Trojan.dropper.vundo.d

Hi!

I'm having a problem removing Trojan.Dropper.Vundo virus from my computer. I tried searching other people's postings but I'm having trouble following so I figured I'd start my own. I'm a good computer "user" but I'm terrible at the real technical stuff.

Here is the log from my scan. I was able to take care of everything (archived items) except this Vundo thing.

Any help would be greatly appreciated!!

Thank You!!

Tara

BitDefender Log File !!!!!

Product : BitDefender Total Security 2008

Version : BitDefender UIScanner v.11

Log date : 07:52:02 04/02/2008

Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1202129522_1_02.xml

Scan Paths:Path0000: C:\

Scan Options:Scan for viruses : Yes

Scan for adware : Yes

Scan for spyware : Yes

Scan for applications : Yes

Scan for dialers : Yes

Scan for rootkits : Yes

Target selection options:Scan registry keys : Yes

Scan cookies : Yes

Scan boot sectors : Yes

Scan memory processes : Yes

Scan archives : Yes

Scan runtime packers : Yes

Scan emails : Yes

Scan all files : Yes

Heuristic Scan : Yes

Scanned extensions :

Excluded extensions :

Target ProcessingDefault action for infected objects : Disinfect

Default action for suspicious objects : None

Default action for hidden objects : None

Scan engines summaryNumber of virus signatures : 978817

Archive plugins : 41

Email plugins : 6

Scan plugins : 12

Archive plugins : 41

System plugins : 4

Unpack plugins : 7

Overall scan summaryScanned items : 214790

Infected items : 20

Suspicious items : 0

Resolved items : 14

Individual viruses found : 12

Scanned directories : 7013

Scanned boot sectors : 2

Scanned archives : 3846

Input-output errors : 26

Scan time : 00:09:49:50

Files per second : 6

Scanned processes summaryScanned : 32

Infected : 0

Scanned registry keys summaryScanned : 315

Infected : 0

Scanned cookies summaryScanned : 1

Infected : 0

Remaining issues:Object Name Threat Name Final Status

C:\Documents and Settings\Tara\Local Settings\Temp\D12C4.tmp=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)

C:\Documents and Settings\Tara\Local Settings\Temp\D1B.tmp=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)

C:\Documents and Settings\Tara\Local Settings\Temp\D26D2.tmp=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)

C:\WINDOWS\system3200050.exe=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)

[system]=]HKEY_USERS\S-1-5-21-602162358-448539723-839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Dnec=]C:\PROGRA~1\FNTS~1\DLLHOST.EXE Trojan.Dropper.Vundo.D No action was possible

[system] Trojan.Dropper.Vundo.D No action was possible

Resolved issues:Object Name Threat Name Final Status

C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\Q7GNMDC7\CA6V49EN.htm Adware.SystemErrorFixer.A Deleted

C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\Q7GNMDC7\clean[1].htm Adware.SystemErrorFixer.A Deleted

C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\4V2GZ69K\popup[1].htm Trojan.Clicker.CM Deleted

C:\Program Files\Fоnts\dllhost .exe Trojan.Dropper.Vundo.D Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP22\A0000783.exe Trojan.Dropper.Vundo.D Deleted

C:\Documents and Settings\Tara\Local Settings\Temp\rmjbviix.exe Trojan.Fotomoto.H Deleted

C:\Documents and Settings\Tara\Local Settings\Temp\akpdgmhf.dll Trojan.Vundo.DVC Deleted

C:\Documents and Settings\Tara\Local Settings\Temp\ayukeyvx.dll Trojan.Vundo.DVC Deleted

C:\Documents and Settings\Tara\Local Settings\Temp\yyrhiaex.dll Trojan.Vundo.DWB Deleted

C:\WINDOWS\system32\pcadkveo.dll Trojan.Vundo.DXB Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP22\A0000780.dll Trojan.Vundo.DXS Deleted

C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\AP076DC1\ptch[1] Trojan.Vundo.DXU Deleted

C:\WINDOWS\system32\mirelgyv.dll Trojan.Vundo.DXU Deleted

C:\Documents and Settings\Tara\Local Settings\Temporary Internet Files\Content.IE5\4V2GZ69K\hctp[1] Trojan.Vundo.DXV Deleted

Find more posts tagged with

Comments

unknown

Hello!

From what I see in the log file, the malware file was deleted by BitDefender but the registry key remained. What you should try to do is open Registry Editor (Start/Run, type regedit.exe and hit Enter ) then navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, locate the "Dnec" value and delete it.

taralynne193

Thank You!

I followed the instructions but when I navigated to the "run" folder, there were only two items in the folder and neither showed "dnec value."

Here is a screen shot...

/applications/core/interface/file/attachment.php?id=1436" data-fileid="1436" rel="">Doc1.doc

Doc1.doc

farbar

Hi,

The malware is indeed removed, but there are some leftovers in the archives in the user TEMP folder.

