Help removing Winlogon notify entries

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by v908, Jul 8, 2005.

  1. v908

    v908 Private E-2

    I am attempting to clean up a PC that was badly infected with viruses, trojans, and various malware. Actually, the process has gone quite well and nearly everything has been restored/cleaned. I've run all the cleanup software (Ad-aware, Spybot S&D, etc.), and have Microsoft Anti-spyware current and running (no items detected during daily scans), have upgraded to SP2 and have the firewall running, have Norton Antivirus 2005 installed and up-to-date (no items detected during daily scans), etc. However, there are three entries in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify that simply won't go away. If I delete them manually with Regedit, or with HijackThis, they immediately come back. Obviously, something running on the system is restoring them. This even happens in Safe Mode. The entries all point to non-existent .dat files named the reverse of the entry names (e.g., mocitna.dat for anticom, sarlld.dat for dllras, etc.). I have verified (repeatedly) that the .dat files don't exist, but cannot get these entries to stop generating. At this point, I'm not sure it's doing any harm, but I'd like to sort it out just to make sure the system is clean. The other entries in HijackThis (v1.99.1) seem okay, but these three are the ones that won't go away:

    O20 - Winlogon Notify: anticom - C:\DOCUME~1\SANDRA\LOCALS~1\Temp\mocitna.dat
    O20 - Winlogon Notify: dllras - C:\DOCUME~1\SANDRA\LOCALS~1\Temp\sarlld.dat
    O20 - Winlogon Notify: infodrv - C:\DOCUME~1\SANDRA\LOCALS~1\Temp\vrdofni.dat

    Any help you can provide would be greatly appreciated. Thanks!
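As an added example (not code from the thread, from HijackThis, or from any tool named in it), the Python script below parses O20 lines from a HijackThis log and flags the traits v908 describes: a file name that is the entry name spelled backwards, a target under a user's Temp folder, and a non-DLL target outside system32. The sample log is constructed from the three entries posted above plus one made-up benign line (ExampleNotify / examplenotify.dll are placeholders, not real package names).

```python
import ntpath
import re

# Constructed sample log: the poster's three O20 lines plus one made-up,
# benign-looking entry (ExampleNotify is a placeholder, not a real package).
SAMPLE_LOG = """\
O20 - Winlogon Notify: anticom - C:\\DOCUME~1\\SANDRA\\LOCALS~1\\Temp\\mocitna.dat
O20 - Winlogon Notify: dllras - C:\\DOCUME~1\\SANDRA\\LOCALS~1\\Temp\\sarlld.dat
O20 - Winlogon Notify: infodrv - C:\\DOCUME~1\\SANDRA\\LOCALS~1\\Temp\\vrdofni.dat
O20 - Winlogon Notify: ExampleNotify - C:\\WINDOWS\\system32\\examplenotify.dll
"""

# HijackThis O20 format: "O20 - Winlogon Notify: <subkey name> - <DllName path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)\s*$")


def parse_o20(log_text):
    """Return (entry_name, dll_path) pairs for every O20 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("path")))
    return entries


def suspicious_traits(name, path):
    """List the reasons an entry resembles the self-restoring ones in the thread."""
    reasons = []
    stem, ext = ntpath.splitext(ntpath.basename(path))  # ntpath handles C:\ paths on any OS
    lowered = path.lower()
    if stem.lower() == name.lower()[::-1]:
        reasons.append("file name is the entry name reversed")
    if "\\temp\\" in lowered or "\\locals~1\\" in lowered:
        reasons.append("target lives under a user Temp folder")
    if ext.lower() != ".dll":
        reasons.append(f"target is not a .dll ({ext or 'no extension'})")
    if "\\system32\\" not in lowered:
        reasons.append("target is outside %SystemRoot%\\system32")
    return reasons


def audit(log_text):
    """Map each O20 entry name to its list of suspicious traits (empty = nothing unusual)."""
    return {name: suspicious_traits(name, path) for name, path in parse_o20(log_text)}


if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE_LOG).items():
        print(f"{entry}: {'; '.join(reasons) or 'nothing unusual'}")
```

A Winlogon Notify package that is legitimate is normally a .dll under system32, so an entry with several of these traits is worth checking for a process that keeps rewriting the key rather than deleting it once more.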
     
  2. v908

    v908 Private E-2

    Oh, by the way, I know this smells like Vundo, but none of the CATLEvents BHOs or RUN entries are there. The only keys that show up in HijackThis are the three I listed in my post. It may be a partial Vundo infection (in which case, I hope I somewhat neutered it), but I can't root out this last bit...
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. v908

    v908 Private E-2

    Yep! The Symantec tool didn't find the virus (I ran it both in regular mode and safe mode), and the other steps I tried (I didn't try ALL the older solutions yet) didn't do the trick either. I am running ewido now. In normal mode it found lots of stuff, but upon reboot I'm now getting attempted changes to my registry (start page redirects, changes to local zone, etc.). I am rebooting into safe mode and trying ewido again...
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you still need help, please follow the steps below exactly:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  6. v908

    v908 Private E-2

    To make a long story short... When I ran ewido in normal mode it found a bunch of stuff, including the "hidden" files referenced by the Winlogon Notify entries (though they were still in the registry). After running ewido in safe mode (second time) and finding nothing, I did a normal reboot only to have a bunch of stuff try to re-insert itself (IBIS Toolbar, Huntbar, 180Solutions...) -- but MS anti-spyware caught and deleted it all (supposedly). I went back into safe mode and ran all the various tools I've got (cwshredder, stringer, kill2me, about:Buster, HSremove, Spybot S&D, Ad-aware, ewido, and MS anti-spyware). Except for some minor tracking cookies, everything came up clean. I did a normal reboot and IBIS and Huntbar tried to install again. MS Anti-spyware said it deleted them. I did another Ad-aware/Spybot/Anti-spyware pass and came up clean so I rebooted and this time no alarms. I rebooted again and everything SEEMS to be clean.

    So, as of now, it seems like ewido took care of the remaining Vundo stuff and the various other tools managed to clean everything else (I hope). I am attaching the latest Hijack log for your expert opinion... =o)
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean of malware, but you can have HJT fix the below:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    It is left over from running HSremove which you did not need to run.
     
  8. v908

    v908 Private E-2

    Thanks. I'm still chasing down one last item... Periodically, when I reboot or log in as a different user (there are four accounts on this PC), either Search3 Search Bar or IBIS Toolbar tries to get installed upon startup. MS Anti-spyware always catches and cleans it, but I can't figure out where it's coming from. Subsequent scans with Norton 2005, MS Anti-spyware, Spybot S&D, Ad-aware, and ewido all come up clean. Any ideas what infected component may still be trying to install these?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ ME FIRST steps should be run for all user accounts. After that if you still have problems for any accounts, post the HijackThis for the account having problems. If more than one has problems, start with one user account and work it until clean. Then we will move to the next one.
     
  10. v908

    v908 Private E-2

    Okay, the problem *seems* to be random, though it occurs with one account more than the others, so I'll start with that one. I can cycle through the accounts, logging out, then back into a different account several times without incident, then one time I'll get notified by MS Anti-spyware that something is trying to get installed (IBIS and 180solutions being the most common). I block the attempt and scan, but nothing else comes up (even when I double check with Norton, ewido, Spybot and Ad-aware). Then, it'll work fine for a while and sometime later, as I log into a different account, it'll pop up again.

    Anyway, here's the HJT log for the last account that was affected (see attached)... Thanks for your assistance.

    Oh, by the way, this is not the same PC as another problem I've been posting about. Two different PCs, two different problems. I didn't mean to cause any confusion... =o)
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This log is clean!
     
