
Author Topic: Computer Infected with Vista Antivirus Malware  (Read 14023 times)


mccudden2

    Topic Starter


    Rookie

    Computer Infected with Vista Antivirus Malware
    « on: July 30, 2008, 02:49:54 PM »
    My boyfriend went online and, despite having McAfee virus online support running, downloaded a malware. The malware sends constant popups stating my computer is infected and then starts a page, Vista Antivirus; my browser is unable to access the internet without 10 or more tries, and my home page is hijacked when I do get on. I have XP and need instructions to remove this problem. I am so frustrated I could cry; I am on my work computer to try to fix this problem... any help would be greatly appreciated.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Computer Infected with Vista Antivirus Malware
    « Reply #1 on: July 30, 2008, 03:58:53 PM »
    Moved to Computer virus and spyware forum.

    Welcome to Computer Hope.

    Start here http://www.computerhope.com/forum/index.php/topic,46313.0.html

    Post the logs here when complete.

    merlin



      Beginner

      Re: Computer Infected with Vista Antivirus Malware
      « Reply #2 on: July 30, 2008, 04:06:05 PM »
      Lost...in the what has been posted?

      evilfantasy
      Re: Computer Infected with Vista Antivirus Malware
      « Reply #3 on: July 30, 2008, 04:09:00 PM »
      Read everything in this post - >>>CLICK HERE<<< - Everything is explained. When you are done post the 3 logs.

      mccudden2

        Re: Computer Infected with Vista Antivirus Malware
        « Reply #4 on: July 30, 2008, 05:57:32 PM »
        OK guys, I am performing step by step as directed, one small problem......
        Don't kill me, but ...before I read the reply I searched and found a similar help request and followed the combofix instructions, did not turn off my antivirus software and ended it myself after 40 minutes...
        I will post the sas log as it is still going after 1 hour and then I promise to do exactly what the instructions say.  Just wanted to let you know what I did in case it changes anything I am currently doing.  My time is changed and I will not even touch that until you tell me (yell me) what to do next.
        Sorry for acting too quickly......Cathy

        evilfantasy
        Re: Computer Infected with Vista Antivirus Malware
        « Reply #5 on: July 30, 2008, 06:03:58 PM »
        Following advice in other threads can be disastrous to your PC. Symptoms can be similar, but that's usually all. The clock settings are because ComboFix didn't finish its cycle of scans. We will fix that before we finish.

        Go to Start > Run and then type c:\combofix.txt and click OK.

        If a log comes up please post it here.

        Thanks.

        mccudden2

          Re: Computer Infected with Vista Antivirus Malware
          « Reply #6 on: July 30, 2008, 06:35:54 PM »
          Here is the sas log:

          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 07/30/2008 at 08:15 PM

          Application Version : 4.15.1000

          Core Rules Database Version : 3521
          Trace Rules Database Version: 1511

          Scan type       : Complete Scan
          Total Scan Time : 01:24:06

          Memory items scanned      : 440
          Memory threats detected   : 0
          Registry items scanned    : 5889
          Registry threats detected : 16
          File items scanned        : 69922
          File threats detected     : 16

          Parasite.WareOut
             HKLM\Software\Classes\CLSID\{0DE3C538-3F1E-7C25-A970-AB14E4A4D9C0}
             HKCR\CLSID\{0DE3C538-3F1E-7C25-A970-AB14E4A4D9C0}
             HKCR\CLSID\{0DE3C538-3F1E-7C25-A970-AB14E4A4D9C0}\InprocServer32
             SBIN.DLL

          Trojan.VirusAlert/Fake
             HKLM\Software\Classes\CLSID\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}
             HKCR\CLSID\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}
             HKCR\CLSID\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}\InprocServer32
             HKCR\CLSID\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}\InprocServer32#ThreadingModel
             C:\WINDOWS\DOWNLOADED PROGRAM FILES\SETUP.DLL
             HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}

          Unclassified.Unknown Origin
             HKCR\CLSID\{7545D8C8-F53C-4E2F-8FA0-D248EF4A6E61}

          Rogue.AntiSpywareExpert
             HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32
             HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32#DLLName
             HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32#StartShell
             HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32#Impersonate
             HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32#Asynchronous

          Trojan.LanMan/Rootkit
             HKLM\Software\Microsoft\Windows\CurrentVersion\Run#lanmanwrk.exe clean [ C:\WINDOWS\System32\lanmanwrk.exe clean ]

          Trojan.KernelDrv
             HKLM\Software\Microsoft\Windows\CurrentVersion\Run#KernelDrv.exe clean [ C:\WINDOWS\System32\KernelDrv.exe clean ]

          Trojan.Dropper/Gen-Zero
             C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\PCHEALTHCENTER\0.EXE.VIR
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{A85EC1FF-58D4-4723-A09B-E5784A945816}\RP1021\A0174337.EXE

          Trojan.Unknown Origin
             C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\PCHEALTHCENTER\SEX1.ICO.VIR
             C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\PCHEALTHCENTER\SEX2.ICO.VIR
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{A85EC1FF-58D4-4723-A09B-E5784A945816}\RP1021\A0174339.ICO
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{A85EC1FF-58D4-4723-A09B-E5784A945816}\RP1021\A0174340.ICO

          Rogue.Vista AntiVirus 2008
             C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\VAV\VAV.EXE.VIR
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{A85EC1FF-58D4-4723-A09B-E5784A945816}\RP1021\A0174336.EXE

          Rootkit.RunTime3/WinCtrl32
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{A85EC1FF-58D4-4723-A09B-E5784A945816}\RP1020\A0173980.SYS
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{A85EC1FF-58D4-4723-A09B-E5784A945816}\RP1020\A0173997.SYS
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{A85EC1FF-58D4-4723-A09B-E5784A945816}\RP1020\A0174299.SYS
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{A85EC1FF-58D4-4723-A09B-E5784A945816}\RP1020\A0174319.SYS

          Malware.DriveCleaner
             C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.4\UDC6_0001_D19M1908NETINSTALLER.EXE
             C:\WINDOWS\DOWNLOADED PROGRAM FILES\UDC6_0001_D19M1908NETINSTALLER.EXE

          evilfantasy
          Re: Computer Infected with Vista Antivirus Malware
          « Reply #7 on: July 30, 2008, 06:39:24 PM »
          Still need the ComboFix log when you get a chance.

          Go to Start > Run and then type c:\combofix.txt and click OK.

          mccudden2

            Re: Computer Infected with Vista Antivirus Malware
            « Reply #8 on: July 30, 2008, 06:42:13 PM »
            Unable to find combofix.txt in start run

            evilfantasy
            Re: Computer Infected with Vista Antivirus Malware
            « Reply #9 on: July 30, 2008, 06:49:17 PM »
            OK, double click My Computer on the Desktop and then open C:\

            Look for anything in there that says ComboFix or QOOBOX; if they are text files, open them and post the contents here please.

            mccudden2

              Re: Computer Infected with Vista Antivirus Malware
              « Reply #10 on: July 30, 2008, 07:02:18 PM »
              Here is the MWB report and I am looking for combofix as you instructed

              Malwarebytes' Anti-Malware 1.23
              Database version: 1011
              Windows 5.1.2600 Service Pack 2

              20:59:13 2008-07-30
              mbam-log-7-30-2008 (20-59-13).txt

              Scan type: Quick Scan
              Objects scanned: 43161
              Time elapsed: 6 minute(s), 51 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 4
              Registry Values Infected: 0
              Registry Data Items Infected: 0
              Folders Infected: 0
              Files Infected: 6

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{777dc719-62ea-40d4-a41a-2f216efe6754} (Trojan.Vundo) -> Quarantined and deleted successfully.
              HKEY_CLASSES_ROOT\CLSID\{777dc719-62ea-40d4-a41a-2f216efe6754} (Trojan.Vundo) -> Quarantined and deleted successfully.
              HKEY_CURRENT_USER\SOFTWARE\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              (No malicious items detected)

              Folders Infected:
              (No malicious items detected)

              Files Infected:
              C:\WINDOWS\system32\tysqez.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
              C:\WINDOWS\system32\KernelDrv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
              C:\WINDOWS\system32\Dll.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
              C:\WINDOWS\system32\ksvcl.dll (Stolen.Data) -> Quarantined and deleted successfully.
              C:\WINDOWS\system32\kcopt.dll (Stolen.Data) -> Quarantined and deleted successfully.
              C:\WINDOWS\system32\lanmandrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

              mccudden2

                Re: Computer Infected with Vista Antivirus Malware
                « Reply #11 on: July 30, 2008, 07:08:35 PM »
                Found this under QooBox,

                file zipped: C:\WINDOWS\system32\drivers\Windi04.sys -> catchme.zip -> Windi04.sys ( 31616 bytes )
                file "C:\WINDOWS\system32\drivers\Windi04.sys" replaced successfully


                evilfantasy
                Re: Computer Infected with Vista Antivirus Malware
                « Reply #12 on: July 30, 2008, 07:12:53 PM »
                OK go ahead and run the HijackThis instructions and post that log.

                We will fix the clock and get rid of ComboFix in a little bit.

                mccudden2

                  Re: Computer Infected with Vista Antivirus Malware
                  « Reply #13 on: July 30, 2008, 07:56:02 PM »
                  HijackThis:
                  Scan saved at 21:53, on 2008-07-30
                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\windows\system\hpsysdrv.exe
                  C:\HP\KBD\KBD.EXE
                  C:\WINDOWS\system32\igfxtray.exe
                  C:\WINDOWS\system32\hkcmd.exe
                  C:\WINDOWS\AGRSMMSG.exe
                  C:\Program Files\Common Files\AOL\1102902052\ee\AOLSoftware.exe
                  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
                  C:\Program Files\iTunes\iTunesHelper.exe
                  C:\Program Files\SiteAdvisor\6009\SiteAdv.exe
                  C:\Program Files\McAfee.com\Agent\mcagent.exe
                  C:\Program Files\Microsoft IntelliType Pro\itype.exe
                  C:\Program Files\Microsoft IntelliPoint\ipoint.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
                  C:\Program Files\Common Files\AOL\Loader\aolload.exe
                  c:\program files\common files\aol\1102902052\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
                  C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
                  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
                  C:\Program Files\Bonjour\mDNSResponder.exe
                  C:\Program Files\Common Files\AOL\1102902052\EE\aolsoftware.exe
                  C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
                  c:\program files\common files\mcafee\mna\mcnasvc.exe
                  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
                  C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
                  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                  C:\Program Files\McAfee\MPF\MPFSrv.exe
                  C:\WINDOWS\system32\sdpasvc.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                  C:\Program Files\Viewpoint\Common\ViewpointService.exe
                  C:\WINDOWS\wanmpsvc.exe
                  C:\Program Files\iPod\bin\iPodService.exe
                  C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
                  C:\WINDOWS\system32\wuauclt.exe
                  C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
                  C:\Program Files\internet explorer\iexplore.exe
                  C:\Program Files\Trend Micro\Sniper.exe\HijackThis.exe

                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
                  R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
                  O1 - Hosts: localhost 127.0.0.1
                  O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
                  O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
                  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                  O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
                  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
                  O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
                  O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                  O2 - BHO: (no name) - {C7BA181A-E13D-4E4F-9EDB-24EBE0B34FFD} - C:\WINDOWS\system32\rqRLffca.dll (file missing)
                  O2 - BHO: (no name) - {FBF85A20-FF88-4C46-90FB-B023E5C4ECA0} - C:\WINDOWS\system32\mlJBSJDS.dll (file missing)
                  O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
                  O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
                  O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
                  O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
                  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
                  O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
                  O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
                  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
                  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
                  O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
                  O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
                  O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102902052\ee\AOLSoftware.exe
                  O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
                  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                  O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6009\SiteAdv.exe
                  O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
                  O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
                  O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
                  O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
                  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                  O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
                  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                  O4 - Global Startup: AutorunsDisabled
                  O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
                  O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                  O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
                  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
                  O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                  O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
                  O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
                  O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
                  O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
                  O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
                  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
                  O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
                  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O15 - Trusted Zone: http://*.mcafee.com
                  O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
                  O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
                  O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                  O20 - Winlogon Notify: mlJBSJDS - mlJBSJDS.dll (file missing)
                  O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
                  O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
                  O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                  O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
                  O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
                  O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
                  O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
                  O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
                  O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
                  O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
                  O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
                  O23 - Service: SDPAUMS server service (SDPASVC) -  Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
                  O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                  O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
                  O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

                  --
                  End of file - 11266 bytes
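                  As an added illustration (not code from the thread, from HijackThis or from any of the tools used here), the script below automates the first pass a helper makes over a log like the one above: it picks out the kinds of entries that get ticked for "Fix checked", that is, BHO/toolbar/Winlogon Notify entries whose file is gone, a Hosts line that is not the standard one, and autoruns that match names the earlier SUPERAntiSpyware and Malwarebytes logs attributed to the rogue. The sample lines and watchlist names are copied from the logs posted in this thread; the function and field names are my own.

```python
"""Triage a HijackThis log the way a removal helper reads it.

Added example for this thread (not part of HijackThis or any forum tool):
scan the 'O' lines for the patterns a helper asks to have fixed and report
them, so the human only has to review the hits.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, mixed with benign neighbours, so the script runs offline.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C7BA181A-E13D-4E4F-9EDB-24EBE0B34FFD} - C:\WINDOWS\system32\rqRLffca.dll (file missing)
O2 - BHO: (no name) - {FBF85A20-FF88-4C46-90FB-B023E5C4ECA0} - C:\WINDOWS\system32\mlJBSJDS.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJBSJDS - mlJBSJDS.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Names the earlier SUPERAntiSpyware and Malwarebytes logs in this thread
# attributed to the rogue; an autorun pointing at any of them is suspect.
ROGUE_WATCHLIST: Sequence[str] = ("\\VAV\\", "KernelDrv.exe", "lanmanwrk.exe")

# Markers HijackThis appends when the registered DLL/EXE is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# The only Hosts mapping a clean Windows XP install carries.
NORMAL_HOSTS = {"127.0.0.1 localhost"}

# Every HijackThis item line looks like "<section> - <body>", e.g. "O20 - ..."
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O2"
    reason: str    # why a helper would tick the box
    line: str      # the original log line


def triage(log_text: str, watchlist: Sequence[str] = ROGUE_WATCHLIST) -> List[Finding]:
    """Return the log lines a helper should look at, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, the running-process list, the '--' footer
        sec, body = m.group("sec"), m.group("body")
        lower = body.lower()
        if sec == "O1":
            # "Hosts: <entry>" -> normalise whitespace, compare with the default
            mapping = " ".join(body.split(":", 1)[1].split())
            if mapping not in NORMAL_HOSTS:
                findings.append(Finding(sec, "Hosts entry is not the standard 127.0.0.1 localhost", line))
        elif any(mk in lower for mk in ORPHAN_MARKERS):
            # BHO / toolbar / Winlogon Notify still registered, binary already removed
            findings.append(Finding(sec, "registry entry points at a file that no longer exists", line))
        elif sec == "O4" and any(name.lower() in lower for name in watchlist):
            findings.append(Finding(sec, "autorun matches a name earlier scanners flagged", line))
    return findings


def sections_hit(findings: List[Finding]) -> List[str]:
    """Sections with at least one finding, in first-seen order."""
    seen: List[str] = []
    for f in findings:
        if f.section not in seen:
            seen.append(f.section)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Benign entries such as the Java BHO, the Intel tray autorun and the SUPERAntiSpyware Winlogon hook pass through untouched; the six hits are exactly the ones a helper would put on the fix list.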

                  evilfantasy
                  Re: Computer Infected with Vista Antivirus Malware
                  « Reply #14 on: July 30, 2008, 08:16:20 PM »
                  That got most of it but there are still some nasty entries to take care of.

                  Open HijackThis and select Do a system scan only.

                  Place a check mark next to the following entries: (if there)

                  • O1 - Hosts: localhost 127.0.0.1
                  • O2 - BHO: (no name) - {C7BA181A-E13D-4E4F-9EDB-24EBE0B34FFD} - C:\WINDOWS\system32\rqRLffca.dll (file missing)
                  • O2 - BHO: (no name) - {FBF85A20-FF88-4C46-90FB-B023E5C4ECA0} - C:\WINDOWS\system32\mlJBSJDS.dll (file missing)
                  • O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
                  • O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
                  • O20 - Winlogon Notify: mlJBSJDS - mlJBSJDS.dll (file missing)
                  • O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                  • O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
                  Important: Close all windows except for HijackThis and then click Fix checked.

                  Exit HijackThis.

                  ----------

                  Go to Start > Run and type Notepad.exe then click OK.

                  Copy and paste the following text within the code box into the new Notepad file.

                  Code:
                  @ECHO OFF
                  REM Service names come from the O23 lines above; they contain spaces,
                  REM so sc needs them quoted. Stop each service, then remove its entry.
                  sc stop "Symantec Core LC"
                  sc delete "Symantec Core LC"
                  sc stop "Viewpoint Manager Service"
                  sc delete "Viewpoint Manager Service"
                  exit

                  In Notepad select File and Save as
                  Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.

                  Next double click fixservice.bat to run it.
                  A black box should open and close after a short time, this is normal.
                  Do not continue until the black box has closed
                  Delete fixservice.bat from the Desktop.

                  ----------

                  Now download The Avenger by Swandog46 and save it to your Desktop.
                  • Extract avenger.exe from the Zip file and save it to your Desktop
                  • Run avenger.exe by double-clicking on it.
                  • Do not change any check box options!!
                  • Copy everything in the Code box below, and paste it into the Input script here window:
                  Code:
                  Comment:

                  Files to delete:
                  C:\Program Files\VAV\vav.exe

                  Folders to delete:
                  C:\Program Files\VAV


                  Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.


                  • Now click the Execute button.
                  • Click Yes to the prompt to confirm you want to execute.
                  • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
                  • Your PC should reboot, if not, reboot it yourself.
                  • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
                  • Add the Avenger log in your next post.
                  ----------

                  After posting the Avenger log:

                  • Click START then RUN
                  • Now type Combofix /u in the runbox
                  • Make sure there's a space between Combofix and /u
                  • Then hit Enter.

                  This should reset the clock settings. Let me know if it didn't.

                  ----------

                  Download Deckard's System Scanner (DSS) to your Desktop.
                  Note: You must be logged onto an account with administrator privileges.
                  Vista users Right click DSS and Run as Administrator.


                  • Close all applications and windows.
                  • Double-click on dss.exe to run it, and follow the prompts.
                  • When the scan is complete, two text files will open.
                    • main.txt <- this one will be maximized
                    • extra.txt <- this one will be minimized
                  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
                  ----------

                  Next post add both DSS logs and let me know how things are now.

                  It might take two posts to get both of the DSS logs in.