Author Topic: Please Help: Can't Shake The Vundo!!  (Read 12641 times)

LouMan777

  • Guest
Re: Please Help: Can't Shake The Vundo!!
« Reply #15 on: January 16, 2008, 10:07:27 PM »
ComboFix 08-01-17.3 - Louie 2008-01-17  0:02:42.2 - NTFSx86
Running from: C:\Documents and Settings\Louie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Louie\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2007-12-17 to 2008-01-17  )))))))))))))))))))))))))))))))
.

2008-01-16 19:15 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-16 15:21 . 2008-01-16 15:21   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-01-16 15:19 . 2004-07-13 18:36   <DIR>   d--------   C:\Documents and Settings\help\Application Data\Symantec
2008-01-16 15:19 . 2004-07-13 18:40   <DIR>   d--------   C:\Documents and Settings\help\Application Data\Sonic
2008-01-14 22:18 . 2008-01-14 22:18   <DIR>   d--------   C:\Program Files\Trend Micro
2008-01-14 21:55 . 2007-09-24 23:31   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-01-14 21:53 . 2008-01-14 21:53   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-01-14 19:26 . 2008-01-14 21:30   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
2008-01-14 15:58 . 2008-01-14 15:58   <DIR>   d--------   C:\Documents and Settings\Louie\DoctorWeb
2008-01-14 06:30 . 2008-01-17 00:02   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-14 06:30 . 2008-01-14 06:30   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 06:30 . 2008-01-14 06:30   <DIR>   d--------   C:\Documents and Settings\Louie\Application Data\SUPERAntiSpyware.com
2008-01-14 06:30 . 2008-01-14 06:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 06:20 . 2008-01-14 06:20   <DIR>   d--------   C:\Program Files\CCleaner
2008-01-14 03:21 . 2008-01-14 04:51   <DIR>   d--------   C:\WINDOWS\BDOSCAN8
2008-01-13 12:44 . 2008-01-13 12:44   5,360   --a------   C:\WINDOWS\system32\tmp.reg
2008-01-13 12:43 . 2007-09-05 23:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-01-13 12:43 . 2006-04-27 16:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-01-13 12:43 . 2007-12-20 23:11   81,920   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-01-13 12:43 . 2003-06-05 20:13   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-01-13 12:43 . 2004-07-31 17:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-01-13 12:43 . 2007-10-03 23:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-01-13 06:52 . 2008-01-13 06:52   <DIR>   d--------   C:\VundoFix Backups
2008-01-13 03:12 . 2008-01-13 03:12   <DIR>   d--------   C:\Program Files\Common Files\Cisco Systems
2008-01-13 03:12 . 2006-11-17 03:06   1,495,552   --a------   C:\WINDOWS\system32\epoPGPsdk.dll
2008-01-13 03:11 . 2006-11-30 08:50   168,776   --a------   C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-13 03:11 . 2006-11-30 08:50   72,264   --a------   C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-13 03:11 . 2006-11-30 08:50   64,360   --a------   C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-01-13 03:11 . 2006-11-30 08:50   52,136   --a------   C:\WINDOWS\system32\drivers\mfetdik.sys
2008-01-13 03:11 . 2006-11-30 08:50   34,152   --a------   C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-13 02:26 . 2008-01-13 07:43   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 16:02 . 2003-07-21 08:12   102,400   --a------   C:\WINDOWS\system32\drivers\ianswxp.sys
2008-01-12 16:00 . 2008-01-12 16:00   <DIR>   d--------   C:\Program Files\Analog Devices
2008-01-12 16:00 . 2001-09-11 18:20   1,285,632   --a------   C:\WINDOWS\system32\SMMedia.dll
2008-01-12 16:00 . 2003-01-08 12:23   49,152   --a------   C:\WINDOWS\system32\DSndUp.exe
2008-01-12 16:00 . 2002-04-17 16:05   45,056   --a------   C:\WINDOWS\system32\CleanUp.exe
2008-01-12 16:00 . 2001-09-11 16:20   30,208   --a------   C:\WINDOWS\system32\wdmioctl.dll
2008-01-12 15:57 . 2008-01-12 15:57   <DIR>   d--------   C:\Program Files\CONEXANT
2008-01-12 15:57 . 2004-01-21 13:57   1,041,152   --a------   C:\WINDOWS\system32\drivers\HSF_DP.sys
2008-01-12 15:57 . 2004-01-21 13:59   675,840   --a------   C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2008-01-12 15:57 . 2004-01-21 14:02   197,888   --a------   C:\WINDOWS\system32\drivers\HSFHWICH.sys
2008-01-12 15:57 . 2004-01-21 13:20   125,638   --a------   C:\WINDOWS\system32\drivers\IBM0559.cty
2008-01-12 15:57 . 2003-04-09 16:01   90,112   --a------   C:\WINDOWS\system32\mdmxsdk.dll
2008-01-12 15:57 . 2003-04-09 15:48   11,043   --a------   C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-01-12 15:43 . 2008-01-12 15:43   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2008-01-12 07:33 . 2008-01-13 12:55   118,784   --a------   C:\WINDOWS\MXOALDR.EXE
2008-01-12 07:11 . 2008-01-14 16:32   <DIR>   d--------   C:\Program Files\Dot1XCfg
2007-12-29 02:38 . 2007-12-29 02:38   <DIR>   d--------   C:\Documents and Settings\Louie\.onion
2007-12-27 20:36 . 2007-12-27 23:29   <DIR>   d--------   C:\Program Files\NinjaSurfing
2007-12-27 20:36 . 2007-12-27 23:29   125   --a------   C:\ioSpecial.ini
2007-12-27 15:22 . 2007-12-27 15:22   <DIR>   d--------   C:\Program Files\avijoin

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 05:02   ---------   d-----w   C:\Program Files\Winamp
2008-01-17 05:02   ---------   d-----w   C:\Program Files\AIM95
2008-01-17 00:26   ---------   d-----w   C:\Program Files\Swarmcast
2008-01-17 00:25   ---------   d-----w   C:\Program Files\QuickTime
2008-01-17 00:25   ---------   d-----w   C:\Program Files\iTunes
2008-01-15 02:55   ---------   d-----w   C:\Program Files\Java
2008-01-14 08:07   ---------   d-----w   C:\Program Files\mIRC
2008-01-14 08:07   ---------   d-----w   C:\Documents and Settings\Louie\Application Data\mIRC
2008-01-13 17:37   ---------   d-----w   C:\Documents and Settings\Louie\Application Data\U3
2008-01-13 08:12   ---------   d-----w   C:\Program Files\McAfee
2008-01-13 05:37   ---------   d-----w   C:\Documents and Settings\Louie\Application Data\uTorrent
2008-01-12 21:01   ---------   d-----w   C:\Program Files\Intel
2008-01-12 21:00   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-01-12 20:58   ---------   d-----w   C:\Program Files\NetWaiting
2008-01-12 20:58   ---------   d-----w   C:\Program Files\Digital Line Detect
2007-12-29 11:22   ---------   d-----w   C:\Documents and Settings\Louie\Application Data\Vso
2007-12-09 18:55   14,336   ----a-w   C:\WINDOWS\system32\svchost.exe
2007-12-07 18:20   ---------   d-----w   C:\Documents and Settings\Louie\Application Data\Skype
2007-11-27 01:59   ---------   d-----w   C:\Documents and Settings\Louie\Application Data\Winamp
2007-11-19 05:33   ---------   d-----w   C:\Documents and Settings\Delete\Application Data\AdobeUM
2007-11-14 07:26   450,560   ------w   C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26   721,920   ----a-w   C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26   721,920   ------w   C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20   360,064   ------w   C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:16   3,058,688   ------w   C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43   1,287,680   ------w   C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40   227,328   ----a-w   C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40   227,328   ----a-w   C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36   8,454,656   ------w   C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 15:26   53,248   ----a-w   C:\WINDOWS\bdoscandel.exe
2007-05-23 04:29   47,360   ----a-w   C:\Documents and Settings\Louie\Application Data\pcouffin.sys
2004-07-13 23:41   59,751   ----a-w   C:\Program Files\setuplog.txt
2004-07-13 23:41   54,342   ----a-w   C:\Program Files\uninstal.log
.



LouMan777

Re: Please Help: Can't Shake The Vundo!!
« Reply #16 on: January 16, 2008, 10:08:02 PM »
(((((((((((((((((((((((((((((   snapshot@2008-01-16_19.29.03.07   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 00:16:15   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 05:02:36   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-17 00:16:16   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 05:02:37   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 00:16:16   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-17 05:02:37   233,472   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-17 00:16:16   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 05:02:37   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 00:16:16   14,958,592   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 05:02:38   14,958,592   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-17 00:16:17   167,936   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 05:02:39   167,936   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 20:21:40   122,940   ----a-w   C:\WINDOWS\system32\dla\DLACTRLW.EXE
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-14 03:16 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 01:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-14 03:15 512000]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 02:56 380416 C:\WINDOWS\system32\irprops.cpl]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2008-01-14 03:15 897024]
"TpShocks"="TpShocks.exe" [2003-12-17 13:12 102400 C:\WINDOWS\system32\TpShocks.exe]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2008-01-14 03:15 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 03:36 394752]
"TP4EX"="tp4ex.exe" [2002-09-04 03:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-14 03:15 335872]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2008-01-14 03:15 36864]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-14 03:15 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-14 00:50 180272]
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [2008-01-13 12:55 118784]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 03:36 106496]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe" [2008-01-14 01:05 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask                            .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-16 19:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 19:11 256576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2005-03-24 19:12:40]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-13 18:31:38]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-07-13 18:41:37]
Post-it® Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-06-02 13:04:58]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlij]
pmnnlij.dll

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-12-17 15:50]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2004-03-12 02:10]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2004-03-12 02:10]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-12-25 03:36]
R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 14:05]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-12-15 19:29]
S3 gAGP440p;gAGP440p;C:\DOCUME~1\Louie\LOCALS~1\Temp\gAGP440p.sys []
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2004-03-12 02:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e27fcc9-7f1b-11db-891a-000e353678ce}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16bf73a0-1ec2-11dc-89af-000e353678ce}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9530d7f4-0ff8-11dc-89a4-000e353678ce}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2ccfd30-c1f0-11dc-9dc3-000d607598a8}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 14:00:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-12-03 00:32:26 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 00:04:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17  0:05:32
ComboFix-quarantined-files.txt  2008-01-17 05:05:16
ComboFix2.txt  2008-01-17 00:29:20
.
2008-01-14 11:16:37   --- E O F --- 

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Please Help: Can't Shake The Vundo!!
« Reply #17 on: January 16, 2008, 10:34:03 PM »
Go here >> http://www.malwarebytes.org/regassassin.php <<

Download RegASSASSIN to the desktop and open the program.

Copy this line:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlij

Paste it in the Text box and click Delete.

----------

Please download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe and then click Start.
  • An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now Click OK to start.
    • This is a short scan that will scan the files currently running in memory.
    • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button.
  • Then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  • Copy and paste that log in the next reply
----------

Next post
Dr. Web CureIt log
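
The step above targets one registry key by hand. As an added example (not part of the thread, and not one of the tools the moderator names), the Python script below runs the same kind of review over the ComboFix "Reg Loading Points" section from Reply #16 mechanically: it flags a Winlogon Notify package listed as a bare DLL name with no path or file metadata (the pmnnlij entry), a Run value whose filename is padded with spaces before the extension (the qttask entry), and a driver whose image sits under a Temp directory (gAGP440p.sys). The embedded sample log is a constructed excerpt of lines copied from that post; the regular expressions and the three heuristics are this example's own assumptions, not ComboFix's logic.

```python
import re

# Constructed sample: lines copied from the "Reg Loading Points" and driver
# sections of the ComboFix log posted above. The QuickTime value keeps the
# space-padded filename exactly as the log shows it.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-14 03:15 512000]
"QuickTime Task"="C:\Program Files\QuickTime\qttask                            .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-16 19:11 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlij]
pmnnlij.dll

R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-12-15 19:29]
S3 gAGP440p;gAGP440p;C:\DOCUME~1\Louie\LOCALS~1\Temp\gAGP440p.sys []
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
SERVICE_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')

# Two or more spaces right before the extension: a name padded so that it
# passes for a known program in a GUI listing or a quick read of a log.
PADDED_NAME_RE = re.compile(r'\s{2,}\.(exe|dll|sys|cpl)$', re.IGNORECASE)
# A kernel driver has no business being loaded from a user's Temp folder.
TEMP_PATH_RE = re.compile(r'\\Temp\\', re.IGNORECASE)


def triage_loading_points(log_text):
    """Return (kind, name, reason) tuples for autostart entries worth a look."""
    findings = []
    pending_notify = None   # Winlogon Notify subkey whose DLL line comes next
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group('key')
            pending_notify = key.rsplit('\\', 1)[1] if 'winlogon\\notify\\' in key.lower() else None
            continue
        if pending_notify is not None:
            # In the log above, a package ComboFix could locate carries a full
            # path, date and size (SASWINLO). A bare filename with nothing after
            # it is resolved through the DLL search path, which is exactly what
            # the pmnnlij entry looks like.
            if '\\' not in line:
                findings.append(('winlogon_notify', pending_notify,
                                 'bare DLL name, no path or file metadata: ' + line))
            pending_notify = None
            continue
        m = RUN_VALUE_RE.match(line)
        if m:
            path, meta = m.group('path'), m.group('meta').strip()
            if PADDED_NAME_RE.search(path):
                findings.append(('run', m.group('name'), 'whitespace-padded filename'))
            elif not meta:
                findings.append(('run', m.group('name'), 'no file date/size recorded'))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path, meta = m.group('path'), m.group('meta').strip()
            if TEMP_PATH_RE.search(path):
                findings.append(('driver', m.group('name'), 'image under a Temp directory'))
            elif not meta:
                findings.append(('driver', m.group('name'), 'no file date/size recorded'))
    return findings


if __name__ == '__main__':
    for kind, name, reason in triage_loading_points(SAMPLE_LOG):
        print(f'{kind:16} {name:16} {reason}')
```

Run against the sample, the script reports exactly the three entries the thread ends up dealing with and stays quiet about the ThinkPad, Synaptics and SUPERAntiSpyware entries. The padded-name rule is the one to remember: the real qttask.exe never existed at that path, so the value with thirty-odd spaces before ".exe" is a lookalike that only reveals itself when you count the characters.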

LouMan777

Re: Please Help: Can't Shake The Vundo!!
« Reply #18 on: January 17, 2008, 07:52:55 AM »
Process.exe;C:\Documents and Settings\Louie\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Louie\Desktop\SmitfraudFix;Tool.ShutDown.11;;
iTunesHelper.exe.vir;C:\QooBox\Quarantine\C\Program Files\iTunes;Trojan.MulDrop.10006;Deleted.;
jusched.exe.vir;C:\QooBox\Quarantine\C\Program Files\Java\jre1.6.0_03\bin;Trojan.MulDrop.10006;Deleted.;
qttask                            .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask                           .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask                          .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask                         .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask                        .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask                       .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask                      .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask                     .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
qttask                    .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
backup-20080115-172114-558-PowerReg Scheduler V3                      .exe.vir;C:\QooBox\Quarantine\C\Program Files\Trend Micro\HijackThis\backups;Trojan.MulDrop.10006;Deleted.;
backup-20080115-172114-736-PowerReg Scheduler V3                       .exe.vir;C:\QooBox\Quarantine\C\Program Files\Trend Micro\HijackThis\backups;Trojan.MulDrop.10006;Deleted.;
backup-20080115-172114-921-PowerReg Scheduler V3                        .exe.vir;C:\QooBox\Quarantine\C\Program Files\Trend Micro\HijackThis\backups;Trojan.MulDrop.10006;Deleted.;
hggff.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.10006;Deleted.;
instsrv.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Tool.SrvRunner;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0000006.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1;Trojan.MulDrop.10006;Deleted.;
A0000007.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1;Trojan.MulDrop.10006;Deleted.;
A0000008.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1;Trojan.MulDrop.10006;Deleted.;
A0000018.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2;Trojan.MulDrop.10006;Deleted.;
A0000019.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2;Trojan.MulDrop.10006;Deleted.;
A0000020.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2;Trojan.MulDrop.10006;Deleted.;
A0000024.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000026.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000027.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000028.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000029.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000030.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000031.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000032.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000033.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000034.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000035.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000036.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000037.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000038.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000039.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Trojan.MulDrop.10006;Deleted.;
A0000040.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Tool.SrvRunner;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

evilfantasy

Re: Please Help: Can't Shake The Vundo!!
« Reply #19 on: January 17, 2008, 09:39:59 AM »
I think you are in the clear.


Please download ATF Cleaner by Atribune. ATF Cleaner.exe

Make sure that all browser windows are closed.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All and UNCHECK Cookies.
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All and UNCHECK Cookies.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All and UNCHECK Cookies.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main ATF Cleaner menu to close the program.


Post a new Hijackthis log

Let me know how everything is now.
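
The verdict above rests on reading the DrWeb.csv report in Reply #18 row by row, and that reading can be made mechanical. This added Python example (not from the thread and not Dr.Web's own code) parses the semicolon-separated rows and sorts each hit by where the file sits: inside ComboFix's QooBox quarantine (the .vir copies), inside a System Restore point, or live on the filesystem. Only a live hit that is not a Tool.* detection would argue against "in the clear"; the Tool.Prockill and Tool.ShutDown rows are helpers belonging to the removal kits used earlier in the thread, as the report's own paths (the SmitfraudFix folder, C:\SDFix\apps) show. The embedded sample is a constructed subset of the report's rows; the location rules and the "clean" criterion are this example's assumptions.

```python
# Constructed sample: a subset of the rows from the DrWeb.csv report posted
# above, in its own format (file;directory;detection;action;). The qttask
# row keeps the space-padded filename the report shows.
SAMPLE_REPORT = r'''Process.exe;C:\Documents and Settings\Louie\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Louie\Desktop\SmitfraudFix;Tool.ShutDown.11;;
iTunesHelper.exe.vir;C:\QooBox\Quarantine\C\Program Files\iTunes;Trojan.MulDrop.10006;Deleted.;
qttask                            .exe.vir;C:\QooBox\Quarantine\C\Program Files\QuickTime;Trojan.MulDrop.10006;Deleted.;
hggff.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.MulDrop.10006;Deleted.;
instsrv.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Tool.SrvRunner;;
A0000006.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1;Trojan.MulDrop.10006;Deleted.;
A0000040.exe;C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP3;Tool.SrvRunner;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
'''

# Directories that hold neutralised copies rather than live files. ComboFix
# moves what it removes into C:\QooBox\Quarantine with a .vir suffix, and the
# restore-point copies are snapshots System Restore took of the originals.
QUARANTINE_MARKERS = ('\\qoobox\\quarantine\\', '\\vundofix backups\\')
RESTORE_POINT_MARKER = '\\system volume information\\_restore'


def classify_location(directory):
    """Map a report directory to 'quarantine', 'restore_point' or 'live'."""
    d = directory.lower().rstrip('\\') + '\\'
    if any(marker in d for marker in QUARANTINE_MARKERS):
        return 'quarantine'
    if RESTORE_POINT_MARKER in d:
        return 'restore_point'
    return 'live'


def is_dual_use_tool(detection):
    """Dr.Web's Tool.* family: utilities that are not malware on their own."""
    return detection.startswith('Tool.')


def triage_drweb(report_text):
    """Group report rows by location and pull out anything that still matters."""
    by_location = {'live': 0, 'quarantine': 0, 'restore_point': 0}
    live_threats = []      # live files with a non-Tool detection
    tools_in_place = []    # live Tool.* hits: removal-kit helpers left on disk
    for line in report_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(';')
        if len(fields) < 4:
            continue            # not a report row
        name, directory, detection, action = (f.strip() for f in fields[:4])
        location = classify_location(directory)
        by_location[location] += 1
        if location != 'live':
            continue
        if is_dual_use_tool(detection):
            tools_in_place.append((name, directory, detection))
        else:
            live_threats.append((name, directory, detection, action))
    return {
        'by_location': by_location,
        'live_threats': live_threats,
        'tools_in_place': tools_in_place,
        'clean': not live_threats,
    }


if __name__ == '__main__':
    result = triage_drweb(SAMPLE_REPORT)
    print('rows by location:', result['by_location'])
    print('live detections other than dual-use tools:', result['live_threats'] or 'none')
    for name, directory, detection in result['tools_in_place']:
        print(f'leftover tool: {directory}\\{name} ({detection})')
```

The leftover-tool list is the useful by-product: Process.exe in C:\WINDOWS\system32 is a copy dropped there by one of the removal kits (the ComboFix file listing above dates it to the SmitfraudFix run), and it is what "Combofix /u" and deleting the kit folders are meant to clean up once the machine is confirmed clean.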

LouMan777

Re: Please Help: Can't Shake The Vundo!!
« Reply #20 on: January 17, 2008, 04:00:47 PM »
I think we did it!  Startup was amazingly fast.  hggff.exe is no longer there after reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:54 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Swarmcast\swarmcast.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask                            .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Epson printer Registration.lnk = D:\Drivers\E_reg\EPSONREG.EXE
O4 - Startup: swarmcast.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 8280 bytes

evilfantasy

Re: Please Help: Can't Shake The Vundo!!
« Reply #21 on: January 17, 2008, 04:05:07 PM »
The log looks fine.


Final steps.

Time to do some cleanup and secure the work you have done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
----------

Here are some great tools to help you keep from getting infected again.

Spybot Search & Destroy - A safe and effective spyware scanner.
* Official Spybot Tutorial
* Spybot FAQ

AVG Anti-Spyware Free Edition - Very reliable with a high detection rate.
* AVG Anti-Spyware User Manual

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* SpywareBlaster Tutorial

Comodo BOClean - Stops trojans and many more malicious attacks.

Use a Firewall - It can not be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
* Click here for a list of free firewalls.
* Why would I consider a third party firewall?

UPDATE UPDATE UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed.
* Help with Windows updates

To learn more about how to protect yourself while on the internet, read this article by Tony Klien: So how did I get infected in the first place?

Let us know if anything else comes up.

evilfantasy

Re: Please Help: Can't Shake The Vundo!!
« Reply #22 on: January 17, 2008, 04:07:50 PM »
Almost forgot. Check out this tutorial to install the Recovery Console

http://www.bleepingcomputer.com/tutorials/tutorial117.html