
Not sure if Vundo was fully removed


srpad


I don't think we have found the cause here yet.

Please unzip and run the attached file.

I need you to do a scan and save a report for drivers and files.

The logs could be quite long, so zip and attach them please.

Hello. I apologize but when I try to extract Rootrepeal.zip, I get an error saying the zip file is corrupt. I tried downloading it again just in case something went wrong the first time and got the same result.


  • Root Admin

Well, what we would like to do is have you uninstall all the AVG software (at least temporarily) and install Avira AntiVir Personal - FREE Antivirus.

Update their product and do a full scan of your system, and repair anything found.

Then disable or remove the AntiVir product and run the following.

  • Download and install CCleaner
  • Double-click on the downloaded file "ccsetup212.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click Finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts


Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running, or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log and the AntiVir log so we may continue cleaning the system.


Sorry about the quote. I also wanted to let you know I will be doing these steps in a few days and I will let you know what happens. Sorry for the delay. I was thinking of switching to that anti virus package anyway so this is the excuse I needed :-)


  • Root Admin

Hi... Well, we need you to work on this as soon as you can; otherwise we will close this thread until you can work on it.

Sorry, but old topics create more work for us to keep up to date with so that we don't lose track of them. Also, the more time that goes by, the greater the chance that the system will become infected with even more stuff, negating what we've already worked on.

Thanks.


I removed AVG and installed Avira. The scan seems to get stalled on a file called Tracking.Log The first scan stayed on this file for over an hour before I ended it. I rebooted and ran a second scan and it got stalled on that file again. The good news is the files the first scan found were no longer found in the second scan.

I haven't had a chance to run ComboFix yet, but I wanted to post something tonight. So here are the first and second logs from Avira:

First log:

Avira AntiVir Personal

Report file date: Wednesday, October 15, 2008 18:27

Scanning for 1686590 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 3) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: MAIN

Version information:

BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00

AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53

AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34

ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:54:15

ANTIVIR2.VDF : 7.0.7.12 4066816 Bytes 10/8/2008 22:19:47

ANTIVIR3.VDF : 7.0.7.45 241664 Bytes 10/15/2008 22:19:49

Engineversion : 8.2.0.4

AEVDF.DLL : 8.1.0.6 102772 Bytes 10/15/2008 22:20:04

AESCRIPT.DLL : 8.1.1.8 319866 Bytes 10/15/2008 22:20:03

AESCN.DLL : 8.1.1.3 123252 Bytes 10/15/2008 22:20:02

AERDL.DLL : 8.1.1.2 438644 Bytes 10/15/2008 22:20:01

AEPACK.DLL : 8.1.2.4 369014 Bytes 10/15/2008 22:19:59

AEOFFICE.DLL : 8.1.0.28 196987 Bytes 10/15/2008 22:19:58

AEHEUR.DLL : 8.1.0.59 1438071 Bytes 10/15/2008 22:19:57

AEHELP.DLL : 8.1.1.2 115062 Bytes 10/15/2008 22:19:54

AEGEN.DLL : 8.1.0.41 319861 Bytes 10/15/2008 22:19:53

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/15/2008 22:19:52

AECORE.DLL : 8.1.2.6 172406 Bytes 10/15/2008 22:19:51

AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 22:19:50

AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01

AVREP.DLL : 8.0.0.2 98344 Bytes 10/15/2008 22:19:49

AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, F:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: All files

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: Wednesday, October 15, 2008 18:27

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'HOTSYNC.EXE' - '1' Module(s) have been scanned

Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned

Scan process 'CTDetect.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'CtHelper.exe' - '1' Module(s) have been scanned

Scan process 'MaxMenuMgr.exe' - '1' Module(s) have been scanned

Scan process 'lxbxcoms.exe' - '1' Module(s) have been scanned

Scan process 'zlclient.exe' - '0' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'ezprint.exe' - '1' Module(s) have been scanned

Scan process 'lxbxmon.exE' - '1' Module(s) have been scanned

Scan process 'mmtask.exe' - '1' Module(s) have been scanned

Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned

Scan process 'CTDVDDET.exe' - '1' Module(s) have been scanned

Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned

Scan process 'IntelMEM.exe' - '1' Module(s) have been scanned

Scan process 'IAAnotif.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'MDM.EXE' - '1' Module(s) have been scanned

Scan process 'SyncServices.exe' - '1' Module(s) have been scanned

Scan process 'IAANTmon.exe' - '1' Module(s) have been scanned

Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'vsmon.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

41 processes with 41 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'F:\'

[INFO] No virus was found!

Starting to scan the registry.

C:\WINDOWS\SYSTEM32\cvzebzy.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003

[WARNING] The file could not be deleted!

[NOTE] Attempting to perform action using the ARK lib.

[NOTE] The file was moved to '4b47249a.qua'!

The registry was scanned ( '67' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\ARK5.tmp

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '49416f19.qua'!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\backups\backup-20081003-194530-398.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '49596f2a.qua'!

C:\backups\backup-20081003-194623-664.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '49596f2b.qua'!

C:\backups\backup-20081003-194708-497.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4828c11c.qua'!

C:\backups\backup-20081007-184128-700.dll

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '49596f2c.qua'!

End of the scan: Wednesday, October 15, 2008 20:41

Used time: 2:13:37 Hour(s)

The scan has been canceled!

8535 Scanning directories

387988 Files were scanned

6 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

6 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

387981 Files not concerned

4810 Archives were scanned

2 Warnings

6 Notes

Second one:

Avira AntiVir Personal

Report file date: Wednesday, October 15, 2008 21:03

Scanning for 1686590 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 3) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: MAIN

Version information:

BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00

AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53

AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34

ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:54:15

ANTIVIR2.VDF : 7.0.7.12 4066816 Bytes 10/8/2008 22:19:47

ANTIVIR3.VDF : 7.0.7.45 241664 Bytes 10/15/2008 22:19:49

Engineversion : 8.2.0.4

AEVDF.DLL : 8.1.0.6 102772 Bytes 10/15/2008 22:20:04

AESCRIPT.DLL : 8.1.1.8 319866 Bytes 10/15/2008 22:20:03

AESCN.DLL : 8.1.1.3 123252 Bytes 10/15/2008 22:20:02

AERDL.DLL : 8.1.1.2 438644 Bytes 10/15/2008 22:20:01

AEPACK.DLL : 8.1.2.4 369014 Bytes 10/15/2008 22:19:59

AEOFFICE.DLL : 8.1.0.28 196987 Bytes 10/15/2008 22:19:58

AEHEUR.DLL : 8.1.0.59 1438071 Bytes 10/15/2008 22:19:57

AEHELP.DLL : 8.1.1.2 115062 Bytes 10/15/2008 22:19:54

AEGEN.DLL : 8.1.0.41 319861 Bytes 10/15/2008 22:19:53

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/15/2008 22:19:52

AECORE.DLL : 8.1.2.6 172406 Bytes 10/15/2008 22:19:51

AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 22:19:50

AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01

AVREP.DLL : 8.0.0.2 98344 Bytes 10/15/2008 22:19:49

AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, F:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: All files

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: Wednesday, October 15, 2008 21:03

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'HOTSYNC.EXE' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned

Scan process 'CTDetect.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'reader_sl.exe' - '1' Module(s) have been scanned

Scan process 'CtHelper.exe' - '1' Module(s) have been scanned

Scan process 'MaxMenuMgr.exe' - '1' Module(s) have been scanned

Scan process 'zlclient.exe' - '0' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'lxbxcoms.exe' - '1' Module(s) have been scanned

Scan process 'ezprint.exe' - '1' Module(s) have been scanned

Scan process 'lxbxmon.exE' - '1' Module(s) have been scanned

Scan process 'mmtask.exe' - '1' Module(s) have been scanned

Scan process 'sgtray.exe' - '1' Module(s) have been scanned

Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned

Scan process 'CTDVDDET.exe' - '1' Module(s) have been scanned

Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned

Scan process 'IntelMEM.exe' - '1' Module(s) have been scanned

Scan process 'IAAnotif.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'MDM.EXE' - '1' Module(s) have been scanned

Scan process 'SyncServices.exe' - '1' Module(s) have been scanned

Scan process 'IAANTmon.exe' - '1' Module(s) have been scanned

Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'vsmon.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

44 processes with 44 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'F:\'

[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '66' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

End of the scan: Wednesday, October 15, 2008 22:34

Used time: 1:30:57 Hour(s)

The scan has been canceled!

8535 Scanning directories

387986 Files were scanned

0 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

387985 Files not concerned

4810 Archives were scanned

1 Warnings

0 Notes

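What srpad reads off the two reports by eye (the first run's detections are gone in the second; one file threw ErrorID 26003 and was only moved after Avira fell back to its ARK library) can be checked mechanically. The following is an added Python example, not Avira's code and not part of the original post; the two report excerpts are constructed from the posted lines, and the function and field names are this example's own:

```python
"""Parse Avira AntiVir scan reports and compare two runs.

Added example for this thread: not Avira's code, not part of the original
post. The two excerpts are constructed from lines of the posted reports
(abridged, same line formats).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FIRST_REPORT = r"""
Search for rootkits..............: off
Starting to scan the registry.
C:\WINDOWS\SYSTEM32\cvzebzy.dll
[DETECTION] Is the TR/Drop.Softomat.AN Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was moved to '4b47249a.qua'!
The registry was scanned ( '67' files ).
Begin scan in 'C:\'
C:\ARK5.tmp
[DETECTION] Is the TR/Drop.Softomat.AN Trojan
[NOTE] The file was moved to '49416f19.qua'!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\backups\backup-20081003-194530-398.dll
[DETECTION] Is the TR/Drop.Softomat.AN Trojan
[NOTE] The file was moved to '49596f2a.qua'!
The scan has been canceled!
"""

SECOND_REPORT = r"""
Search for rootkits..............: off
Starting to scan the registry.
The registry was scanned ( '66' files ).
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
The scan has been canceled!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a scanned object's path
DETECT_RE = re.compile(r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (?P<sig>\S+)")
QUAR_RE = re.compile(r"^\[NOTE\] The file was moved to '(?P<q>[^']+)'!")
WARN_RE = re.compile(r"^\[WARNING\] (?P<msg>.+)$")


@dataclass
class Finding:
    path: str
    signature: str
    quarantined_as: Optional[str] = None
    warnings: List[str] = field(default_factory=list)
    ark_used: bool = False  # Avira fell back to its anti-rootkit library


@dataclass
class Report:
    rootkit_search: Optional[str] = None
    canceled: bool = False
    findings: Dict[str, Finding] = field(default_factory=dict)
    unscannable: List[str] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Walk the report once; every [..] line refers to the last path seen."""
    rep = Report()
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Search for rootkits"):
            rep.rootkit_search = line.split(":", 1)[1].strip()
        elif line == "The scan has been canceled!":
            rep.canceled = True
        elif PATH_RE.match(line):
            current = line
        elif current is None:
            continue
        elif (m := DETECT_RE.match(line)):
            rep.findings[current] = Finding(current, m.group("sig"))
        elif current not in rep.findings:
            if "could not be opened" in line:
                rep.unscannable.append(current)
        elif (m := QUAR_RE.match(line)):
            rep.findings[current].quarantined_as = m.group("q")
        elif (m := WARN_RE.match(line)):
            rep.findings[current].warnings.append(m.group("msg"))
        elif "ARK lib" in line:
            rep.findings[current].ark_used = True
    return rep


def diff_findings(before: Report, after: Report) -> Tuple[List[str], List[str]]:
    """Paths flagged only in the first run (cleared) and only in the second (new)."""
    cleared = sorted(set(before.findings) - set(after.findings))
    new = sorted(set(after.findings) - set(before.findings))
    return cleared, new


def needs_followup(rep: Report) -> List[Finding]:
    """Detections that errored or needed the ARK library: worth a second look."""
    return [f for f in rep.findings.values() if f.warnings or f.ark_used]


if __name__ == "__main__":
    first, second = parse_report(FIRST_REPORT), parse_report(SECOND_REPORT)
    for f in first.findings.values():
        print(f"{f.signature}  {f.path}  -> {f.quarantined_as}  warnings={len(f.warnings)}")
    cleared, new = diff_findings(first, second)
    print("cleared:", cleared, "new:", new)
    print("follow up:", [f.path for f in needs_followup(first)], "rootkit search:", first.rootkit_search)
```

Both posted reports show Search for rootkits: off, so a clean second run says nothing about hidden files or drivers; that is what the catchme section of a ComboFix log covers. The file that needed the ARK fallback, cvzebzy.dll, is also the one the ComboFix log further down lists as a removed BHO and Winlogon Notify orphan, which is why a detection that does not delete cleanly is worth tracking across runs rather than taking the second scan's zero as the end of it.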

Here is the Combofix log:

ComboFix 08-10-15.05 - Scott P 2008-10-15 23:28:18.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1575 [GMT -4:00]

Running from: C:\Documents and Settings\Scott P\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Scott P\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

F:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))

.

2008-10-15 22:58 . 2008-10-15 23:19 4,958,588 --a------ C:\WINDOWS\{00000004-00000000-00000001-00001102-00000004-20061102}.BAK

2008-10-15 18:18 . 2008-10-15 18:18 <DIR> d-------- C:\Program Files\Avira

2008-10-15 18:18 . 2008-10-15 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-10-14 19:10 . 2008-09-08 06:41 333,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\srv.sys

2008-10-14 19:09 . 2008-08-14 06:11 2,189,184 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntoskrnl.exe

2008-10-14 19:09 . 2008-08-14 06:09 2,145,280 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlmp.exe

2008-10-14 19:09 . 2008-08-14 05:33 2,066,048 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlpa.exe

2008-10-14 19:09 . 2008-08-14 05:33 2,023,936 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrpamp.exe

2008-10-14 19:09 . 2008-09-15 08:12 1,846,400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys

2008-10-09 19:23 . 2008-10-09 20:19 <DIR> d-------- C:\RootRepeal_1.1.2

2008-10-07 18:50 . 2008-10-07 18:50 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR

2008-10-03 20:16 . 2008-10-03 20:16 <DIR> d-------- C:\Program Files\CCleaner

2008-10-03 20:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl

2008-10-03 20:03 . 2008-10-03 20:04 <DIR> d-------- C:\Program Files\Java

2008-10-03 20:03 . 2008-10-03 20:03 <DIR> d-------- C:\Program Files\Common Files\Java

2008-09-25 18:35 . 2008-09-25 18:35 250 --a------ C:\WINDOWS\gmer.ini

2008-09-25 18:34 . 2008-09-25 18:34 <DIR> d-------- C:\gmer

2008-09-24 22:16 . 2008-10-15 22:48 <DIR> d-------- C:\backups

2008-09-20 21:49 . 2008-09-20 21:49 <DIR> d-------- C:\ProcessExplorer

2008-09-20 21:48 . 2008-09-20 21:48 <DIR> d-------- C:\Autoruns

2008-09-20 17:45 . 2008-09-22 19:54 <DIR> d-------- C:\VundoFix Backups

2008-09-16 21:41 . 2008-09-16 21:41 401,720 --a------ C:\srpad.exe

2008-09-16 18:17 . 2008-09-16 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-09-16 18:16 . 2008-09-16 18:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-09-16 18:16 . 2008-09-16 18:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-09-16 18:16 . 2008-09-16 18:16 <DIR> d-------- C:\Documents and Settings\Scott P\Application Data\SUPERAntiSpyware.com

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-16 03:32 24,694,816 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-10-16 03:05 291,380 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-10-15 22:22 --------- d-----w C:\Program Files\Mozilla Thunderbird

2008-10-15 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7

2008-10-15 04:17 --------- d-----w C:\Program Files\ICQ

2008-10-14 23:33 --------- d-----w C:\Program Files\OCTGN

2008-10-14 01:02 --------- d-----w C:\Program Files\City of Heroes

2008-10-10 23:55 --------- d-----w C:\Program Files\Lx_cats

2008-10-07 22:49 --------- d-----w C:\Program Files\Common Files\Adobe

2008-10-03 17:41 6,066,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll

2008-09-27 02:24 --------- d-----w C:\Program Files\Unlocker

2008-09-18 22:33 --------- d-----w C:\Documents and Settings\Scott P\Application Data\SPORE

2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys

2008-09-14 21:09 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware

2008-09-14 21:08 --------- d-----w C:\Documents and Settings\Scott P\Application Data\Malwarebytes

2008-09-14 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-09-14 20:56 --------- d-----w C:\Documents and Settings\Scott P\Application Data\AVG7

2008-09-14 20:13 11,326,576 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip

2008-09-14 02:57 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-09-14 02:57 --------- d-----w C:\Program Files\Creative

2008-09-14 02:56 444,952 ----a-w C:\WINDOWS\SYSTEM32\wrap_oal.dll

2008-09-14 02:56 109,080 ----a-w C:\WINDOWS\SYSTEM32\OpenAL32.dll

2008-09-13 16:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-09-10 04:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-10 04:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys

2008-09-09 23:19 6,974 ----a-w C:\WINDOWS\SYSTEM32\ealregsnapshot1.reg

2008-09-09 23:07 --------- d-----w C:\Program Files\Electronic Arts

2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-09-08 00:31 --------- d-----w C:\Documents and Settings\Scott P\Application Data\SPORE Creature Creator

2008-09-06 15:57 --------- d-----w C:\Program Files\Agent

2008-08-27 08:24 3,593,216 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll

2008-08-26 22:35 --------- d-----w C:\Documents and Settings\Scott P\Application Data\IrfanView

2008-08-25 08:38 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe

2008-08-25 08:37 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe

2008-08-23 05:56 635,848 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe

2008-08-23 05:54 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll

2008-08-16 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Maxtor

2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe

2008-08-14 10:04 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys

2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\SYSTEM32\ntkrnlpa.exe

2008-08-10 01:02 107,888 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll

2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll

2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll

2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe

2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe

2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll

2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll

2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll

2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll

2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll

2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll

2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll

2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll

2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll

2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll

2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]

"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]

"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 286720]

"LXBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]

"lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 196608]

"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 286720]

"EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 61440]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\SYSTEM32\nwiz.exe]

"CTHelper"="CTHELPER.EXE" [2008-06-27 C:\WINDOWS\SYSTEM32\CtHelper.exe]

C:\Documents and Settings\Scott P\Start Menu\Programs\Startup\

HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-03-07 299008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=

"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=

"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=

"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=

"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=

"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 lffycjtc;lffycjtc;C:\WINDOWS\system32\drivers\lffycjtc.sys [2004-08-04 23424]

R2 Maxtor Sync Service;Maxtor Service;C:\Program Files\Maxtor\Sync\SyncServices.exe [2007-09-28 156976]

R3 COMMONFX.SYS;COMMONFX.SYS;C:\WINDOWS\system32\drivers\COMMONFX.SYS [2008-06-27 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;C:\WINDOWS\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;C:\WINDOWS\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

S3 COMMONFX;COMMONFX;C:\WINDOWS\system32\drivers\COMMONFX.SYS [2008-06-27 99352]

S3 CTAUDFX;CTAUDFX;C:\WINDOWS\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\WINDOWS\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]

S3 CTERFXFX;CTERFXFX;C:\WINDOWS\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]

S3 CTSBLFX;CTSBLFX;C:\WINDOWS\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [ ]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ceagovhn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce077b1e-e23e-11dc-afe2-001111cbbb3f}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

2008-10-12 C:\WINDOWS\Tasks\At1.job

- C:\WINDOWS\system32\rundll32.exe [2008-04-13 20:12]

.

- - - - ORPHANS REMOVED - - - -

BHO-{1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll

BHO-{E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dll

HKLM-Run-AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

HKLM-Run-CTXFIREG - CTxfiReg.exe

HKU-Default-Run-AVG7_Run - C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll

ShellExecuteHooks-{CB0A0B68-3F3C-61D2-A901-8381E136D21A} - (no file)

Notify-hmbdkint - cvzebzy.dll

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Scott P\Application Data\Mozilla\Firefox\Profiles\x0x31l5m.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.yahoo.com/index.html

FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-15 23:31:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXBXCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-10-15 23:33:39

ComboFix-quarantined-files.txt 2008-10-16 03:33:33

Pre-Run: 63,280,369,664 bytes free

Post-Run: 63,260,520,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

221 --- E O F --- 2008-10-15 04:23:11

Here is a Hijackthis log ran after I rebooted after the combofix.exe:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:56:13 PM, on 10/15/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Lexmark 7100 Series\lxbxmon.exe

C:\Program Files\Lexmark 7100 Series\ezprint.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\lxbxcoms.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\srpad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dll (file missing)

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"

O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: hmbdkint - cvzebzy.dll (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)

O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--

End of file - 8643 bytes


  • Root Admin

Let's run the following now that so much has been removed. You may still have something but we want to make sure that we're not chasing our tails on this.

Run MB and go to the UPDATE tab and update it again. Then run another Quick Scan and fix anything found and REBOOT

AFTER the reboot run HJT again and then post back both of those logs.

If we still have anything then I'm going to need you to run some other tools that can read everything that's being loaded so we can track it down to the parent cause.


Here is the MBAM log. What is strange is that MBAM still says it finds the file cvzebzy.dll, but I am sure this file was gone even before I ran the scan.

Malwarebytes' Anti-Malware 1.29

Database version: 1276

Windows 5.1.2600 Service Pack 3

10/17/2008 12:23:10 AM

mbam-log-2008-10-17 (00-23-10).txt

Scan type: Quick Scan

Objects scanned: 49931

Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hmbdkint (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{e7b34a56-1fd0-4af9-bbc9-b089dac5c6ed} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{1b2a198b-e7f1-4e02-a0c8-6e3743cf2dc6} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\lowbypdr (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\windows\system32\cvzebzy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.

Here is the Hijack this scan done after a reboot:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:31:39 AM, on 10/17/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Lexmark 7100 Series\lxbxmon.exe

C:\Program Files\Lexmark 7100 Series\ezprint.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\lxbxcoms.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\srpad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6} - C:\DOCUME~1\SCOTTP~1\LOCALS~1\Temp\CmdLineExt03k.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED} - c:\windows\system32\cvzebzy.dll (file missing)

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"

O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: hmbdkint - cvzebzy.dll (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)

O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--

End of file - 8524 bytes


  • Root Admin

Please try searching your entire Registry for these entries

CmdLineExt03k.dll

cvzebzy.dll

I would expect one to be here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

and the other here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

but please search the entire registry for both.

Please post back if you do find them and the exact registry location they're found in.

Then if found try to manually delete these entries and report if there are errors trying to delete.

Then quit Regedit and wait about 1 minute and restart Regedit and try to locate them again.

Trying to determine if HJT is having issues removing these entries or if there is something really putting them back or not.

We show that the files have been added to MBAM and detected and disabled so that removal on reboot should be done and HJT should not be showing it anymore.

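Added example (not code from this thread or from any of the tools it mentions): a read-only PowerShell audit of the three locations named in the post above. It resolves each Browser Helper Object CLSID to its InprocServer32 DLL, reads each Winlogon Notify package's DLLName and splits AppInit_DLLs, then reports any entry whose DLL no longer exists on disk, the state HijackThis prints as "(file missing)". Function names are my own; run it in an elevated prompt on the affected machine.

```powershell
# Defensive audit: list autostart DLL references that point at files no longer
# on disk. Reports only; it deletes nothing. Uses PowerShell 2.0 syntax so it
# also works on older Windows XP installs.

function Resolve-ClsidServer {
    # Returns the InprocServer32 default value for a CLSID, or $null if absent.
    # HKCR\CLSID is a merged view of HKLM\SOFTWARE\Classes\CLSID (and the HKCU
    # classes), which is why a registry search shows the same DLL under both.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

function Test-DllPresent {
    # True when the referenced DLL exists. Bare names (e.g. cvzebzy.dll) are
    # checked in the system directory, the first stop of the DLL search order.
    param([string]$DllPath)
    if ([string]::IsNullOrEmpty($DllPath)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($DllPath.Trim('"', ' '))
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path (Join-Path $env:SystemRoot 'system32') $expanded
    }
    return (Test-Path -LiteralPath $expanded -PathType Leaf)
}

function New-Finding {
    param([string]$Location, [string]$Dll)
    New-Object PSObject -Property @{
        Location = $Location
        Dll      = $Dll
        Present  = (Test-DllPresent $Dll)
    }
}

function Get-OrphanedAutostarts {
    $findings = @()

    # 1. Browser Helper Objects: each subkey name is a CLSID.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bhoKey) {
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
            $findings += New-Finding "BHO $($sub.PSChildName)" (Resolve-ClsidServer $sub.PSChildName)
        }
    }

    # 2. Winlogon Notify packages: DLLName value of each subkey, loaded by winlogon at logon.
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path -LiteralPath $notifyKey) {
        foreach ($sub in Get-ChildItem -LiteralPath $notifyKey) {
            $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
            $findings += New-Finding "Winlogon\Notify\$($sub.PSChildName)" $dll
        }
    }

    # 3. AppInit_DLLs: space- or comma-separated list injected into every process that loads user32.
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -LiteralPath $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
            $findings += New-Finding 'AppInit_DLLs' $dll
        }
    }
    return $findings
}

# Print only the orphaned references; an empty result means nothing dangling was found.
Get-OrphanedAutostarts | Where-Object { -not $_.Present } |
    Format-Table -AutoSize Location, Dll
```

An entry listed here is a registry reference that survived the file's removal; it is exactly the kind of leftover the post asks to search for, and the Location column gives the key to inspect in Regedit.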

This is what I found:

CmdLineExt03k.dll

HKEY_CLASSES_ROOT\CLSID\{1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B2A198B-E7F1-4E02-A0C8-6E3743CF2DC6}\InprocServer32

cvzebzy.dll

HKEY_CLASSES_ROOT\CLSID\{E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7B34A56-1FD0-4AF9-BBC9-B089DAC5C6ED}\InprocServer32

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 (deleted)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll (deleted)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hmbdkint

I was able to delete the two noted above and they did not come back when I checked again after a few minutes. The others gave me an error saying "error deleting key" when I tried. Thank you again for your efforts.


  • Root Admin

Okay that baby is a bit embedded eh!... Please run the following scans which should be able to tell us everything that is running, loading on the box.

DO NOT post these logs directly into your reply. Please attach them as some of them will be quite large.

Please run the following and then zip and ATTACH the logs. Do NOT post them directly into this thread due to their size.

STEP 01

Click on START - RUN and type in SIGVERIF and click OK

This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on START and let it run.
  • It will popup a box when it's done to show the status, you can close that box.
  • Close the File Signature Verification application.
  • Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply

STEP 02

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I also need for you to download this program OTListIt.exe to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop
  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.
  • Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked and the 'File Age:' at 30 days)
  • Click the Run Scan button
  • NOTE: Please be patient and let the scan run without using the computer
  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)
  • In Notepad, click Edit, Select all then Edit, Copy
  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Right click paste.
  • Submit your reply and close the Notepad window with OTList.txt
  • Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window
  • In Notepad, click Edit, Select all then Edit, Copy
  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.
  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.


STEP 03

Please download the following scanning tool. GMER
  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.


  • Root Admin

Please take a look at removing some of the potential entries from here. It appears that HJT has trouble removing these entries.

start > control panel > Display (Display properties) > Desktop > Customize Desktop... > Web tab

Uncheck and delete everything you find in there. (except for "My current home page")

Let me know if you find unwanted stuff in there and if after you remove it if it comes back.


Also, it looks like you're running some type of automated backup software. Maxtor? Please disable this for now so that we know it's not involved in auto restoring as well.

There's some software installed that came with my external HD but it doesn't run.


Please take a look at removing some of the potential entries from here. It appears that HJT has trouble removing these entries.

start > control panel > Display (Display properties) > Desktop > Customize Desktop... > Web tab

Uncheck and delete everything you find in there. (except for "My current home page")

Let me know if you find unwanted stuff in there and if after you remove it if it comes back.

Checked this. The only entry I found was My current home page and it was unchecked. I will do the other steps as soon as I can. Thanks.


  • Root Admin
There's some software installed that came with my external HD but it doesn't run.

The logs indicate that it does start when the PC starts.

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

It may not be doing anything except providing support for the 1 Touch Button, but since we're not sitting at the desk to operate it we're not sure. Just trying to cover all bases of what might be happening to your system.
