Info. found in this form helped. Wanted to record my experience in case it might be useful to others.
Symptom was follows. At startup (from power-down or log-in from power-up) McAffee virus shield would find a trojan and give a message like the following
"A trojan has been detected and cleaned! The file C:\WINNT\system32\vzmhe70cxod.dll was infected by the AdClicker-AF.dll trojan and has been deleted to complete the Clean process."
Problem was that this message happened at every power-up or log-in with hash-named dll changing name each time. McAfee was apparently finding a symptomatic dll and eliminating it but was not eliminating root of the problem. Commanding a McAfee scan after the start up would find nothing 99% of the time.
Read some entries at McAfee forums. Quite a few people had experienced similar problems with AdClicker-AF trojan, though symptoms were somewhat variable. Didn't see any simple recipe for eliminating the problem.
Then started to look elsewhere. Along the way I learned about HijackThis.exe and recorded a few logs. I'll show a couple here for context.
FIRST HijackThis LOG:
<deleted, apparently we're not allowed to post logs here.>
SECOND HijackThis LOG:
<deleted, apparently we're not allowed to post logs here.>
Problem with logs was that I don't know enough to interpret them reliably and also I wasn't sure whether they would really reveal the underlying problem. You can see from the 2 logs, separated in time, that I tried eliminating a few things. But that didn't help.
I then googled for "AdClicker-AF" and found this item
http://reviews.cnet.com/5208-6132-0.html?forumID=32&threadID=47070&messageID=560135
which showed a HijackThis log entry as follows
O20 - AppInit_DLLs: w8c6s4xcm66s.dll
This alerted me to the notion of an "AppInit_DLL" which seemed related to
my problem. I googled again or "AppInit_DLL" and eventually found this
http://www.computing.net/security/wwwboard/forum/11527.html
of which the following entry was most helpful.
Name: steve1308
Date: May 11, 2004 at 17:07:10 Pacific
Subject: CWS Searchx
Apparently AppInit_DLLs execute at start up based on a registry key. The key can appear blank but may still have content. Deleting the key helps. But if you try a simple delete using regedit.exe it may not work. steve1308 described how it could keep coming back. What I found was that I simply could not delete it while running in normal mode. steve1308 suggested a trick to accomplish deletion. I tried simply:
restarting in safe mode;
starting regedit.exe;
attempting the delete.
That worked. I've tried a few restarts since then and McAfee is now finding nothing.
I still wonder if I have a garbage dll lying around somewhere. But at this point the worst symptom seems to have been eliminated.
