
Author Topic: Virus issues, Downloader, Trojan.Vundo, Trojan Horse  (Read 31860 times)


queenbunnywitch

    Topic Starter


    Beginner

    Virus issues, Downloader, Trojan.Vundo, Trojan Horse
    « on: September 20, 2007, 09:54:56 PM »
    Okay, for the past few days I've been having issues with these viruses. I have seen posts here before asking about how to get rid of the same things, but since I have those 3 I don't know if there is a better way to do this.

    I keep getting random pop-ups. I tried downloading VundoFix, but it keeps coming back, of course. I ran Spybot Search & Destroy and the same thing happens.

    The anti-virus I'm using is Norton AntiVirus Corporate Edition, full version 7.60.926, if that's even necessary. It is up to date, and the description it gives me for each one is:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\07RJ2CT1\valera[1]
    Location: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\07RJ2CT1
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Wed Sep 19 23:37:08 2007

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan.Vundo
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\CHER4DUR\lkjh[1]
    Location: Quarantine
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Wed Sep 19 23:37:10 2007

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan Horse
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\OTMJGPEZ\jaun_20070726[1]
    Location: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\OTMJGPEZ
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Wed Sep 19 23:41:13 2007

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\WLMJK1MF\valera[1]
    Location: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\WLMJK1MF
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Wed Sep 19 23:59:25 2007

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan.Vundo
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\YJG7J0TO\lkjh[1]
    Location: Quarantine
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Thu Sep 20 00:01:59 2007


    I really don't know what to do, help would be greatly appreciated.


    Okay, now it's saying:

    "Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan.Vundo
    File: C:\WINDOWS\system32\byxxutr.dll
    Location: C:\WINDOWS\system32
    Computer: STARRSCOMPUTER
    User: SYSTEM
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Thu Sep 20 00:15:34 2007"

    I've tried deleting the byxxutr.dll file, but it always says it's busy.


    I posted the same thing at another forum but got no help; you guys are usually great, so I decided to post here too.

    unlovedwarrior



      Guru

    • someday this name will be known
    • Thanked: 13
      Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
      « Reply #1 on: September 20, 2007, 10:10:49 PM »
      They are all in the temp files, so try using CCleaner to remove them.

      Then rescan.


      Then have a read here and then here.

      And for the last one, download Pocket Killbox and check "Delete on reboot".

      queenbunnywitch


        Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
        « Reply #2 on: September 21, 2007, 05:31:43 PM »
        Okay, I'm just waiting for my Saviour PC registration to complete and I'll download that stuff. Thanks for your help.

        I hope it works *fingers crossed*. If it doesn't... I'll be back.

        unlovedwarrior



          Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
          « Reply #3 on: September 21, 2007, 05:47:45 PM »
          You don't have to be a member, but it's a good idea. Hope it helps.

          queenbunnywitch


            Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
            « Reply #4 on: September 21, 2007, 06:01:39 PM »
            Well, I went to http://www.saviour-pc.com/forums/view.php?pg=malware_guide and all the links to stuff are blocked until my account is activated. They still haven't sent me the email yet, so I guess I should see if they can resend it.


            Okay okay, my n00b is showing: I needed to check my junk inbox.

            Registration complete... now for the downloads of stuff.

            unlovedwarrior



              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
              « Reply #5 on: September 21, 2007, 06:13:53 PM »
              It's ok. Let us know what it finds.

              queenbunnywitch


                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                « Reply #6 on: September 21, 2007, 08:54:47 PM »
                Okay, I think everything deleted except for that pesky byxxutr.dll file. I tried it in Killbox, and Killbox deleted the rkcmiaiq.exe file, so I know it works. When I tried deleting byxxutr.dll on reboot it gave me the error message "PendingFileRenameOperationsRegistryData has been Removed by External Process!", then the Start menu went away and I had to restart with the Task Manager. Any other suggestions?

                unlovedwarrior



                  Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                  « Reply #7 on: September 21, 2007, 09:08:52 PM »
                  Try this, picking the link closest to you, and also try this one (follow the instructions on this site and post the log it makes). Run both in safe mode, and run them a couple of times to make sure it got all of it.

                  queenbunnywitch


                    Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                    « Reply #8 on: September 21, 2007, 09:54:00 PM »
                    Alright, I'm on it! Thanks again, I'll keep you posted!

                    unlovedwarrior



                      Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                      « Reply #9 on: September 21, 2007, 09:54:47 PM »
                      OK, those should get it.

                      queenbunnywitch


                        Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                        « Reply #10 on: September 21, 2007, 10:19:11 PM »
                        Okay, both links sent me to the same thing... did I do something wrong? Nevertheless, I ran that VundoFix program in safe mode and got the log from C:\VundoFix.txt:


                        VundoFix V6.5.8

                        Checking Java version...

                        Scan started at 11:08:15 PM 9/19/2007

                        Listing files found while scanning....

                        C:\windows\system32\dhnuwfxn.ini
                        C:\WINDOWS\system32\nxfwunhd.dll

                        Beginning removal...

                         Attempting to delete C:\windows\system32\dhnuwfxn.ini
                        C:\windows\system32\dhnuwfxn.ini Has been deleted!

                         Attempting to delete C:\WINDOWS\system32\nxfwunhd.dll
                        C:\WINDOWS\system32\nxfwunhd.dll Has been deleted!

                        Performing Repairs to the registry.
                        Done!

                        VundoFix V6.5.8

                        Checking Java version...

                        Scan started at 11:04:12 PM 9/21/2007

                        Listing files found while scanning....

                        C:\windows\system32\kxxekjqp.ini
                        C:\WINDOWS\system32\mfursams.dll
                        C:\windows\system32\pqjkexxk.dll

                        Beginning removal...

                         Attempting to delete C:\windows\system32\kxxekjqp.ini
                        C:\windows\system32\kxxekjqp.ini Has been deleted!

                         Attempting to delete C:\windows\system32\pqjkexxk.dll
                        C:\windows\system32\pqjkexxk.dll Has been deleted!

                        Performing Repairs to the registry.
                        Done!


                        That byxxutr.dll isn't in there and I'm still getting pop-ups... should I run it in safe mode again?

                        unlovedwarrior



                          Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                          « Reply #11 on: September 21, 2007, 10:24:47 PM »
                          http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

                          Now reboot into Safe Mode.


                          This can be done by tapping the F8 key as soon as you start your computer.


                          You will be brought to a menu where you can choose to boot into safe mode.


                          Select Safe Mode with Networking using the arrow keys on your keyboard and then press Enter.


                          When your computer reaches the desktop, make sure you log in as the same user who performed the previous steps.


                          Once you are logged into safe mode, double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.


                          Exit when it has finished, and reboot back to normal mode.

                          Then download HijackThis and post a log; it might take more than one post.

                          I've got to go, so if that doesn't work then hopefully another member can pick up where I left off.

                          queenbunnywitch


                            Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                            « Reply #12 on: September 21, 2007, 10:38:02 PM »
                            Thanks for all your help!

                            Okay, went into Safe Mode with Networking and ran that VirtumundoBeGone file, followed the instructions and it forced me to reboot right away; then my computer restarted and this txt file was on my desktop.


                            [09/21/2007, 23:31:38] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\starrs crap\Desktop\VirtumundoBeGone.exe" )
                            [09/21/2007, 23:31:46] - Detected System Information:
                            [09/21/2007, 23:31:46] -  Windows Version: 5.1.2600, Service Pack 2
                            [09/21/2007, 23:31:46] -  Current Username: starrs crap (Admin)
                            [09/21/2007, 23:31:46] -  Windows is in SAFE mode.
                            [09/21/2007, 23:31:46] - Searching for Browser Helper Objects:
                            [09/21/2007, 23:31:46] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  No filename found. Continuing.
                            [09/21/2007, 23:31:46] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
                            [09/21/2007, 23:31:46] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
                            [09/21/2007, 23:31:46] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
                            [09/21/2007, 23:31:46] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
                            [09/21/2007, 23:31:46] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
                            [09/21/2007, 23:31:46] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  No filename found. Continuing.
                            [09/21/2007, 23:31:46] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
                            [09/21/2007, 23:31:46] -  BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
                            [09/21/2007, 23:31:46] -  BHO 9: {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\byxxutr
                            [09/21/2007, 23:31:46] -  Found: HKLM\...\Winlogon\Notify\byxxutr - This is probably Virtumundo.
                            [09/21/2007, 23:31:46] -  Assigning {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} MSEvents Object
                            [09/21/2007, 23:31:46] - BHO list has been changed! Starting over...
                            [09/21/2007, 23:31:46] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  No filename found. Continuing.
                            [09/21/2007, 23:31:46] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
                            [09/21/2007, 23:31:46] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
                            [09/21/2007, 23:31:46] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
                            [09/21/2007, 23:31:46] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
                            [09/21/2007, 23:31:46] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
                            [09/21/2007, 23:31:46] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  No filename found. Continuing.
                            [09/21/2007, 23:31:46] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
                            [09/21/2007, 23:31:46] -  BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
                            [09/21/2007, 23:31:46] -  BHO 9: {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} (MSEvents Object)
                            [09/21/2007, 23:31:46] - ALERT: Found MSEvents Object!
                            [09/21/2007, 23:31:46] -  BHO 10: {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\mkxxishd
                            [09/21/2007, 23:31:46] -  Key not found: HKLM\...\Winlogon\Notify\mkxxishd, continuing.
                            [09/21/2007, 23:31:46] -  BHO 11: {F8767C29-B0B3-4384-BFFA-1BBA8758B99E} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\mllmm
                            [09/21/2007, 23:31:46] -  Key not found: HKLM\...\Winlogon\Notify\mllmm, continuing.
                            [09/21/2007, 23:31:46] - Finished Searching Browser Helper Objects
                            [09/21/2007, 23:31:46] - *** Detected MSEvents Object
                            [09/21/2007, 23:31:46] - Trying to remove MSEvents Object...
                            [09/21/2007, 23:31:47] -    Terminating Process: IEXPLORE.EXE
                            [09/21/2007, 23:31:47] -    Terminating Process: RUNDLL32.EXE
                            [09/21/2007, 23:31:48] -    Disabling Automatic Shell Restart
                            [09/21/2007, 23:31:48] -    Terminating Process: EXPLORER.EXE
                            [09/21/2007, 23:31:48] -    Suspending the NT Session Manager System Service
                            [09/21/2007, 23:31:48] -    Terminating Windows NT Logon/Logoff Manager
                            [09/21/2007, 23:31:48] -    Re-enabling Automatic Shell Restart
                            [09/21/2007, 23:31:48] -   File to disable: C:\WINDOWS\system32\byxxutr.dll
                            [09/21/2007, 23:31:48] -  Renaming C:\WINDOWS\system32\byxxutr.dll -> C:\WINDOWS\system32\byxxutr.dll.vir
                            [09/21/2007, 23:31:48] -  File successfully renamed!
                            [09/21/2007, 23:31:48] -   Removing HKLM\...\Browser Helper Objects\{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}
                            [09/21/2007, 23:31:48] -   Removing HKCR\CLSID\{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}
                            [09/21/2007, 23:31:48] -   Adding Kill Bit for ActiveX for GUID: {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}
                            [09/21/2007, 23:31:48] -   Deleting ATLEvents/MSEvents Registry entries
                            [09/21/2007, 23:31:48] -   Removing HKLM\...\Winlogon\Notify\byxxutr
                            [09/21/2007, 23:31:48] - Searching for Browser Helper Objects:
                            [09/21/2007, 23:31:48] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  No filename found. Continuing.
                            [09/21/2007, 23:31:48] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
                            [09/21/2007, 23:31:48] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
                            [09/21/2007, 23:31:48] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
                            [09/21/2007, 23:31:48] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
                            [09/21/2007, 23:31:48] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
                            [09/21/2007, 23:31:48] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  No filename found. Continuing.
                            [09/21/2007, 23:31:48] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
                            [09/21/2007, 23:31:48] -  BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
                            [09/21/2007, 23:31:48] -  BHO 9: {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  Checking for HKLM\...\Winlogon\Notify\mkxxishd
                            [09/21/2007, 23:31:48] -  Key not found: HKLM\...\Winlogon\Notify\mkxxishd, continuing.
                            [09/21/2007, 23:31:48] -  BHO 10: {F8767C29-B0B3-4384-BFFA-1BBA8758B99E} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  Checking for HKLM\...\Winlogon\Notify\mllmm
                            [09/21/2007, 23:31:48] -  Key not found: HKLM\...\Winlogon\Notify\mllmm, continuing.
                            [09/21/2007, 23:31:48] - Finished Searching Browser Helper Objects
                            [09/21/2007, 23:31:48] - Finishing up...
                            [09/21/2007, 23:31:48] - A restart is needed.
                            [09/21/2007, 23:32:00] - Attempting to Restart via STOP error (Blue Screen!)


                            And then a pop-up box came up and said something about recovering from a serious error.

                            I'm going to go to HijackThis and post a log in a bit.

                            queenbunnywitch


                              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                              « Reply #13 on: September 21, 2007, 10:51:36 PM »
                              Okay, here's my HijackThis log.

                              Logfile of HijackThis v1.99.1
                              Scan saved at 11:49:11 PM, on 9/21/2007
                              Platform: Windows XP SP2 (WinNT 5.01.2600)
                              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                              Running processes:
                              C:\WINDOWS\System32\smss.exe
                              C:\WINDOWS\system32\winlogon.exe
                              C:\WINDOWS\system32\services.exe
                              C:\WINDOWS\system32\lsass.exe
                              C:\WINDOWS\system32\svchost.exe
                              C:\WINDOWS\System32\svchost.exe
                              C:\WINDOWS\system32\svchost.exe
                              C:\WINDOWS\system32\spoolsv.exe
                              C:\WINDOWS\Explorer.EXE
                              C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                              C:\Program Files\NavNT\defwatch.exe
                              C:\Program Files\NavNT\rtvscan.exe
                              C:\WINDOWS\system32\nvsvc32.exe
                              C:\WINDOWS\System32\svchost.exe
                              C:\Program Files\Viewpoint\Common\ViewpointService.exe
                              C:\WINDOWS\system32\MsgSys.EXE
                              C:\Program Files\NavNT\vptray.exe
                              C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                              C:\WINDOWS\System32\ezSP_Px.exe
                              C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                              C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
                              C:\Program Files\Logitech\MouseWare\system\em_exec.exe
                              C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                              C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                              C:\WINDOWS\system32\WgaTray.exe
                              C:\Program Files\NavNT\bak\vptray.exe
                              C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
                              c:\program files\internet explorer\iexplore.exe
                              C:\Program Files\analyse\analyse.exe

                              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firstdatajobs.com/
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                              O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
                              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                              O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                              O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                              O2 - BHO: (no name) - {A07C23E2-50F5-4C49-858D-684BE62D641F} - C:\WINDOWS\system32\mllmm.dll
                              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                              O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                              O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\mkxxishd.dll
                              O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                              O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                              O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
                              O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                              O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
                              O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
                              O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
                              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
                              O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
                              O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\bak\qttask.exe" -atboottime
                              O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
                              O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
                              O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
                              O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\gfqticvu.dll",sitypnow
                              O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
                              O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
                              O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                              O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                              O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                              O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O15 - Trusted Zone: *.whataboutadog.com
                              O15 - Trusted Zone: *.whataboutarabit.com
                              O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
                              O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
                              O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
                              O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
                              O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
                              O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/239ebff5dd55e2868019/netzip/RdxIE601.cab
                              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190263651562
                              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190263605609
                              O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
                              O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
                              O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
                              O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/popinsaniquarium/popcaploader_v10.cab
                              O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
                              O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                              O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                              O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
                              O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                              O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
                              O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
                              O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                              O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                              O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
                              O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rkcmiaiq.exe (file missing)
                              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
                              O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
                              O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
                              O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
                              O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
                              O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
                              O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


                              CBMatt

                              • Mod & Malware Specialist


                              • Prodigy

                              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                              « Reply #14 on: September 22, 2007, 05:25:59 AM »
                              Nice work so far, unlovedwarrior.

                              queenbunnywitch,
                              Go ahead and give VundoFix another shot.  It sometimes takes a few tries to fully clear out the infection.  You should then address your HJT log...  Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

                              O2 - BHO: (no name) - {A07C23E2-50F5-4C49-858D-684BE62D641F} - C:\WINDOWS\system32\mllmm.dll
                              O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\mkxxishd.dll

                              O15 - Trusted Zone: *.whataboutadog.com
                              O15 - Trusted Zone: *.whataboutarabit.com

                              O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

                              O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rkcmiaiq.exe (file missing)


                              Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

                              Navigate to and delete the following file(s) if present...

                              C:\WINDOWS\system32\mkxxishd.dll
                              C:\WINDOWS\system32\mllmm.dll
                              C:\WINDOWS\system32\rkcmiaiq.exe


                              Once you've done all of this, reboot into Normal Mode and post a new HijackThis log because there will probably be a few more things we need to address.
                              An undefined problem has an infinite number of solutions.
                              —Robert A. Humphrey
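As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage script that applies the same checks CBMatt used when picking entries out of the log above: no-name O2 BHOs, O15 Trusted Zone additions, an O16 DPF entry with no download URL, and an O23 service whose file is missing. The sample lines are copied from the log in this thread; the severity labels and the "unknown owner" check are my own assumptions, not a HijackThis rule.

```python
import re

# Sample lines constructed from the HijackThis log posted in this thread (not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A07C23E2-50F5-4C49-858D-684BE62D641F} - C:\WINDOWS\system32\mllmm.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190263651562
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rkcmiaiq.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Every HJT entry starts with a section tag such as O2, O16, O23 followed by " - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")


def triage_line(line):
    """Return (section, [(severity, reason), ...]) for one HJT line, or None if it is not an O-entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    findings = []
    if section == "O2" and body.startswith("BHO: (no name)"):
        findings.append(("high", "BHO with no name"))
    if section == "O15":
        findings.append(("high", "domain added to IE Trusted Zone"))
    if section == "O16" and body.endswith(" -"):
        findings.append(("high", "DPF entry with no download URL"))
    if section == "O23" and "Unknown owner" in body:
        # Assumed heuristic: legitimate drivers also show this, so it is only a low-severity note.
        findings.append(("low", "service with unknown owner; verify the vendor"))
    if "(file missing)" in body:
        findings.append(("high", "referenced file is missing"))
    return section, findings


def triage_log(text):
    """Return only the entries that raised at least one finding, keyed by the raw line."""
    report = {}
    for line in text.splitlines():
        result = triage_line(line)
        if result and result[1]:
            report[line.strip()] = result[1]
    return report


if __name__ == "__main__":
    for raw, findings in triage_log(SAMPLE_LOG).items():
        worst = "high" if any(sev == "high" for sev, _ in findings) else "low"
        print(f"[{worst}] {raw}")
        for _, reason in findings:
            print(f"      - {reason}")
```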