After years of relatively hassle-free windows xp use, I recently found myself infected with Smitfraud, Virtumonde/Vundo, and PurityScan. I've followed advice given in multiple other threads, but I'm not totally sure I've eradicated all traces... any assistance is much appreciated. Thanks in advance!

-----------------------------------

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:34:09, on 03/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Homer\Homer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\metapad\metapad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1189557290312
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189461598453
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: CMADRVBLEGO - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CMADRVBLEGO.exe (file missing)
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe

--
End of file - 4334 bytes

and the Kaspersky online log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 03, 2008 6:33:29 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 593848
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 41316
Number of viruses found: 4
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 00:54:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\CeX\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\History\History.IE5\MSHist012008030320080304\index.dat Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\Temp\~DF402E.tmp Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\Temp\~DF4039.tmp Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\CeX\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CeX\ntuser.dat Object is locked skipped
C:\Documents and Settings\CeX\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\apps.installed\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Downloads\apps.installed\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Downloads\apps.installed\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Downloads\apps.installed\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Downloads\apps.installed\mirc631.exe NSIS: infected - 4 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\YSTEM~1\wowexec.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\CURITY~1\s?chost.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP124\A0010693.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP124\A0010706.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP124\A0010706.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP124\A0010706.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP128\change.log Object is locked skipped
C:\Temp\SECURITY APPS MAR08\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Temp\SECURITY APPS MAR08\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Temp\SECURITY APPS MAR08\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Temp\SECURITY APPS MAR08\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F91378B8-592C-4577-B6A9-38F791C9CD5C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_244.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_560.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Sorry for the wait, there is no shortage of folks needing help. I need to do a little reseach first.

1) C:\Homer\Homer.exe <<< assure me this is safe and this item:
http://www.funkytoad.com/content/view/14/32/

2) Tell me what this is and assure me it is safe?
O23 - Service: CMADRVBLEGO - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CMADRVBLEGO.exe

If you do not know use one or more of these free online scans and share the information with me:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

3) KASPERSKY ONLINE SCANNER REPORT Monday, March 03, 2008 6:33:29 AM

(Kaspersky indicates these file may be infected, scan the ones in red also. Delete them if they are bad)
C:\Downloads\apps.installed\mirc631.exe/stream/data0001/stream/data0014 ------> Client-IRC.Win32.mIRC.631 skipped
C:\Program Files\mIRC\mirc.exe ------> Client-IRC.Win32.mIRC.631 skipped

C:\QooBox\Quarantine\ <<< delete the Qoobox from combofix

C:\Temp\SECURITY APPS MAR08\SmitfraudFix\ <<< delete Smitfraudfix and the contents of the folder

Empty the Recycle Bin on the Desktop

Restart the computer

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run a new Kaspersky Online Scan, no need to post a clean scan, just let me know about the items I asked about.

Thanks

Sorry for the wait, there is no shortage of folks needing help.

No worries, I understand how busy it is here!

Following your points:

1) Yes that's the same Homer Application

2) Not totally sure what CMADRVBLEGO.EXE is/was, I think it was related to a sysinternals application (Autoruns maybe). However the folder C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CMADRVBLEGO.exe is empty, and I have 'show hidden files' enabled. Winpatrol shows it in services as 'disabled' and HJT doesn't show it at all now?

3) Mirc now uninstalled and deleted, along with all other listed files, as per your directions. System restore un/re-enabled as directed. Kaspersky now shows no infections.

Anything else I need to do? Thanks for this btw :)

Glad I could help, it rare to find one without a load of work. It looks like, from combofix and Smitfraudfix, that you recently faught infections. If all you were concered with were the items showing in Kaspersky, you are good to go...take this information with you.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Cheers...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.