
Subject: Stupid Vondu Trojan

Original Message
Name: sprockkets
Date: September 5, 2007 at 00:30:01 Pacific
Subject: Stupid Vondu Trojan
OS: MediaCenter 2005
CPU/Ram: Intel Core Duo
Model/Manufacturer: Sony VAIO
Comment:
I've been spending over two hours trying to get this Vundo removed, so I guess I need help. The auto hijackthis site didn't say much in the way of what needs to be removed, but I noticed from previous posts of this trojan where to look. I do remove what appears to be the culprit, but it just keeps coming back.


Response Number 1
Name: sprockkets
Date: September 5, 2007 at 00:31:52 Pacific
Subject: Stupid Vondu Trojan
Reply:
Oh, and to make matters worse, when going into safe mode, explorer cannot stay open for any amount of time due to the stupid infection. I'd rather just reformat but if not necessary will try this first.


Response Number 2
Name: jabuck
Date: September 5, 2007 at 03:39:33 Pacific
Subject: Stupid Vondu Trojan
Reply:
Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post the log located at C:\Vundofix.txt.

Run VundoFix again

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 3
Name: sprockkets
Date: September 5, 2007 at 17:54:26 Pacific
Subject: Stupid Vondu Trojan
Reply:
hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:19 PM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Common Files\AOL\1181571558\ee\AOLSoftware.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll
O2 - BHO: (no name) - {6D55F78D-57E0-7A56-9975-02E12506D1B4} - C:\Program Files\Vecqznrh\easbtuzc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {FA3C3002-2705-4138-9965-14066D554591} - C:\WINDOWS\system32\mllmm.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1181571558\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [PartSeal] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 11782 bytes

combofix log:
ComboFix 07-08-30.3 - "annette" 2007-09-05 20:13:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.570 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\setup.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-05 20:12 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-05 20:03 <DIR> d-------- C:\VundoFix Backups
2007-09-05 02:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-05 02:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-05 00:57 92,416 --a--c--- C:\WINDOWS\system32\dllcache\mga.sys
2007-09-05 00:57 92,032 --a--c--- C:\WINDOWS\system32\dllcache\mga.dll
2007-09-05 00:57 85,504 --a--c--- C:\WINDOWS\system32\dllcache\metada51.dll
2007-09-05 00:57 8,320 --a--c--- C:\WINDOWS\system32\dllcache\memcard.sys
2007-09-05 00:57 47,616 --a--c--- C:\WINDOWS\system32\dllcache\memgrp.dll
2007-09-05 00:57 26,624 --a--c--- C:\WINDOWS\system32\dllcache\mdsync.dll
2007-09-05 00:57 26,112 --a--c--- C:\WINDOWS\system32\dllcache\memstpci.sys
2007-09-05 00:57 235,648 --a--c--- C:\WINDOWS\system32\dllcache\mgaud.dll
2007-09-05 00:57 <DIR> d-------- C:\WINDOWS\pss
2007-08-09 10:41 <DIR> d-------- C:\Program Files\Vecqznrh
2007-08-09 09:07 <DIR> d-------- C:\Program Files\vaxqdyfe
2007-08-08 15:58 1,732,187 --ahs---- C:\WINDOWS\system32\accdd.ini2
2007-08-07 11:08 1,732,360 --ahs---- C:\WINDOWS\system32\accdd.bak2
2007-08-06 22:33 6,447 --ahs---- C:\WINDOWS\system32\accdd.bak1
2007-08-06 21:34 1,732,131 --ahs---- C:\WINDOWS\system32\kmllm.ini2


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-05 0rogram Files\Common Files\Symantec Shared
2007-09-05 0OCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-05 0rogram Files\Trend Micro
2007-08-19 1rogram Files\Norton 360
2007-08-08 1rogram Files\Lexmark 1200 Series
2007-08-06 21:34 1738459 --ahs---- C:\WINDOWS\system32\kmllm.bak2
2007-08-06 21:22 1733673 --ahs---- C:\WINDOWS\system32\kmllm.bak1
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-18 21:44 1051215 --ahs---- C:\WINDOWS\system32\gckvdjbe.ini2
2007-07-17 12:21 186256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
2007-06-29 07:48 1845739 --ahs---- C:\WINDOWS\system32\sttss.ini2
2007-06-29 07:33 1853670 --ahs---- C:\WINDOWS\system32\sttss.bak2
2007-06-27 15:30 1857773 --ahs---- C:\WINDOWS\system32\sttss.bak1
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-22 10:38 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
2005-10-14 13:21 102400 --a------ C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D55F78D-57E0-7A56-9975-02E12506D1B4}]
2007-08-09 10:41 106496 --a------ C:\Program Files\Vecqznrh\easbtuzc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA3C3002-2705-4138-9965-14066D554591}]
C:\WINDOWS\system32\mllmm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-04-05 14:21]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-04-05 14:21]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-04-05 14:21]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-11-17 23:47]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56]
"SkyTel"="SkyTel.EXE" [2006-05-16 21:04 C:\WINDOWS\SkyTel.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 17:21]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-10 18:17]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 17:12]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 00:36]
"Switcher.exe"="C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 15:11]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2006-06-01 20:55]
"VAIOSurvey"="c:\program files\sony\vaio survey\surveysa.exe" [2005-06-13 18:42]
"HostManager"="C:\Program Files\Common Files\AOL\1181571558\ee\AOLSoftware.exe" [2006-04-13 16:36]
"PartSeal"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 03:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-14 23:10]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= C:\Program Files\Trend Micro\Tmas\sshook.dll [2007-06-11 09:59 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2006-06-20 19:11 73728 C:\WINDOWS\system32\VESWinlogon.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vaxqdyfe]
rundll32.exe "C:\Program Files\vaxqdyfe\roxstghg.dll",Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yhypghyz.exe]
C:\Documents and Settings\All Users\Application Data\yhypghyz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB
R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB

*Newly Created Service* - COMHOST

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 20:29:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-05 20:30:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-05 20:30

--- E O F ---



Response Number 4
Name: jabuck
Date: September 5, 2007 at 19:18:57 Pacific
Subject: Stupid Vondu Trojan
Reply:
Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X's below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Files to delete:
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\accdd.bak2
C:\WINDOWS\system32\accdd.bak1
C:\WINDOWS\system32\kmllm.ini2
C:\WINDOWS\system32\kmllm.bak2
C:\WINDOWS\system32\kmllm.bak1
C:\WINDOWS\system32\gckvdjbe.ini2
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\sttss.bak2
C:\WINDOWS\system32\sttss.bak1
C:\Program Files\Vecqznrh\easbtuzc.dll

Folders to delete:
C:\Program Files\Vecqznrh
C:\Program Files\vaxqdyfe


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Download "Winhelp2002's" domain cleaner from this link DelDomains.inf

To execute this file right click the desktop icon and select Install from the menu.

Please download ATF-Cleaner to your desktop from this link:
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.

Download and install AVG Anti-Spyware. We will need this later in safe mode.

Be sure to update AVG Anti-Spyware.

Run Hijack This, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: (no name) - {6D55F78D-57E0-7A56-9975-02E12506D1B4} - C:\Program Files\Vecqznrh\easbtuzc.dll

O2 - BHO: (no name) - {FA3C3002-2705-4138-9965-14066D554591} - C:\WINDOWS\system32\mllmm.dll (file missing)

O15 - Trusted Zone: http://*.trymedia.com (HKLM) (Should be gone)

Exit Hijack This

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop). Then post the AVG report and a new Hijack This log.

Let us know how the computer is operating.



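The triage done by eye on the two logs in this thread, written out as an added example; it is not part of the original posts and is not code from HijackThis or ComboFix. The heuristics, the `KNOWN_DIRS` allowlist and the function names are assumptions inferred from the entries picked for removal above: an unnamed O2 entry outside a known vendor folder or pointing at a missing file, and hidden+system `.ini2`/`.bak1`/`.bak2` files directly in system32. The sample lines are copied from the logs posted in Response Number 3.

```python
import re
from ntpath import dirname

# Assumed allowlist: install folders of the legitimate BHOs seen in this thread's
# log. A real allowlist would be maintained per environment.
KNOWN_DIRS = (
    "c:\\program files\\adobe\\",
    "c:\\program files\\aol\\",
    "c:\\program files\\java\\",
    "c:\\program files\\common files\\symantec shared\\",
)

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# ComboFix file line: "<date> <time> <size> <attrs> <path>" (<DIR> rows are skipped)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>[A-Za-z]:\\.+)$"
)
# Extensions of the hidden companion files listed for deletion in the thread.
COMPANION_RE = re.compile(r"\.(ini2|bak[12])$", re.IGNORECASE)


def triage_bho(line):
    """Return (clsid, path, reasons) for a suspicious O2 line, else None."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m["missing"]:
        reasons.append("target file missing")
    # "(no name)" alone is not enough: the Symantec BHO in the log is unnamed too.
    if m["name"] == "(no name)" and not m["path"].lower().startswith(KNOWN_DIRS):
        reasons.append("unnamed BHO outside known vendor folders")
    return (m["clsid"], m["path"], reasons) if reasons else None


def triage_file(line):
    """Return the path of a hidden+system companion file in system32, else None."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    path, attrs = m["path"], m["attrs"]
    hidden_system = "h" in attrs and "s" in attrs
    in_system32 = dirname(path).lower() == "c:\\windows\\system32"
    if hidden_system and in_system32 and COMPANION_RE.search(path):
        return path
    return None


def triage(log_text):
    """Run both checks over every line of a pasted log."""
    lines = log_text.splitlines()
    return {
        "bho": [hit for hit in map(triage_bho, lines) if hit],
        "files": [hit for hit in map(triage_file, lines) if hit],
    }


# Lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {6D55F78D-57E0-7A56-9975-02E12506D1B4} - C:\Program Files\Vecqznrh\easbtuzc.dll
O2 - BHO: (no name) - {FA3C3002-2705-4138-9965-14066D554591} - C:\WINDOWS\system32\mllmm.dll (file missing)
2007-09-05 20:12 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-05 00:57 92,416 --a--c--- C:\WINDOWS\system32\dllcache\mga.sys
2007-08-08 15:58 1,732,187 --ahs---- C:\WINDOWS\system32\accdd.ini2
2007-08-06 22:33 6,447 --ahs---- C:\WINDOWS\system32\accdd.bak1
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-18 21:44 1051215 --ahs---- C:\WINDOWS\system32\gckvdjbe.ini2
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for clsid, path, reasons in result["bho"]:
        print("BHO ", clsid, path, "; ".join(reasons))
    for path in result["files"]:
        print("FILE", path)
```

A hit is a lead for manual review against the full log, not a deletion list.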

Response Number 5
Name: sprockkets
Date: September 5, 2007 at 21:39:27 Pacific
Subject: Stupid Vondu Trojan
Reply:
Looks good. After removing the browser helper reg entries things went back to normal. Removed some other trojans as well via AVG antispyware, showing how inept Symantec is.


Response Number 6
Name: jabuck
Date: September 6, 2007 at 03:46:04 Pacific
Subject: Stupid Vondu Trojan
Reply:
You should consider adding "Spywareblaster" to your arsenal of antispyware tools, just do a Google search for Spywareblaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.






All content ©1996-2007 Computing.Net, LLC