Author Topic: A Virus Was Found!  (Read 23440 times)


Spiritsongs

Delf.aml
« Reply #30 on: December 05, 2007, 10:23:52 PM »
:) Hi Andrew:

Assuming you have the "aml" version of the Delf "infection", as stated by 4 antivirus scanners in the VirusTotal report, I have seen several malware fighters on different support forums recommend the use of the program @ http://users.telenet.be/marcvn/tools/win32delfkil.exe. This possibly will "work" IF you have an "older" version of Delf.

On one of the forums where the poster had "c:\cp1041.nls", similar to you, the forum moderator & malware fighter recommended to "reformat & reinstall", which is similar to what was recommended by the Microsoft Most Valuable Professional on the Aumha.net forums.

Offline oldman

Re: A Virus Was Found!
« Reply #31 on: December 05, 2007, 10:52:50 PM »
Hi Spiritsongs

Yes, it could come to that, just seeing what we can shake loose.

naturallygay

Re: A Virus Was Found!
« Reply #32 on: December 06, 2007, 06:32:51 PM »
The new ComboFix log:

ComboFix 07-12-02.7 - End User 2007-12-06 12:23:41.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.536 [GMT -5:00]
Running from: C:\Documents and Settings\End User\My Documents\AndrewI.exe
.

(((((((((((((((((((((((((   Files Created from 2007-11-06 to 2007-12-06  )))))))))))))))))))))))))))))))
.

2007-12-04 12:56 . 2007-12-04 12:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-04 12:55 . 2007-12-04 17:07   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2007-12-04 12:55 . 2007-12-04 12:55   <DIR>   d--------   C:\Documents and Settings\End User\Application Data\SUPERAntiSpyware.com
2007-12-04 12:40 . 2007-12-04 12:40   <DIR>   d--------   C:\Program Files\Trend Micro
2007-12-04 12:21 . 2007-12-04 12:21   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-04 12:21 . 2007-12-04 12:21   1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-04 12:19 . 2007-10-18 00:16   79,688   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-04 12:19 . 2007-10-18 00:15   62,280   --a------   C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-04 12:19 . 2007-10-18 00:14   41,288   --a------   C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-04 12:19 . 2007-10-18 00:16   29,000   --a------   C:\WINDOWS\system32\drivers\kcom.sys
2007-12-04 12:18 . 2007-12-06 12:14   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-12-04 12:18 . 2007-12-04 12:18   <DIR>   d--------   C:\Documents and Settings\End User\Application Data\PC Tools
2007-12-04 12:18 . 2005-09-23 08:29   626,688   --a------   C:\WINDOWS\system32\msvcr80.dll
2007-11-30 14:53 . 2007-11-30 16:25   <DIR>   d--------   C:\suspect
2007-11-30 14:53 . 2007-11-30 14:53   <DIR>   d--------   C:\Documents and Settings\End User\Application Data\Grisoft
2007-11-30 14:52 . 2007-11-30 14:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-30 14:52 . 2007-05-30 07:10   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 17:54   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-11-15 01:47   ---------   d-----w   C:\Documents and Settings\End User\Application Data\Xfire
2007-11-11 19:39   58,032   ----a-w   C:\Documents and Settings\End User\Application Data\GDIPFONTCACHEV1.DAT
2007-10-28 01:20   ---------   d-----w   C:\Program Files\SwiftSwitch
2007-10-25 12:55   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\SwiftSwitch
2007-10-23 16:39   ---------   d-----w   C:\Program Files\Java
2007-10-22 15:43   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-10-22 15:43   ---------   d-----w   C:\Program Files\Acclaim
2007-10-21 14:55   ---------   d-----w   C:\Documents and Settings\End User\Application Data\Snapfish
2007-10-19 17:09   ---------   d-----w   C:\Program Files\World of Warcraft
2007-10-09 00:05   ---------   d-s---w   C:\Program Files\Xfire
2004-10-01 20:00   40,960   ----a-w   C:\Program Files\Uninstall_CDS.exe
.

(((((((((((((((((((((((((((((   snapshot@2007-12-04_17.22.47.18   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-06 16:54:59   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_664.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 08:42]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 20:07 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-02-13 08:05 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 20:07 C:\WINDOWS\system32\rundll32.exe]
"GameFace Messenger"="C:\Program Files\GameFace Messenger\GameFace.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 02:08 C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-08 04:00]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 19:34]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 16:52]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 10:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

C:\Documents and Settings\End User\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-10-02 18:56:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 18:06:54]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

S1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb32.sys
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-08-31 12:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 12:27:43
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-06 12:29:32
C:\ComboFix2.txt ... 2007-12-06 12:17
C:\ComboFix3.txt ... 2007-12-04 18:30
.
   --- E O F ---

Offline oldman

Re: A Virus Was Found!
« Reply #33 on: December 06, 2007, 06:56:19 PM »
Well other than the 3 vundo files, the log is the same as your first.

Whatever is there is very well hidden.

We'll see if we can come up with something else.

Offline essexboy

Re: A Virus Was Found!
« Reply #34 on: December 06, 2007, 10:37:47 PM »
Let's do a deep search of your processes and files and see if that can find it.

  • Download avz4en.zip from here.
  • Save it to your desktop and unzip it to a folder on your desktop.
  • Double click on AVZ.exe to run it.
  • On the search range tab, select ALL drives that are connected by placing a tick alongside them.
  • Choose from the menu "File" => "System Investigation".
  • Close all windows except for AVZ.
  • Click on "Start" and save the report to your desktop.
  • Let the scan run and click "No" on the right when it asks you if you want to view it.
  • Upload the report you saved on your desktop onto this site in your next reply. The report is called avz sysinfo.htm.
  • Ensure that when you upload the file, the file type in the attachment drop down box is set to HTM.