You can try this to empty the folder:

1. Update BitDefender.

2. Reboot. then go to start-run- type %temp% in the run box-OK- in right panel highlight one of the files or folders, Ctrl+A to select all (it selects the hidden ones also), then Shift+Del to delete bypassing recycle bin. You have to this fast before some program starts updating. Otherwise you have to unhide the files and folders (start-control panel- folder options-view-check show hidden files and folders) and then remove files and folders that are not in use.

taralynne193

Hi,

I followed the above instructions but there was one file that I was unable to delete because it said it was in use by another program, but I couldn't find anything that was running it.

I did another scan with Bitdefender and here is the log. I also wanted to mention another problem I've been having (although I assume its probably related to this virus), any website I go to that has advertisements along the sides automatically switch to an add that says something like, my system is infected, perform a free scan... or something like that. There are a few variations but you can tell its not a legitimate error message, its some type of an ad. It causes the web page I'm on to constantly "load."

Thanks for the help! Its greatly appreciated!!

BitDefender Log File !!!!!

Product : BitDefender Total Security 2008

Version : BitDefender UIScanner v.11

Log date : 00:09:14 07/02/2008

Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1202360954_1_02.xml

Scan Paths:Path0000: C:\

Scan Options:Scan for viruses : Yes

Scan for adware : Yes

Scan for spyware : Yes

Scan for applications : Yes

Scan for dialers : Yes

Scan for rootkits : Yes

Target selection options:Scan registry keys : Yes

Scan cookies : Yes

Scan boot sectors : Yes

Scan memory processes : Yes

Scan archives : Yes

Scan runtime packers : Yes

Scan emails : Yes

Scan all files : Yes

Heuristic Scan : Yes

Scanned extensions :

Excluded extensions :

Target ProcessingDefault action for infected objects : Disinfect

Default action for suspicious objects : None

Default action for hidden objects : None

Scan engines summaryNumber of virus signatures : 979497

Archive plugins : 41

Email plugins : 6

Scan plugins : 12

Archive plugins : 41

System plugins : 4

Unpack plugins : 7

Overall scan summaryScanned items : 179802

Infected items : 22

Suspicious items : 0

Resolved items : 20

Individual viruses found : 7

Scanned directories : 6714

Scanned boot sectors : 2

Scanned archives : 3579

Input-output errors : 27

Scan time : 00:01:14:25

Files per second : 40

Scanned processes summaryScanned : 32

Infected : 0

Scanned registry keys summaryScanned : 315

Infected : 0

Scanned cookies summaryScanned : 1

Infected : 0

Remaining issues:Object Name Threat Name Final Status

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP26\A0001068.exe=](NSIS o)=]zlib_nsis0001 Adware.Purityscan.BH Delete Failed (file was in an archive)

[system]=]HKEY_USERS\S-1-5-21-602162358-448539723-839522115-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Dnec=]C:\PROGRA~1\FNTS~1\DLLHOST.EXE Trojan.Dropper.Vundo.D No action was possible

Resolved issues:Object Name Threat Name Final Status

C:\Program Files\Fоnts\dllhost.exe Trojan.Dropper.Vundo.D Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0001030.exe Trojan.Dropper.Vundo.D Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0001034.exe Trojan.Dropper.Vundo.D Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP26\A0001056.exe Trojan.Dropper.Vundo.D Deleted

C:\WINDOWS\system32\gebyv.exe Trojan.Dropper.Vundo.D Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0000972.dll Trojan.Vundo.DXZ Deleted

C:\WINDOWS\system32\mukhnhbe.dll Trojan.Vundo.DYE Deleted

C:\WINDOWS\system32\tcpisdcj.dll Trojan.Vundo.DYE Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0001012.dll Trojan.Vundo.DYI Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP20\A0000684.dll Trojan.Vundo.Gen.2 Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP20\A0000688.dll Trojan.Vundo.Gen.2 Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0000995.dll Trojan.Vundo.Gen.2 Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP25\A0001026.dll Trojan.Vundo.Gen.2 Deleted

C:\System Volume Information\_restore{3098B25E-143F-4735-B418-EBC0C95D11C8}\RP6\A0000131.dll Trojan.Vundo.Gen.2 Deleted

C:\WINDOWS\system32\htftvcfc.dll Trojan.Vundo.Gen.2 Deleted

C:\WINDOWS\system32\kivcityr.dll Trojan.Vundo.Gen.2 Deleted

C:\WINDOWS\system32\lckulvtd.dll Trojan.Vundo.Gen.2 Deleted

C:\WINDOWS\system32\oqbtjacn.dll Trojan.Vundo.Gen.2 Deleted

C:\WINDOWS\system32\rcpaegqs.dll Trojan.Vundo.Gen.2 Deleted

C:\WINDOWS\system32\tcbjxthk.dll Trojan.Vundo.Gen.2 Deleted

farbar

Hi,

It seems you have a rouge product and a vundo infection, the Bitdefender removes the infection partly but it comes back again. I suggest you do the following:

Step 1.

