnT\Application Data\AOL\C_AOL 9.1\IDB\art.idx Object is locked skipped
C:\Documents and Settings\TnT\Application Data\AOL\C_AOL 9.1\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\TnT\Application Data\AOL\C_AOL 9.1\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\TnT\Application Data\AOL\C_AOL 9.1\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\TnT\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\cert8.db Object is locked skipped
C:\Documents and Settings\TnT\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\TnT\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\history.dat Object is locked skipped
C:\Documents and Settings\TnT\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\key3.db Object is locked skipped
C:\Documents and Settings\TnT\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\linkpad.sqlite Object is locked skipped
C:\Documents and Settings\TnT\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\parent.lock Object is locked skipped
C:\Documents and Settings\TnT\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\search.sqlite Object is locked skipped
C:\Documents and Settings\TnT\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\TnT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\Cache\633285D9d01/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\Cache\633285D9d01 ZIP: infected - 1 skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\TnT\Local Settings\Temporary Internet Files\Content.IE5\DAWZOZHS\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\TnT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TnT\ntuser.dat Object is locked skipped
C:\Documents and Settings\TnT\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{155F9B7B-BB1D-4A6F-ADF5-B2959D0ACBDE}\RP42\A0007123.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{155F9B7B-BB1D-4A6F-ADF5-B2959D0ACBDE}\RP45\A0007287.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{155F9B7B-BB1D-4A6F-ADF5-B2959D0ACBDE}\RP47\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cpqlrsbw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\efccaxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xrhidtrd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\xslxqhyx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\yrhgynbg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{155F9B7B-BB1D-4A6F-ADF5-B2959D0ACBDE}\RP47\change.log Object is locked skipped
D:\Norton Removal Tools\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Norton Removal Tools\SmitfraudFix.zip ZIP: infected - 1 skipped
D:\Norton Removal Tools\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

Scan process completed.
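Added example, not from the original post or the thread's helper: a Python script that correlates the HijackThis O2/O20 entries above with the DLLs Kaspersky reported as Virtumonde, the cross-check a helper does by eye before deciding which entries to fix. The sample lines are a constructed subset of the two logs above, and the heuristics (unnamed BHO in system32, BHO named by a bare CLSID, the same DLL also hooked via Winlogon Notify, stale "file missing" entry) are my own, not a rule set from any tool.

```python
import ntpath
import re

# Constructed subset of the HijackThis log posted above (full logs are pasted whole).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {763BA8E0-72C7-4213-84F2-140D1B57D17F} - C:\WINDOWS\system32\awvtr.dll (file missing)
O2 - BHO: {df14a828-8ac5-1139-b6d4-2ed9c003c6fa} - {af6c300c-9de2-4d6b-9311-5ca8828a41fd} - C:\WINDOWS\system32\xslxqhyx.dll
O2 - BHO: (no name) - {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} - C:\WINDOWS\system32\efccaxw.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O20 - Winlogon Notify: efccaxw - C:\WINDOWS\SYSTEM32\efccaxw.dll
"""

# Constructed subset of the Kaspersky Online Scanner report posted above.
KAV_SAMPLE = r"""
C:\WINDOWS\system32\cpqlrsbw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\efccaxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\xslxqhyx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
"""

# HJT line shapes: "O2 - BHO: <name> - {CLSID} - <path>" and "O20 - Winlogon Notify: <key> - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Kaspersky line shape: "<path> Infected: <verdict> <action>"; locked/skipped objects do not match
KAV_RE = re.compile(r"^(?P<path>.*) Infected: (?P<verdict>\S+) \S+$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def parse_kaspersky(text):
    """Map each path Kaspersky reported as infected to its verdict (paths lower-cased)."""
    verdicts = {}
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            verdicts[m.group("path").lower()] = m.group("verdict")
    return verdicts


def triage(hjt_text, kav_text):
    """Return [(section, path, [reasons])] for O2/O20 entries that deserve a second look."""
    verdicts = parse_kaspersky(kav_text)
    entries = []
    winlogon_hooks = set()  # basenames of DLLs loaded through Winlogon Notify (O20)
    for line in hjt_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(("O2", m.group("name"), m.group("path")))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(("O20", m.group("name"), m.group("path")))
            winlogon_hooks.add(ntpath.basename(m.group("path")).lower())

    findings = []
    for section, name, raw_path in entries:
        missing = raw_path.endswith("(file missing)")
        path = raw_path.replace("(file missing)", "").strip()
        key = path.lower()
        in_system32 = "\\system32\\" in key
        reasons = []
        if key in verdicts:
            reasons.append("AV verdict: " + verdicts[key])
        if section == "O2" and name == "(no name)" and in_system32:
            reasons.append("unnamed BHO in system32")
        if section == "O2" and CLSID_RE.match(name):
            reasons.append("BHO name is a bare CLSID")
        if section == "O2" and ntpath.basename(key) in winlogon_hooks:
            reasons.append("same DLL also registered as Winlogon Notify hook")
        if section == "O20" and in_system32 and key in verdicts:
            reasons.append("Winlogon Notify hook loads an AV-flagged DLL")
        if missing:
            reasons.append("file missing (stale registration)")
        if reasons:
            findings.append((section, path, reasons))
    return findings


if __name__ == "__main__":
    for section, path, reasons in triage(HJT_SAMPLE, KAV_SAMPLE):
        print(f"{section:>4} {path}")
        for r in reasons:
            print("     - " + r)
```

The clean Adobe BHO and the AOL toolbar produce no finding; the three Virtumonde DLLs and the stale awvtr.dll entry do.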

pskelley
2008-02-12, 15:51
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information:
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected; please keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.

Remove Smitfraudfix from your computer; we should not need that tool, and it does not update.

We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left-hand side, click on Tools.
* Then click on the Resident icon in the list.
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

Post the Vundofix.txt and a new HJT log

Thanks

Tntjacobs
2008-02-13, 04:56
Man, I am sorry. I ran ComboFix after looking at another post, and it removed some files. I ran VundoFix and it did not find anything. I will post the HijackThis, VundoFix, and ComboFix logs.

Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:47 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\1200297728\ee\AOLSoftware.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {763BA8E0-72C7-4213-84F2-140D1B57D17F} - C:\WINDOWS\system32\awvtr.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1200297728\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200296457421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200296884734
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5423 bytes

VundoFix Log:

VundoFix V6.7.8

Checking Java version...

Sun Java not detected
Scan started at 9:21:30 PM 2/12/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

ComboFix Log:

ComboFix 08-02.05.3 - TnT 2008-02-12 9:02:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.687 [GMT -6:00]
Running from: C:\Documents and Settings\TnT\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\efccaxw.dll
C:\WINDOWS\system32\cpqlrsbw.dll
C:\WINDOWS\system32\efccaxw.dll
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini2
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\lqrcgwdx.dll
C:\WINDOWS\system32\opqss.ini
C:\WINDOWS\system32\opqss.ini2
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini2
C:\WINDOWS\system32\xrhidtrd.dll
C:\WINDOWS\system32\xslxqhyx.dll
C:\WINDOWS\system32\yrhgynbg.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-11 23:43 . 2008-02-12 01:19 202 --a------ C:\WINDOWS\wininit.ini
2008-02-11 20:54 . 2008-02-11 20:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-11 20:54 . 2008-02-11 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-11 20:44 . 2008-02-11 20:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-11 20:44 . 2008-02-11 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 20:43 . 2008-02-11 20:45 <DIR> d-------- C:\Program Files\QuickTime
2008-02-11 20:43 . 2008-02-11 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-10 21:02 . 2008-02-10 21:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 20:58 . 2008-02-10 21:21 2,376 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-10 20:51 . 2008-02-10 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 19:15 . 2008-02-10 19:15 1,024 --a------ C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-02-10 16:24 . 2008-02-10 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-10 16:23 . 2008-02-10 16:23 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-10 16:23 . 2008-02-10 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-10 00:02 . 2008-02-10 00:02 0 --a------ C:\WINDOWS\SystemTester.INI
2008-02-09 23:44 . 2008-02-09 23:44 <DIR> d-------- C:\VundoFix Backups
2008-02-04 17:37 . 2008-02-10 16:12 606 --a------ C:\WINDOWS\eReg.dat
2008-02-04 17:33 . 2008-02-10 16:09 <DIR> d-------- C:\Program Files\EA Sports
2008-02-04 17:32 . 1998-07-30 12:51 305,152 --a------ C:\WINDOWS\IsUninst.exe
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-23 22:20 . 2008-01-27 11:47 <DIR> d-------- C:\Program Files\Delmar
2008-01-23 22:20 . 2008-01-23 22:20 <DIR> d-------- C:\Documents and Settings\TnT\WINDOWS
2008-01-23 22:20 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2008-01-23 19:06 . 2008-01-23 19:06 <DIR> d-------- C:\Program Files\Real
2008-01-23 19:06 . 2008-01-23 19:06 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-23 19:06 . 2008-01-23 19:06 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-20 14:26 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-19 13:49 . 2008-01-19 13:49 <DIR> d-------- C:\Program Files\Guild Wars
2008-01-19 13:13 . 2008-01-19 13:14 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-18 16:15 . 2008-01-18 16:15 <DIR> d-------- C:\Documents and Settings\TnT\Application Data\Apple Computer
2008-01-18 16:08 . 2008-01-18 16:08 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-18 16:08 . 2008-01-18 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-16 19:07 . 2008-01-16 19:07 <DIR> d-------- C:\Documents and Settings\TnT\Application Data\RecoveryFix for Windows
2008-01-16 14:05 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-16 14:05 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-16 14:05 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-16 14:05 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-15 17:20 . 2003-08-21 10:37 10,435,072 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
2008-01-15 17:20 . 2002-11-21 15:07 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-01-15 17:20 . 2002-08-27 16:23 720,896 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2008-01-15 17:20 . 2002-08-27 16:23 720,896 --a------ C:\WINDOWS\system32\Audio3D.dll
2008-01-15 17:20 . 2002-08-27 16:23 720,896 --a------ C:\WINDOWS\system32\a3d.dll
2008-01-15 17:20 . 2003-08-21 16:31 462,940 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2008-01-15 17:20 . 2003-08-14 23:16 404,736 --a------ C:\WINDOWS\system32\drivers\ALCXSENS.SYS
2008-01-15 17:20 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\ALSNDMGR.WAV
2008-01-15 17:20 . 2003-08-15 15:34 57,344 --a------ C:\WINDOWS\SOUNDMAN.EXE
2008-01-15 16:27 . 2008-01-15 16:27 <DIR> d-------- C:\Documents and Settings\TnT\Application Data\Talkback
2008-01-14 19:59 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-14 19:59 . 2007-06-30 21:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-14 19:59 . 2007-06-30 21:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-14 19:59 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-14 19:59 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-14 19:59 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-14 19:59 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-14 19:59 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-14 19:59 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-14 19:58 . 2008-01-14 19:58 759 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-14 17:49 . 2008-01-14 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-14 17:48 . 2008-01-14 17:48 <DIR> d-------- C:\WINDOWS\aolshare
2008-01-14 17:48 . 2008-01-14 20:11 <DIR> d-------- C:\Program Files\AOL 9.1
2008-01-14 02:32 . 2008-01-17 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-01-14 02:24 . 2008-01-14 02:24 <DIR> dr-h----- C:\Documents and Settings\TnT\Application Data\SecuROM
2008-01-14 02:24 . 2008-01-14 02:24 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-01-14 02:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-14 02:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-14 02:04 . 2008-01-14 02:04 <DIR> d-------- C:\Program Files\Aspyr
2008-01-14 02:03 . 2008-01-14 02:03 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-01-14 02:03 . 2008-01-14 17:51 <DIR> d-------- C:\Documents and Settings\TnT\Application Data\AOL
2008-01-14 02:03 . 2008-01-14 02:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-14 02:03 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-14 02:03 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-14 02:02 . 2008-01-14 02:03 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-14 02:02 . 2008-01-14 17:48 <DIR> d-------- C:\Program Files\Common Files\aolshare
2008-01-14 02:02 . 2008-01-14 17:50 <DIR> d-------- C:\Program Files\Common Files\aol
2008-01-14 02:02 . 2008-01-14 02:14 <DIR> d-------- C:\Program Files\AOL 9.0
2008-01-14 02:02 . 2008-01-14 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-14 02:02 . 2003-01-10 15:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 01:47 --------- d-----w C:\Program Files\Microsoft Works
2008-01-14 23:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-14 07:49 --------- d-----w C:\Documents and Settings\TnT\Application Data\Netscape
2008-01-14 07:46 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-14 07:46 --------- d-----w C:\Program Files\Common Files\L&H
2008-01-14 07:45 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-14 07:44 --------- d-----w C:\Program Files\ESTsoft
2008-01-14 07:44 --------- d-----w C:\Documents and Settings\TnT\Application Data\ESTsoft
2008-01-14 07:39 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-14 07:39 --------- d-----w C:\Program Files\Ahead
2008-01-14 07:37 --------- d-----w C:\Program Files\Netscape
2008-01-14 07:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-14 07:25 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-11 06:03 9,216 ----a-w C:\WINDOWS\system32\drivers\VIDEX32.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{763BA8E0-72C7-4213-84F2-140D1B57D17F}]
C:\WINDOWS\system32\awvtr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2007-10-27 11:44 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HostManager"="C:\Program Files\Common Files\AOL\1200297728\ee\AOLSoftware.exe" [2007-05-25 11:16 42032]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-14 17:33 249896]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 15:34 57344 C:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-23 19:06 185896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-24 20:33 5898240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

R0 VIDEX32;VIDEX32;C:\WINDOWS\system32\drivers\VIDEX32.sys [2008-01-11 00:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AUTOMENU.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96daa05a-c78c-11dc-b900-00038a000015}]
\Shell\AutoRun\command - G:\JDSecure\Windows\JDSecure20.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 02:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 02:05:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AOL 9.1\waol.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AOL 9.1\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-02-12 2:07:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 08:06:47
.
2008-01-17 07:11:43 --- E O F ---
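As an added example (not code from the thread or from ComboFix), a small Python parser for the "Reg Loading Points" section of the log above: it extracts the BHO, Run and mountpoints2 AutoRun entries and flags any load point whose target file is gone, which is how the orphaned awvtr.dll BHO shows up as "(file missing)" in HijackThis. The `exists` callback stands in for `os.path.exists` so the example runs offline; the sample text is an excerpt of the log in this post.

```python
import re
from dataclasses import dataclass

# Excerpt of the "Reg Loading Points" section from the ComboFix log above
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{763BA8E0-72C7-4213-84F2-140D1B57D17F}]
C:\WINDOWS\system32\awvtr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-14 17:33 249896]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 15:34 57344 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AUTOMENU.EXE
"""

@dataclass
class LoadPoint:
    key: str   # registry key the entry lives under
    name: str  # value name, BHO CLSID or mountpoints2 drive/volume id
    path: str  # file the entry loads
_KEY = re.compile(r"^\[(.+)\]$")
_RUN = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]')
_WINPATH = re.compile(r'[A-Za-z]:\\[^\]"]+')

def parse_loading_points(text):
    """Return one LoadPoint per BHO, Run value or mountpoints2 AutoRun command."""
    entries, key = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := _KEY.match(line):
            key = m.group(1)
        elif "Browser Helper Objects" in key:
            # ComboFix puts the CLSID in the key and the DLL path on the next line
            entries.append(LoadPoint(key, key.rsplit("\\", 1)[-1], line))
        elif m := _RUN.match(line):
            name, value, meta = m.groups()
            # a bare filename (SOUNDMAN.EXE) is resolved inside the bracketed metadata
            hit = _WINPATH.search(meta) if "\\" not in value else None
            entries.append(LoadPoint(key, name, hit.group(0) if hit else value))
        elif "mountpoints2" in key.lower() and "AutoRun\\command - " in line:
            entries.append(LoadPoint(key, key.rsplit("\\", 1)[-1], line.split(" - ", 1)[1]))
    return entries

def flag_suspicious(entries, exists):
    """Triage: AutoRun commands on mounted volumes, plus load points whose file is gone
    (the '(file missing)' case HijackThis reports for the orphaned Vundo BHO)."""
    out = []
    for e in entries:
        if "mountpoints2" in e.key.lower():
            out.append(f"AUTORUN {e.name}: {e.path}")
        elif not exists(e.path):  # on a live machine pass os.path.exists here
            out.append(f"MISSING {e.name}: {e.path}")
    return out
```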

pskelley
2008-02-13, 14:31
Thanks for returning your information, you may want to review this information, especially the disclaimer from sUBs in the introduction.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {763BA8E0-72C7-4213-84F2-140D1B57D17F} - C:\WINDOWS\system32\awvtr.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and let me know how the computer is running.

Thanks

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
How to install and use the Windows XP Recovery Console
Review that information to understand Recovery Console. Installation is optional but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix. If you do not wish to install RC, let me know so I can proceed with the cleanup.

Tntjacobs
2008-02-13, 19:09
Ok, ran hijack and removed the two entries and ran atfcleaner. Downloaded the files to install the recovery console but did not yet. (Did not know if I should wait to run combofix again or not). Let me know what I should do.

Thanks

Tyson

pskelley
2008-02-13, 19:13
How to install and use the Windows XP Recovery Console
Just follow those directions to install it, post the .txt file that is created.

Thanks

Tntjacobs
2008-02-13, 19:35
Installed recovery console, so far everything seems to be running well. Haven't had any popups or notifications from Avira since combofix was run the first time.

Log from combofix for installing recovery console
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley
2008-02-13, 23:04
Thanks for returning your information, the Recovery Console installed ok.

Remove from your computer combofix, C:\qoobox\quarantine\ folder, vundofix and the C:\Vundofix Backups\ folder

D:\Norton Removal Tools\SmitfraudFix.zip <<< delete that file
D:\Norton Removal Tools\SmitfraudFix\SmitfraudFix\ <<< delete that folder and contents

C:\Documents and Settings\TnT\Local Settings\Application Data\Netscape\Navigator\Profiles\kd9qohol.default\Cache\ <<< delete the contents of that folder
C:\Documents and Settings\TnT\Local Settings\Temporary Internet Files\ <<< delete the contents of that folder

Empty the Recycle Bin on your Desktop and restart the computer.

Follow these instructions to clean the infected System Restore file:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run a new Kaspersky scan, I do not need to see a clean scan.

Thanks

Tntjacobs
2008-02-14, 05:08
Could not find Temporary Internet Files folder but Kaspersky scan was clean.

Is that strange that this file is not there? I do not use IE though. Did delete contents of C:\documents and settings\tnt\local settings\temp.

I think it is ok. Thank you for all your help I appreciate your patience.

Tyson

pskelley
2008-02-14, 12:25
Thanks for the feedback, that TIF folder might be hidden by Microsoft:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

If any infected files were in the TIF folder, Kaspersky would have shown them, safe surfing.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.