Use one of these links to download the latest version of Smitfraudfix and save it to your desktop:

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

http://siri.geekstogo.com/SmitfraudFix.exe

Reboot your computer in Safe Mode (restart, before the Windows icon appears, tap the F8 key continually, and choose safe).

Double-click smitfraudfix.exe

Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Step 2.

You can download a Trend Micro Hijackthis installer from here:

http://www.trendsecure.com/portal/en-US/to...ckthis/download

Install it, run it and click Do a system scan and save a logfile.

Please post the content of the logfile and the Smitfraud log into your next reply.

taralynne193

I cannot thank you enough for your help!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:21:48 PM, on 2/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Common Files\?ymbols\?hkdsk.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O3 - Toolbar: iGamebar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD34} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [bMfb5a589f] Rundll32.exe "C:\WINDOWS\system32\mpjxvcpl.dll",s

O4 - HKCU\..\Run: [Cgdsn] "C:\Program Files\Common Files\?ymbols\?hkdsk.exe"

O4 - HKCU\..\Run: [Dnec] "C:\PROGRA~1\FNTS~1\dllhost.exe" -vt ndrv

O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

End of file - 4972 bytes

SmitFraudFix v2.281

Scan done at 21:52:26.90, Thu 02/07/2008

Run from C:\Documents and Settings\Tara\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted

C:\WINDOWS\Tasks\At??.job Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2E65142F-00F9-4322-B566-7E9CABC1031C}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{455F4BE7-04A5-478F-91A1-9FA0ABD29EEF}: DhcpNameServer=68.87.64.146 68.87.75.194

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B3FB704D-7132-4862-AE95-26D46021871B}: DhcpNameServer=71.250.0.12 71.242.0.12

HKLM\SYSTEM\CS1\Services\Tcpip\..\{2E65142F-00F9-4322-B566-7E9CABC1031C}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{455F4BE7-04A5-478F-91A1-9FA0ABD29EEF}: DhcpNameServer=68.87.64.146 68.87.75.194

HKLM\SYSTEM\CS1\Services\Tcpip\..\{B3FB704D-7132-4862-AE95-26D46021871B}: DhcpNameServer=71.250.0.12 71.242.0.12

HKLM\SYSTEM\CS3\Services\Tcpip\..\{2E65142F-00F9-4322-B566-7E9CABC1031C}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{455F4BE7-04A5-478F-91A1-9FA0ABD29EEF}: DhcpNameServer=68.87.64.146 68.87.75.194

HKLM\SYSTEM\CS3\Services\Tcpip\..\{B3FB704D-7132-4862-AE95-26D46021871B}: DhcpNameServer=71.250.0.12 71.242.0.12

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.64.146 68.87.75.194

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

farbar

I suggest the following:

Step1.

Download ComboFix.exe to your desktop using this link:

bleepingcomputer
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. After Combofix is finished turn on/enable your anti virus again.
Double click on combofix.exe to run the programme & then follow the prompts.

When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") into your next post. If combofix.txt contains a long list of deleted pos*.tmp files remove all but a few pos.tmp from the log (leave a few from each directory so that I kan see where they were created) and then copy and paste the log.
ComboFix may need to reboot to finish its work. Let it.
Note:Do not mouseclick combofix's window while it's running. That may cause it to stall

Combofix should not take more than 20 minutes if malware is detected.If it does, open task-manager (press ctrl+alt+del) select and end any processes of findstr.exe, find.exe, send.exe or swreg.exe, then combofix should continue.

Step 2.

Make and post a fresh HJT log too.

taralynne193

Thank you again!!

ComboFix 08-02.05.3 - Tara 2008-02-09 11:59:37.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.301 [GMT -5:00]

Running from: C:\Documents and Settings\Tara\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:15, on 2008-02-09

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {178CC096-4EF6-4975-9216-13BBFEE504B8} - C:\WINDOWS\system32\gebyv.dll (file missing)

O2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

O2 - BHO: {cde6449a-da87-d269-1454-88370f453535} - {535354f0-7388-4541-962d-78ada9446edc} - C:\WINDOWS\system32\admkmbgs.dll (file missing)

O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD34} - (no file)

O4 - HKCU\..\Run: [Cgdsn] "C:\Program Files\Common Files\?ymbols\?hkdsk.exe"

O4 - HKCU\..\Run: [Dnec] "C:\PROGRA~1\FNTS~1\dllhost.exe" -vt ndrv

O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O20 - Winlogon Notify: mdwmui - mdwmui.dll (file missing)