
Author Topic: Virus issues, Downloader, Trojan.Vundo, Trojan Horse  (Read 31899 times)


queenbunnywitch

    Topic Starter


    Beginner

    Virus issues, Downloader, Trojan.Vundo, Trojan Horse
    « on: September 20, 2007, 09:54:56 PM »
    Okay, for the past few days I've been having issues with these viruses. I have seen posts here before asking about how to get rid of the same things but since I have those 3 I don't know if there is a better way to do this.

    I keep getting random pop ups. I tried downloading VundoFix but it keeps coming back of course. I ran Spybot Search & destroy and the same thing happens.

    The Anti-Virus I'm using is Norton AntiVirus Corporate Edition Full version 7.60.926, if that's even necessary. It is up to date and the description it gives me for each one is:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\07RJ2CT1\valera[1]
    Location: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\07RJ2CT1
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Wed Sep 19 23:37:08 2007

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan.Vundo
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\CHER4DUR\lkjh[1]
    Location: Quarantine
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Wed Sep 19 23:37:10 2007

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan Horse
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\OTMJGPEZ\jaun_20070726[1]
    Location: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\OTMJGPEZ
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Wed Sep 19 23:41:13 2007

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\WLMJK1MF\valera[1]
    Location: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\WLMJK1MF
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Wed Sep 19 23:59:25 2007

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan.Vundo
    File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\YJG7J0TO\lkjh[1]
    Location: Quarantine
    Computer: STARRSCOMPUTER
    User: starrs crap
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Thu Sep 20 00:01:59 2007


    I really don't know what to do, help would be greatly appreciated.


    Okay, now it's saying

    "Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Trojan.Vundo
    File: C:\WINDOWS\system32\byxxutr.dll
    Location: C:\WINDOWS\system32
    Computer: STARRSCOMPUTER
    User: SYSTEM
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Thu Sep 20 00:15:34 2007"

    I've tried deleting the byxxutr.dll file but it always says it's busy.


    I posted the same thing at another forum but no help; you guys are usually great so I decided to post here too.

    unlovedwarrior



      Guru

    • someday this name will be known
    • Thanked: 13
      Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
      « Reply #1 on: September 20, 2007, 10:10:49 PM »
      They are all in the temp files, so try using CCleaner to remove them.

      Then rescan.

      Then have a read here and then here.

      And for the last one, download Pocket Killbox and check "Delete on Reboot".

      queenbunnywitch


        Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
        « Reply #2 on: September 21, 2007, 05:31:43 PM »
        Okay, I'm just waiting for my Saviour PC registration to complete and I'll download that stuff. Thanks for your help.

        I hope it works *fingers crossed*. If it doesn't... I'll be back.

        unlovedwarrior



          Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
          « Reply #3 on: September 21, 2007, 05:47:45 PM »
          You don't have to be a member, but it's a good idea. Hope it helps.

          queenbunnywitch


            Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
            « Reply #4 on: September 21, 2007, 06:01:39 PM »
            Well, I went to http://www.saviour-pc.com/forums/view.php?pg=malware_guide and all the links to stuff are blocked until my account is activated. They still haven't sent me the email yet, so I guess I should see if they can resend it.

            Okay okay, my n00b is showing; I needed to check my junk inbox.

            Registration complete... now for the downloads of stuff.

            unlovedwarrior



              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
              « Reply #5 on: September 21, 2007, 06:13:53 PM »
              It's OK. Let us know what it finds.

              queenbunnywitch


                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                « Reply #6 on: September 21, 2007, 08:54:47 PM »
                Okay, I think everything deleted except for that pesky byxxutr.dll file. I tried it in Killbox, and Killbox deleted the rkcmiaiq.exe file, so I know it works. When I tried deleting byxxutr.dll on reboot it gave me the error message "PendingFileRenameOperationsRegistryData has been Removed by External Process!", then the start menu went away and I had to restart with the Task Manager. Any other suggestions?

                unlovedwarrior



                  Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                  « Reply #7 on: September 21, 2007, 09:08:52 PM »
                  Try this (pick the link closest to you), and also try this one (follow the instructions on this site and post the log it makes), both in safe mode, and run them a couple of times to make sure it got all of it.

                  queenbunnywitch


                    Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                    « Reply #8 on: September 21, 2007, 09:54:00 PM »
                    Alright, I'm on it! Thanks again, I'll keep you posted!

                    unlovedwarrior



                      Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                      « Reply #9 on: September 21, 2007, 09:54:47 PM »
                      OK, those should get it.

                      queenbunnywitch


                        Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                        « Reply #10 on: September 21, 2007, 10:19:11 PM »
                        Okay, both links sent me to the same thing... did I do something wrong? Nevertheless, I ran that VundoFix program in safe mode and got the log from C:\VundoFix.txt


                        VundoFix V6.5.8

                        Checking Java version...

                        Scan started at 11:08:15 PM 9/19/2007

                        Listing files found while scanning....

                        C:\windows\system32\dhnuwfxn.ini
                        C:\WINDOWS\system32\nxfwunhd.dll

                        Beginning removal...

                         Attempting to delete C:\windows\system32\dhnuwfxn.ini
                        C:\windows\system32\dhnuwfxn.ini Has been deleted!

                         Attempting to delete C:\WINDOWS\system32\nxfwunhd.dll
                        C:\WINDOWS\system32\nxfwunhd.dll Has been deleted!

                        Performing Repairs to the registry.
                        Done!

                        VundoFix V6.5.8

                        Checking Java version...

                        Scan started at 11:04:12 PM 9/21/2007

                        Listing files found while scanning....

                        C:\windows\system32\kxxekjqp.ini
                        C:\WINDOWS\system32\mfursams.dll
                        C:\windows\system32\pqjkexxk.dll

                        Beginning removal...

                         Attempting to delete C:\windows\system32\kxxekjqp.ini
                        C:\windows\system32\kxxekjqp.ini Has been deleted!

                         Attempting to delete C:\windows\system32\pqjkexxk.dll
                        C:\windows\system32\pqjkexxk.dll Has been deleted!

                        Performing Repairs to the registry.
                        Done!


                        That byxxutr.dll isn't in there and I'm still getting pop-ups... should I run it in safe mode again?

                        unlovedwarrior



                          Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                          « Reply #11 on: September 21, 2007, 10:24:47 PM »
                          http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

                          Now reboot into Safe Mode.

                          This can be done by tapping the F8 key as soon as you start your computer.

                          You will be brought to a menu where you can choose to boot into safe mode.

                          Select Safe Mode with Networking using the arrow keys on the keyboard and then press Enter.

                          When your computer reaches the desktop, make sure you log in as the same user with which you performed the previous steps.

                          Once you are logged into safe mode, double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.

                          Exit when it has finished, and reboot back to normal mode.

                          Then download HijackThis and post a log; it might take more than one post.

                          I've got to go, so if that doesn't work then hopefully another member can pick up where I left off.

                          queenbunnywitch


                            Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                            « Reply #12 on: September 21, 2007, 10:38:02 PM »
                            Thanks for all your help!

                            Okay, went into Safe Mode with Networking and ran that VirtumundoBeGone file, followed the instructions and it forced me to reboot right away; then my computer restarted and this txt file was on my desktop.


                            [09/21/2007, 23:31:38] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\starrs crap\Desktop\VirtumundoBeGone.exe" )
                            [09/21/2007, 23:31:46] - Detected System Information:
                            [09/21/2007, 23:31:46] -  Windows Version: 5.1.2600, Service Pack 2
                            [09/21/2007, 23:31:46] -  Current Username: starrs crap (Admin)
                            [09/21/2007, 23:31:46] -  Windows is in SAFE mode.
                            [09/21/2007, 23:31:46] - Searching for Browser Helper Objects:
                            [09/21/2007, 23:31:46] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  No filename found. Continuing.
                            [09/21/2007, 23:31:46] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
                            [09/21/2007, 23:31:46] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
                            [09/21/2007, 23:31:46] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
                            [09/21/2007, 23:31:46] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
                            [09/21/2007, 23:31:46] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
                            [09/21/2007, 23:31:46] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  No filename found. Continuing.
                            [09/21/2007, 23:31:46] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
                            [09/21/2007, 23:31:46] -  BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
                            [09/21/2007, 23:31:46] -  BHO 9: {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\byxxutr
                            [09/21/2007, 23:31:46] -  Found: HKLM\...\Winlogon\Notify\byxxutr - This is probably Virtumundo.
                            [09/21/2007, 23:31:46] -  Assigning {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} MSEvents Object
                            [09/21/2007, 23:31:46] - BHO list has been changed! Starting over...
                            [09/21/2007, 23:31:46] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  No filename found. Continuing.
                            [09/21/2007, 23:31:46] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
                            [09/21/2007, 23:31:46] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
                            [09/21/2007, 23:31:46] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
                            [09/21/2007, 23:31:46] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
                            [09/21/2007, 23:31:46] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
                            [09/21/2007, 23:31:46] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  No filename found. Continuing.
                            [09/21/2007, 23:31:46] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
                            [09/21/2007, 23:31:46] -  BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
                            [09/21/2007, 23:31:46] -  BHO 9: {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} (MSEvents Object)
                            [09/21/2007, 23:31:46] - ALERT: Found MSEvents Object!
                            [09/21/2007, 23:31:46] -  BHO 10: {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\mkxxishd
                            [09/21/2007, 23:31:46] -  Key not found: HKLM\...\Winlogon\Notify\mkxxishd, continuing.
                            [09/21/2007, 23:31:46] -  BHO 11: {F8767C29-B0B3-4384-BFFA-1BBA8758B99E} ()
                            [09/21/2007, 23:31:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:46] -  Checking for HKLM\...\Winlogon\Notify\mllmm
                            [09/21/2007, 23:31:46] -  Key not found: HKLM\...\Winlogon\Notify\mllmm, continuing.
                            [09/21/2007, 23:31:46] - Finished Searching Browser Helper Objects
                            [09/21/2007, 23:31:46] - *** Detected MSEvents Object
                            [09/21/2007, 23:31:46] - Trying to remove MSEvents Object...
                            [09/21/2007, 23:31:47] -    Terminating Process: IEXPLORE.EXE
                            [09/21/2007, 23:31:47] -    Terminating Process: RUNDLL32.EXE
                            [09/21/2007, 23:31:48] -    Disabling Automatic Shell Restart
                            [09/21/2007, 23:31:48] -    Terminating Process: EXPLORER.EXE
                            [09/21/2007, 23:31:48] -    Suspending the NT Session Manager System Service
                            [09/21/2007, 23:31:48] -    Terminating Windows NT Logon/Logoff Manager
                            [09/21/2007, 23:31:48] -    Re-enabling Automatic Shell Restart
                            [09/21/2007, 23:31:48] -   File to disable: C:\WINDOWS\system32\byxxutr.dll
                            [09/21/2007, 23:31:48] -  Renaming C:\WINDOWS\system32\byxxutr.dll -> C:\WINDOWS\system32\byxxutr.dll.vir
                            [09/21/2007, 23:31:48] -  File successfully renamed!
                            [09/21/2007, 23:31:48] -   Removing HKLM\...\Browser Helper Objects\{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}
                            [09/21/2007, 23:31:48] -   Removing HKCR\CLSID\{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}
                            [09/21/2007, 23:31:48] -   Adding Kill Bit for ActiveX for GUID: {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}
                            [09/21/2007, 23:31:48] -   Deleting ATLEvents/MSEvents Registry entries
                            [09/21/2007, 23:31:48] -   Removing HKLM\...\Winlogon\Notify\byxxutr
                            [09/21/2007, 23:31:48] - Searching for Browser Helper Objects:
                            [09/21/2007, 23:31:48] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  No filename found. Continuing.
                            [09/21/2007, 23:31:48] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
                            [09/21/2007, 23:31:48] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
                            [09/21/2007, 23:31:48] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
                            [09/21/2007, 23:31:48] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
                            [09/21/2007, 23:31:48] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
                            [09/21/2007, 23:31:48] -  BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  No filename found. Continuing.
                            [09/21/2007, 23:31:48] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
                            [09/21/2007, 23:31:48] -  BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
                            [09/21/2007, 23:31:48] -  BHO 9: {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  Checking for HKLM\...\Winlogon\Notify\mkxxishd
                            [09/21/2007, 23:31:48] -  Key not found: HKLM\...\Winlogon\Notify\mkxxishd, continuing.
                            [09/21/2007, 23:31:48] -  BHO 10: {F8767C29-B0B3-4384-BFFA-1BBA8758B99E} ()
                            [09/21/2007, 23:31:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
                            [09/21/2007, 23:31:48] -  Checking for HKLM\...\Winlogon\Notify\mllmm
                            [09/21/2007, 23:31:48] -  Key not found: HKLM\...\Winlogon\Notify\mllmm, continuing.
                            [09/21/2007, 23:31:48] - Finished Searching Browser Helper Objects
                            [09/21/2007, 23:31:48] - Finishing up...
                            [09/21/2007, 23:31:48] - A restart is needed.
                            [09/21/2007, 23:32:00] - Attempting to Restart via STOP error (Blue Screen!)


                            And then a pop-up box came up and said something about recovering from a serious error.

                            I'm going to go to HijackThis and post a log in a bit.
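The check VirtumundoBeGone walks through in the log above (a Browser Helper Object with no default name whose DLL is also registered as a Winlogon\Notify package) can be reproduced offline over HijackThis-style O2/O20 lines. This is an added example, not the tool's or the poster's code; the sample lines are constructed from values in this thread, with the O20 line for byxxutr added to stand for the state before removal, and `parse_hjt`, `flag_vundo_pattern` and `triage` are names chosen here.

```python
r"""
Offline reproduction of the cross-check VirtumundoBeGone performs: walk
Internet Explorer's Browser Helper Objects, and for every BHO that has no
default (display) name, see whether a Winlogon\Notify package named after the
BHO's DLL exists.  Vundo/Virtumundo registers its randomly named system32 DLL
both ways; the Notify registration loads it into winlogon.exe, which is why
the file reports "busy" / "Access denied" on delete and survives a
delete-on-reboot.  Input is HijackThis-style O2 and O20 lines.
"""
import ntpath  # Windows path rules, so this also runs on Linux/macOS
import re
from dataclasses import dataclass

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


@dataclass
class Bho:
    clsid: str
    name: str   # "" when HijackThis prints "(no name)"
    dll: str    # "" when HijackThis prints "(no file)"


def parse_hjt(lines):
    """Collect O2 (BHO) entries and O20 (Winlogon Notify) packages from HijackThis lines."""
    bhos, notify = [], {}
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name = "" if m["name"] == "(no name)" else m["name"]
            path = "" if m["path"] == "(no file)" else m["path"]
            bhos.append(Bho(m["clsid"], name, path))
            continue
        m = O20_RE.match(line)
        if m:
            notify[m["key"].lower()] = m["path"]  # registry subkey names are case-insensitive
    return bhos, notify


def flag_vundo_pattern(bhos, notify):
    """Return (clsid, dll, notify_key) for each nameless BHO whose DLL is also a Winlogon Notify package.

    Mirrors the tool's log: a nameless BHO with no file is skipped ("No filename found"),
    a nameless BHO whose DLL has no Notify key is left alone ("Key not found", e.g. SDHelper),
    and a match is the "This is probably Virtumundo" case.
    """
    hits = []
    for b in bhos:
        if b.name or not b.dll:
            continue
        stem = ntpath.splitext(ntpath.basename(b.dll))[0].lower()
        if stem in notify:
            hits.append((b.clsid, b.dll, stem))
    return hits


# Constructed sample: O2 lines as they appear in this thread's HijackThis log,
# plus an O20 line for byxxutr representing the state before VirtumundoBeGone
# removed HKLM\...\Winlogon\Notify\byxxutr.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\byxxutr.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\mkxxishd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: byxxutr - C:\WINDOWS\system32\byxxutr.dll
"""


def triage(log_text=SAMPLE_LOG):
    """Parse a HijackThis log and return the BHO/Notify matches."""
    bhos, notify = parse_hjt(log_text.splitlines())
    return flag_vundo_pattern(bhos, notify)


if __name__ == "__main__":
    for clsid, dll, key in triage():
        print(f"Vundo pattern: BHO {clsid} -> {dll} (Winlogon\\Notify\\{key})")
```

On the sample only the byxxutr BHO is flagged: SDHelper and mkxxishd have no matching Notify key, and the file-less BHO is skipped, the same three outcomes the VirtumundoBeGone log prints.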

                            queenbunnywitch


                              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                              « Reply #13 on: September 21, 2007, 10:51:36 PM »
                              Okay, here's my HijackThis log.

                              Logfile of HijackThis v1.99.1
                              Scan saved at 11:49:11 PM, on 9/21/2007
                              Platform: Windows XP SP2 (WinNT 5.01.2600)
                              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                              Running processes:
                              C:\WINDOWS\System32\smss.exe
                              C:\WINDOWS\system32\winlogon.exe
                              C:\WINDOWS\system32\services.exe
                              C:\WINDOWS\system32\lsass.exe
                              C:\WINDOWS\system32\svchost.exe
                              C:\WINDOWS\System32\svchost.exe
                              C:\WINDOWS\system32\svchost.exe
                              C:\WINDOWS\system32\spoolsv.exe
                              C:\WINDOWS\Explorer.EXE
                              C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                              C:\Program Files\NavNT\defwatch.exe
                              C:\Program Files\NavNT\rtvscan.exe
                              C:\WINDOWS\system32\nvsvc32.exe
                              C:\WINDOWS\System32\svchost.exe
                              C:\Program Files\Viewpoint\Common\ViewpointService.exe
                              C:\WINDOWS\system32\MsgSys.EXE
                              C:\Program Files\NavNT\vptray.exe
                              C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                              C:\WINDOWS\System32\ezSP_Px.exe
                              C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                              C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
                              C:\Program Files\Logitech\MouseWare\system\em_exec.exe
                              C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                              C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                              C:\WINDOWS\system32\WgaTray.exe
                              C:\Program Files\NavNT\bak\vptray.exe
                              C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
                              c:\program files\internet explorer\iexplore.exe
                              C:\Program Files\analyse\analyse.exe

                              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firstdatajobs.com/
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                              O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
                              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                              O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                              O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                              O2 - BHO: (no name) - {A07C23E2-50F5-4C49-858D-684BE62D641F} - C:\WINDOWS\system32\mllmm.dll
                              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                              O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                              O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\mkxxishd.dll
                              O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                              O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                              O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
                              O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                              O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
                              O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
                              O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
                              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
                              O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
                              O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\bak\qttask.exe" -atboottime
                              O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
                              O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
                              O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
                              O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\gfqticvu.dll",sitypnow
                              O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
                              O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
                              O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                              O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                              O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                              O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O15 - Trusted Zone: *.whataboutadog.com
                              O15 - Trusted Zone: *.whataboutarabit.com
                              O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
                              O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
                              O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
                              O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
                              O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
                              O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/239ebff5dd55e2868019/netzip/RdxIE601.cab
                              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190263651562
                              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190263605609
                              O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
                              O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
                              O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
                              O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/popinsaniquarium/popcaploader_v10.cab
                              O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
                              O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                              O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                              O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
                              O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                              O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
                              O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
                              O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                              O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                              O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
                              O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rkcmiaiq.exe (file missing)
                              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
                              O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
                              O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
                              O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
                              O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
                              O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
                              O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


                              CBMatt

                              • Mod & Malware Specialist


                              • Prodigy

                              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                              « Reply #14 on: September 22, 2007, 05:25:59 AM »
                              Nice work so far, unlovedwarrior.

                              queenbunnywitch,
                              Go ahead and give VundoFix another shot.  It sometimes takes a few tries to fully clear out the infection.  You should then address your HJT log...  Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

                              O2 - BHO: (no name) - {A07C23E2-50F5-4C49-858D-684BE62D641F} - C:\WINDOWS\system32\mllmm.dll
                              O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\mkxxishd.dll

                              O15 - Trusted Zone: *.whataboutadog.com
                              O15 - Trusted Zone: *.whataboutarabit.com

                              O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

                              O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rkcmiaiq.exe (file missing)


                              Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

                              Navigate to and delete the following file(s) if present...

                              C:\WINDOWS\system32\mkxxishd.dll
                              C:\WINDOWS\system32\mllmm.dll
                              C:\WINDOWS\system32\rkcmiaiq.exe


                              Once you've done all of this, reboot into Normal Mode and post a new HijackThis log because there will probably be a few more things we need to address.
                              An undefined problem has an infinite number of solutions.
                              —Robert A. Humphrey
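The triage CBMatt did by eye above (a nameless BHO loading a DLL from system32, Trusted Zone additions, a DPF entry with no download URL, a service whose binary is missing, and a rundll32 Run entry loading a randomly named system32 DLL) can be written down as a small script. The following is an added example, not code from this thread or from HijackThis itself; the function names, the heuristics and their thresholds are the example's own choices, and the sample lines are a subset copied from the log posted above.

```python
"""Triage helper for HijackThis-style log lines.

Added example (not from the forum thread or from HijackThis): parses the
"Oxx - ..." entry format shown in the logs above and applies heuristics
of the kind a malware specialist uses when picking entries to fix.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines posted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A07C23E2-50F5-4C49-858D-684BE62D641F} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\yyufegna.dll",sitypnow
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rkcmiaiq.exe (file missing)
"""

# "O2 - BHO: ...", "R0 - HKCU\...", "F2 - ...", "N1 - ..." entry prefixes.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# A DLL directly under system32; the name is checked separately for case.
SYS32_DLL_RE = re.compile(r"\\system32\\([a-z]+)\.dll", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def parse_entries(text):
    """Yield (section, body) for every entry line; other lines are ignored."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def suspicious_reasons(section, body):
    """Return the list of heuristic hits for one entry (empty means 'looks ok')."""
    reasons = []
    lowered = body.lower()
    # Heuristic: a BHO with no registered name living in system32 is how the
    # Vundo DLLs in this thread showed up (legit nameless BHOs, e.g. Spybot's
    # SDHelper.dll, live under Program Files instead).
    if section == "O2" and body.startswith("BHO: (no name)") and "\\system32\\" in lowered:
        reasons.append("nameless BHO loading a DLL from system32")
    # Heuristic: rundll32 loading a system32 DLL whose name is all lowercase
    # letters; vendor DLLs such as NvCpl.dll keep their mixed-case names.
    if section == "O4" and "rundll32" in lowered:
        m = SYS32_DLL_RE.search(body)
        if m and m.group(1).islower():
            reasons.append("rundll32 loading an all-lowercase system32 DLL")
    # Any Trusted Zone addition lowers IE's security for that domain; review it.
    if section == "O15":
        reasons.append("Trusted Zone addition")
    # A DPF (ActiveX download) entry that records no source at all.
    if section == "O16":
        target = body.partition(" - ")[2].strip()
        if not target:
            reasons.append("DPF entry with no download URL")
    # A registered service whose binary is gone is a leftover to clean up.
    if section == "O23" and "(file missing)" in lowered:
        reasons.append("service binary missing")
    return reasons


def triage(text):
    """Return one Finding per flagged entry, in log order."""
    findings = []
    for section, body in parse_entries(text):
        reasons = suspicious_reasons(section, body)
        if reasons:
            findings.append(Finding(section, f"{section} - {body}", reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The heuristics are deliberately narrow so that known-good entries (the Acrobat BHO, Spybot's SDHelper, Norton's DefWatch service) pass through, and a flagged entry is still a prompt for a human to look, not a verdict.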

                              queenbunnywitch

                                Topic Starter


                                Beginner

                                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                « Reply #15 on: September 22, 2007, 05:22:40 PM »
                                Okay, I did most of that.

                                I couldn't delete the mllmm.dll file; it was giving me the same message as when I tried deleting the byxxutr.dll file. The desktop kept disappearing and it wouldn't give me enough time to try to delete it in the actual folder itself, so I tried it in KillBox and that's where I got the message.

                                Everything in HJT you told me to delete is gone except for
                                O2 - BHO: (no name) - {A07C23E2-50F5-4C49-858D-684BE62D641F} - C:\WINDOWS\system32\mllmm.dll

                                Here's my log

                                Logfile of HijackThis v1.99.1
                                Scan saved at 6:11:06 PM, on 9/22/2007
                                Platform: Windows XP SP2 (WinNT 5.01.2600)
                                MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                                Running processes:
                                C:\WINDOWS\System32\smss.exe
                                C:\WINDOWS\system32\winlogon.exe
                                C:\WINDOWS\system32\services.exe
                                C:\WINDOWS\system32\lsass.exe
                                C:\WINDOWS\system32\svchost.exe
                                C:\WINDOWS\system32\svchost.exe
                                C:\WINDOWS\system32\logonui.exe
                                C:\Program Files\analyse\analyse.exe

                                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firstdatajobs.com/
                                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
                                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                                R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                                O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
                                O2 - BHO: (no name) - {055DE62A-25B5-4469-BF90-968C8FBE2B35} - C:\WINDOWS\system32\mllmm.dll
                                O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                                O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                                O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                                O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                                O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\rcwoawin.dll
                                O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                                O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                                O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
                                O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                                O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
                                O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
                                O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                                O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
                                O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                                O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
                                O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
                                O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\bak\qttask.exe" -atboottime
                                O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
                                O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
                                O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
                                O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\yyufegna.dll",sitypnow
                                O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
                                O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
                                O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
                                O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
                                O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
                                O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
                                O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
                                O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/239ebff5dd55e2868019/netzip/RdxIE601.cab
                                O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190263651562
                                O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190263605609
                                O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
                                O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
                                O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
                                O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/popinsaniquarium/popcaploader_v10.cab
                                O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
                                O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                                O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
                                O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
                                O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                                O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                                O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
                                O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
                                O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
                                O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
                                O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
                                O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
                                O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
                                O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


                                CBMatt

                                • Mod & Malware Specialist


                                • Prodigy

                                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                « Reply #16 on: September 23, 2007, 04:14:57 AM »
                                You tried VundoFix again?  If it's not getting rid of the infection, then you can try to download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.

                                queenbunnywitch

                                  Topic Starter


                                  Beginner

                                  Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                  « Reply #17 on: September 23, 2007, 04:48:54 PM »
                                  Yeah, I did everything you said in the order in which it was described... I just couldn't delete that file.

                                  I'll try ComboFix; hopefully that'll work. Thanks for your help!

                                  queenbunnywitch

                                    Topic Starter


                                    Beginner

                                    Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                    « Reply #18 on: September 23, 2007, 05:01:52 PM »
                                    I tried to run ComboFix and this happened...



                                    I dunno what's up with that pop-up, but it only came up when trying to run ComboFix.

                                    queenbunnywitch

                                      Topic Starter


                                      Beginner

                                      Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                      « Reply #19 on: September 24, 2007, 01:00:02 AM »
                                      Okay, I tried ComboFix again and this is the log it generated


                                      ComboFix 07-09-21.2 - "starrs crap" 2007-09-24  1:47:08.1 - NTFSx86
                                      Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.238 [GMT -5:00]
                                       * Created a new restore point
                                      .

                                      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                      .

                                      C:\check_LSA7.txt
                                      C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
                                      C:\DOCUME~1\User\Desktop\internet.lnk
                                      C:\Program Files\WinBudget
                                      C:\Temp\fse
                                      C:\WINDOWS\cookies.ini
                                      C:\WINDOWS\NDNuninstall4_88.exe
                                      C:\WINDOWS\NDNuninstall4_94.exe
                                      C:\WINDOWS\NDNuninstall5_40.exe
                                      C:\WINDOWS\NDNuninstall5_48.exe
                                      C:\WINDOWS\system32\acorwuct.exe
                                      C:\WINDOWS\system32\ampybobd.exe
                                      C:\WINDOWS\system32\arkhrimt.exe
                                      C:\WINDOWS\system32\begniggx.exe
                                      C:\WINDOWS\system32\bffjlwxe.exe
                                      C:\WINDOWS\system32\cyaiemlt.exe
                                      C:\WINDOWS\system32\ddsxylos.exe
                                      C:\WINDOWS\system32\driver
                                      C:\WINDOWS\system32\driver\bcm43xx.cat
                                      C:\WINDOWS\system32\driver\RNDISMP.sys
                                      C:\WINDOWS\system32\driver\RNDISMPK.sys
                                      C:\WINDOWS\system32\driver\usb8023.sys
                                      C:\WINDOWS\system32\driver\usb8023k.sys
                                      C:\WINDOWS\system32\ehfcowka.exe
                                      C:\WINDOWS\system32\ehimbgjo.exe
                                      C:\WINDOWS\system32\fpypyjjh.exe
                                      C:\WINDOWS\system32\ftmxmvar.ini
                                      C:\WINDOWS\system32\fuoryjrp.exe
                                      C:\WINDOWS\system32\iekvjokh.exe
                                      C:\WINDOWS\system32\ilhynaqo.exe
                                      C:\WINDOWS\system32\jcbumtyh.dll
                                      C:\WINDOWS\system32\leosjlam.exe
                                      C:\WINDOWS\system32\lqvljwfc.exe
                                      C:\WINDOWS\system32\mgciijwt.dll
                                      C:\WINDOWS\system32\mllmm.dll
                                      C:\WINDOWS\system32\mmllm.bak1
                                      C:\WINDOWS\system32\mmllm.bak2
                                      C:\WINDOWS\system32\mmllm.ini
                                      C:\WINDOWS\system32\mmllm.ini2
                                      C:\WINDOWS\system32\mmllm.tmp
                                      C:\WINDOWS\system32\qfjdgdkc.exe
                                      C:\WINDOWS\system32\ravmxmtf.dll
                                      C:\WINDOWS\system32\ripddejx.exe
                                      C:\WINDOWS\system32\rqfsrtbp.exe
                                      C:\WINDOWS\system32\rrnyvyrx.ini
                                      C:\WINDOWS\system32\rsplwsxs.exe
                                      C:\WINDOWS\system32\sqqetqsb.exe
                                      C:\WINDOWS\system32\twjiicgm.ini
                                      C:\WINDOWS\system32\vwkmnvao.exe
                                      C:\WINDOWS\system32\wfyfdcei.exe
                                      C:\WINDOWS\system32\xcxivlig.exe
                                      C:\WINDOWS\system32\xryvynrr.dll
                                      C:\WINDOWS\system32\yjgpmuvw.exe

                                      .
                                      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


                                      -------\LEGACY_DOMAINSERVICE
                                      -------\DomainService


                                      (((((((((((((((((((((((((   Files Created from 2007-08-24 to 2007-09-24  )))))))))))))))))))))))))))))))
                                      .

                                      2007-09-23 17:51   51,200   --a------   C:\WINDOWS\NirCmd.exe
                                      2007-09-23 17:39   85,568   --a------   C:\WINDOWS\system32\yaabdhcs.dll
                                      2007-09-21 23:42   <DIR>   d--------   C:\Program Files\analyse
                                      2007-09-21 21:27   87,616   --a------   C:\WINDOWS\system32\kmclfijb.dll
                                      2007-09-21 21:24   <DIR>   d--------   C:\!KillBox
                                      2007-09-21 19:50   87,616   --a------   C:\WINDOWS\system32\pgrahpun.dll
                                      2007-09-21 19:21   <DIR>   d--------   C:\WINDOWS\pss
                                      2007-09-21 19:10   <DIR>   d--------   C:\Program Files\CCleaner
                                      2007-09-21 18:41   <DIR>   d--------   C:\DOCUME~1\STARRS~1\APPLIC~1\MSN6
                                      2007-09-21 18:19   87,616   --a------   C:\WINDOWS\system32\wamnhcng.dll
                                      2007-09-20 03:16   <DIR>   d--------   C:\Program Files\MSXML 6.0
                                      2007-09-20 03:05   <DIR>   d--------   C:\Program Files\MSXML 4.0
                                      2007-09-19 23:32   <DIR>   d--------   C:\Program Files\Enigma Software Group
                                      2007-09-19 23:08   <DIR>   d--------   C:\VundoFix Backups
                                      2007-09-18 03:49   <DIR>   d--------   C:\Program Files\RogueRemover FREE
                                      2007-09-17 01:19   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\Help
                                      2007-09-17 01:14   89,088   --a------   C:\WINDOWS\system32\atl71.dll
                                      2007-09-17 01:08   44,054   --a------   C:\WINDOWS\system32\byxxutr.dll.vir
                                      2007-09-17 01:08   <DIR>   d--------   C:\Temp
                                      2007-09-15 21:07   107,888   --a------   C:\WINDOWS\system32\CmdLineExt.dll
                                      2007-09-15 21:07   <DIR>   dr-h-----   C:\DOCUME~1\STARRS~1\APPLIC~1\SecuROM
                                      2007-09-02 23:03   2,146   --a------   C:\WINDOWS\mozver.dat
                                      2007-09-01 02:08   <DIR>   d--------   C:\DOCUME~1\STARRS~1\APPLIC~1\Google
                                      2007-08-31 18:31   <DIR>   d--------   C:\WINDOWS\system32\bak

                                      .
                                      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                      .
                                      2007-09-21 19:48   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
                                      2007-09-16 21:13   ---------   d--------   C:\Program Files\DivX
                                      2007-09-08 22:42   ---------   d--------   C:\DOCUME~1\STARRS~1\APPLIC~1\uTorrent
                                      2007-09-01 02:07   ---------   d--------   C:\DOCUME~1\STARRS~1\APPLIC~1\Yahoo!
                                      2007-09-01 02:04   ---------   d--------   C:\Program Files\Yahoo!
                                      2007-09-01 02:04   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
                                      2007-08-31 18:39   ---------   d--------   C:\Program Files\Zune
                                      2007-08-31 18:39   ---------   d--------   C:\Program Files\PopUp Killer
                                      2007-08-31 18:39   ---------   d--------   C:\Program Files\NavNT
                                      2003-11-15 20:33:00   8   --sh--r   C:\WINDOWS\system32\C5DE55205B.sys
                                      2003-11-15 20:33:00   1,682   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
                                      .

                                      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                      .
                                       
                                      *Note* empty entries & legit default entries are not shown

                                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                      "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-08-31 18:36]
                                      "windows auto update"="" []
                                      "vptray"="C:\Program Files\NavNT\vptray.exe" [2007-08-31 18:36]
                                      "PopUpKiller"="C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE" [2001-08-27 15:54]
                                      "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 04:50 C:\WINDOWS\LOGI_MWX.EXE]
                                      "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 10:29]
                                      "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-31 18:36]
                                      "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
                                      "nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
                                      "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
                                      "Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-08-31 18:36]
                                      "QuickTime Task"="E:\Program Files\QuickTime\bak\qttask.exe" [2007-04-27 09:41]
                                      "SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-08-31 18:36]
                                      "MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-08-31 18:36]
                                      "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
                                      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

                                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                      "Aim6"="" []
                                      "SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2007-08-31 18:36]
                                      "Yahoo! Pager"="E:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-27 16:19]
                                      "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
                                      "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 22:58]

                                      C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
                                      ClientManager3.lnk - C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe [2007-01-24 19:32:48]

                                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
                                      "{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

                                      R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\system32\BUFADPT.SYS
                                      S3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\system32\Drivers\Icam5USB.sys


                                      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
                                      AutoRun\command- D:\Autorun.exe

                                      .
                                      Contents of the 'Scheduled Tasks' folder
                                      "2007-08-30 23:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
                                      - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
                                      .
                                      **************************************************************************

                                      catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                      Rootkit scan 2007-09-24 01:56:37
                                      Windows 5.1.2600 Service Pack 2 NTFS

                                      scanning hidden processes ...

                                      scanning hidden autostart entries ...

                                      scanning hidden files ...

                                      scan completed successfully
                                      hidden files: 0

                                      **************************************************************************
                                      .
                                      Completion time: 2007-09-24  1:58:51 - machine was rebooted
                                      C:\ComboFix-quarantined-files.txt ... 2007-09-24 01:58
                                      .
                                         --- E O F ---

                                      CBMatt

                                      • Mod & Malware Specialist


                                      • Prodigy

                                      • Sad and lonely...and loving every minute of it.
                                      • Thanked: 167
                                        • Yes
                                      • Experience: Experienced
                                      • OS: Windows 7
                                      Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                      « Reply #20 on: September 24, 2007, 09:01:47 PM »
                                      Looks like ComboFix found quite a few Vundo files.  Now, go ahead and post a new HijackThis log and let me know how your computer is running.
                                      An undefined problem has an infinite number of solutions.
                                      —Robert A. Humphrey

                                      queenbunnywitch

                                        Topic Starter


                                        Beginner

                                        Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                        « Reply #21 on: September 25, 2007, 02:01:42 AM »
                                        I think it's actually gone now; I haven't had any pop-ups. When I was infected my antivirus would remind me every 30 seconds, and it has stopped. Also, when I was infected I noticed in IE, in Internet Options and add-ons currently running, there was an application for mmllm.exe, and that's gone now, so... I'm guessing I'm all clean.

                                        Here's my log just in case.

                                        Logfile of HijackThis v1.99.1
                                        Scan saved at 3:00:03 AM, on 9/25/2007
                                        Platform: Windows XP SP2 (WinNT 5.01.2600)
                                        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                                        Running processes:
                                        C:\WINDOWS\System32\smss.exe
                                        C:\WINDOWS\system32\winlogon.exe
                                        C:\WINDOWS\system32\services.exe
                                        C:\WINDOWS\system32\lsass.exe
                                        C:\WINDOWS\system32\svchost.exe
                                        C:\WINDOWS\System32\svchost.exe
                                        C:\WINDOWS\system32\svchost.exe
                                        C:\WINDOWS\system32\spoolsv.exe
                                        C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                                        C:\Program Files\NavNT\defwatch.exe
                                        C:\Program Files\NavNT\rtvscan.exe
                                        C:\WINDOWS\system32\nvsvc32.exe
                                        C:\WINDOWS\System32\svchost.exe
                                        C:\Program Files\Viewpoint\Common\ViewpointService.exe
                                        C:\WINDOWS\system32\MsgSys.EXE
                                        C:\WINDOWS\Explorer.EXE
                                        C:\WINDOWS\system32\WgaTray.exe
                                        C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                                        C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                                        C:\WINDOWS\System32\ezSP_Px.exe
                                        C:\Program Files\Logitech\MouseWare\system\em_exec.exe
                                        C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                        C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
                                        C:\WINDOWS\System32\svchost.exe
                                        C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                        C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                                        E:\PROGRA~2\Yahoo!\MESSEN~1\ymsgr_tray.exe
                                        C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
                                        C:\Program Files\analyse\analyse.exe

                                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firstdatajobs.com/
                                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
                                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                                        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                                        O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
                                        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                                        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                        O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                        O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                                        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                                        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                                        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                                        O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                                        O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
                                        O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                                        O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
                                        O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
                                        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                                        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
                                        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                                        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
                                        O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
                                        O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\bak\qttask.exe" -atboottime
                                        O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
                                        O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
                                        O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
                                        O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
                                        O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
                                        O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                        O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                        O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                                        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                        O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                        O15 - Trusted Zone: *.whataboutadog.com
                                        O15 - Trusted Zone: *.whataboutarabit.com
                                        O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
                                        O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
                                        O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
                                        O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
                                        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
                                        O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/239ebff5dd55e2868019/netzip/RdxIE601.cab
                                        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190263651562
                                        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190263605609
                                        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
                                        O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
                                        O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
                                        O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/popinsaniquarium/popcaploader_v10.cab
                                        O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                        O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                        O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
                                        O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                                        O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
                                        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
                                        O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                                        O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                                        O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
                                        O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
                                        O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
                                        O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
                                        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
                                        O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
                                        O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
                                        O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe



                                        Thank you so much for helping me out.

                                        oddjob



                                          Hopeful

                                          Thanked: 4
                                          • Experience: Beginner
                                          • OS: Windows 7
                                          Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                          « Reply #22 on: September 25, 2007, 03:13:13 AM »
                                          CBMatt, quick visit ... when you look at this one you'll probably see you have a few "(no name)....(no file)" entries to fix, and those O15's are still there.

                                          Viewpoint ... your choice. If it were me I'd get rid of it.


                                          However this ...

                                          O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/239ebff5dd55e2868019/netzip/RdxIE601.cab  is Netster-related & must go.


                                          This one ...

                                          O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/popinsaniquarium/popcaploader_v10.cab  "popcaploader" can slow the machine down. Should go.


                                          All the best.  ;D


                                          OJ


                                          CBMatt

                                          • Mod & Malware Specialist


                                          • Prodigy

                                          • Sad and lonely...and loving every minute of it.
                                          • Thanked: 167
                                            • Yes
                                          • Experience: Experienced
                                          • OS: Windows 7
                                          Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                          « Reply #23 on: September 25, 2007, 12:59:14 PM »
                                          Thanks for the always-welcome input, oddjob.  I'm handling logs a bit differently for the time being.  Because I've become so busy, I'm trying to address the main issues and clean up the logs a little bit before getting rid of the other stuff.  In this case, I wanted to make sure Vundo was taken care of before worrying about the other entries.  It keeps me from overloading myself.  It also prevents me from wasting my time and giving a complete analysis of a log, only to have the person never respond.

                                          Viewpoint ... your choice. If it were me I'd get rid of it.
                                          Agreed.  Viewpoint is just a waste of space and really isn't necessary.  No point in keeping it.


                                          queenbunnywitch,
                                          Your log looks a lot better now.  But as oddjob has already pointed out, there are still a few things to take care of.  And there are also a few files that ComboFix didn't delete, but we will hopefully be able to take care of them manually.  Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

                                          O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
                                          O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

                                          O15 - Trusted Zone: *.whataboutadog.com
                                          O15 - Trusted Zone: *.whataboutarabit.com

                                          O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/239ebff5dd55e2868019/netzip/RdxIE601.cab
                                          O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/popinsaniquarium/popcaploader_v10.cab

                                          O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


                                          Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

                                          Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

                                          Viewpoint

                                          Please note any other programs that you don't recognize in that list in your next response.

                                          Navigate to and delete the following folder(s) if present...

                                          C:\Program Files\Viewpoint

                                          Navigate to and delete the following file(s) if present...

                                          C:\WINDOWS\system32\byxxutr.dll.vir
                                          C:\WINDOWS\system32\kmclfijb.dll
                                          C:\WINDOWS\system32\pgrahpun.dll
                                          C:\WINDOWS\system32\wamnhcng.dll
                                          C:\WINDOWS\system32\yaabdhcs.dll


                                          Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up.  Let me know how everything's running now and if you had any problems following my steps.

                                          If you can't delete those files, try using KillBox.  If that doesn't work, then let me know; there's another method we can use to get rid of them.
                                          An undefined problem has an infinite number of solutions.
                                          —Robert A. Humphrey
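The triage oddjob and CBMatt apply to the HijackThis log above (orphaned O2 BHOs, O15 Trusted Zone additions, an O16 control pulled from a bare IP address, the Viewpoint service) written out as a small log checker. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from entries quoted in this thread, and the vendor list is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the format of the HijackThis v1.99.1 logs posted in this
# thread: the flagged entries are copied from the log above, the clean ones are
# there to show the rules do not fire on ordinary entries.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/239ebff5dd55e2868019/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190263651562
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://\S+")

# Assumed list: vendors the thread's helpers treat as unnecessary rather than malicious.
UNWANTED_SERVICE_VENDORS = {"Viewpoint Corporation"}


def parse_entries(log_text):
    """Return (section, body) pairs for every HijackThis entry line; header and
    'Running processes' lines do not match the entry pattern and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify(section, body):
    """Return a reason string if the entry matches one of the triage rules the
    thread applies, else None."""
    if section == "O2" and body.endswith("(no file)"):
        return "orphaned BHO: CLSID still registered but its DLL is gone"
    if section == "O15":
        # Sites in the IE Trusted Zone run ActiveX and scripts with relaxed settings.
        return "site added to the IE Trusted Zone; remove unless you put it there"
    if section == "O16":
        m = URL_RE.search(body)
        host = urlparse(m.group(0)).hostname if m else None
        if host and IPV4_RE.match(host):
            return "ActiveX control fetched from a bare IP address rather than a named host"
    if section == "O23":
        # body: "Service: <name> - <vendor> - <path>"
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3 and parts[1] in UNWANTED_SERVICE_VENDORS:
            return "service from a vendor the thread recommends removing"
    return None


def triage(log_text):
    """Return (section, reason, body) for every entry worth a second look."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = classify(section, body)
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {section} - {body}")
```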

                                          queenbunnywitch

                                            Topic Starter


                                            Beginner

                                            Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                            « Reply #24 on: September 25, 2007, 05:05:03 PM »
                                            So far no pop-ups and nothing else suspicious going on. My antivirus just hangs out without bothering me every 30 seconds. I did run a complete virus scan and it came back with 30 items and quarantined them all.

                                            I did everything you said. All the files deleted except for byxxutr.dll.vir, but it was quarantined, so I deleted it and everything else that was quarantined.

                                            I noticed that when I was still having problems, Safe Mode really wouldn't let me do anything: the box reminding me I'm in Safe Mode would pop up often and then disappear along with the desktop and any windows I had open. I had to keep bringing up the Task Manager, selecting Run and running C:\WINDOWS\ to get an error that would pull the desktop back up. Now that things are working the way they used to, that didn't happen once when I ran it in Safe Mode a few minutes ago.

                                            So here's my log.



                                            Logfile of HijackThis v1.99.1
                                            Scan saved at 5:58:36 PM, on 9/25/2007
                                            Platform: Windows XP SP2 (WinNT 5.01.2600)
                                            MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                                            Running processes:
                                            C:\WINDOWS\System32\smss.exe
                                            C:\WINDOWS\system32\winlogon.exe
                                            C:\WINDOWS\system32\services.exe
                                            C:\WINDOWS\system32\lsass.exe
                                            C:\WINDOWS\system32\svchost.exe
                                            C:\WINDOWS\System32\svchost.exe
                                            C:\WINDOWS\system32\svchost.exe
                                            C:\WINDOWS\system32\spoolsv.exe
                                            C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                                            C:\Program Files\NavNT\defwatch.exe
                                            C:\Program Files\NavNT\rtvscan.exe
                                            C:\WINDOWS\system32\nvsvc32.exe
                                            C:\WINDOWS\Explorer.EXE
                                            C:\WINDOWS\System32\svchost.exe
                                            C:\Program Files\NavNT\vptray.exe
                                            C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                                            C:\WINDOWS\System32\ezSP_Px.exe
                                            C:\Program Files\Logitech\MouseWare\system\em_exec.exe
                                            C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                            C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
                                            C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                            C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                                            C:\WINDOWS\system32\WgaTray.exe
                                            C:\WINDOWS\system32\MsgSys.EXE
                                            E:\PROGRA~2\Yahoo!\MESSEN~1\ymsgr_tray.exe
                                            C:\WINDOWS\System32\svchost.exe
                                            C:\WINDOWS\system32\wuauclt.exe
                                            C:\Program Files\NavNT\bak\vptray.exe
                                            c:\program files\internet explorer\iexplore.exe
                                            C:\Program Files\analyse\analyse.exe

                                            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firstdatajobs.com/
                                            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
                                            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                                            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                                            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                                            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                                            O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                            O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                            O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                            O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                                            O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                                            O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                                            O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                                            O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
                                            O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                                            O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
                                            O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
                                            O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                                            O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
                                            O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                                            O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
                                            O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
                                            O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\bak\qttask.exe" -atboottime
                                            O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
                                            O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
                                            O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                            O4 - HKLM\..\Run: [SunJavaUpdateSched]

                                            "C:\Program

                                            Files\Java\jre1.6.0_02\bin\jusched.exe"
                                            O4 - HKCU\..\Run: [SsAAD.exe]

                                            C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
                                            O4 - HKCU\..\Run: [Yahoo! Pager]

                                            "E:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1

                                            .EXE" -quiet
                                            O4 - HKCU\..\Run: [YSearchProtection]

                                            C:\Program Files\Yahoo!\Search

                                            Protection\SearchProtection.exe
                                            O4 - HKCU\..\Run: [swg] C:\Program

                                            Files\Google\GoogleToolbarNotifier\GoogleToolba

                                            rNotifier.exe
                                            O4 - Global Startup: ClientManager3.lnk =

                                            C:\Program Files\BUFFALO\Client

                                            Manager3\cm3_tray.exe
                                            O9 - Extra button: (no name) -

                                            {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

                                            C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                            O9 - Extra 'Tools' menuitem: Sun Java Console -

                                            {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

                                            C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                            O9 - Extra button: Yahoo! Services -

                                            {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}

                                            - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                            O9 - Extra button: Messenger -

                                            {FB5F1910-F110-11d2-BB9E-00C04F795683} -

                                            C:\Program Files\Messenger\msmsgs.exe
                                            O9 - Extra 'Tools' menuitem: Windows

                                            Messenger -

                                            {FB5F1910-F110-11d2-BB9E-00C04F795683} -

                                            C:\Program Files\Messenger\msmsgs.exe
                                            O15 - Trusted Zone: *.whataboutarabit.com
                                            O16 - DPF:

                                            {00B71CFB-6864-4346-A978-C0A14556272C}

                                            (Checkers Class) -

                                            http://messenger.zone.msn.com/binary/msgrchkr

                                            .cab
                                            O16 - DPF:

                                            {01FE8D0A-51AD-459B-B62B-85E135128B32}

                                            (DD_v4.DDv4) -

                                            http://www.drivershq.com/DD_v4.CAB
                                            O16 - DPF:

                                            {2917297F-F02B-4B9D-81DF-494B6333150B}

                                            (Minesweeper Flags Class) -

                                            http://messenger.zone.msn.com/binary/MineSwe

                                            eper.cab
                                            O16 - DPF:

                                            {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}

                                            (Installation Support) - C:\Program

                                            Files\Yahoo!\Common\Yinsthelper.dll
                                            O16 - DPF:

                                            {4F1E5B1A-2A80-42CA-8532-2D05CB959537}

                                            (MSN Photo Upload Tool) -

                                            http://by122fd.bay122.hotmail.msn.com/resource

                                            s/MsnPUpld.cab
                                            O16 - DPF:

                                            {6414512B-B978-451D-A0D8-FCFDF33E833C}

                                            (WUWebControl Class) -

                                            http://www.update.microsoft.com/microsoftupdat

                                            e/v6/V5Controls/en/x86/client/wuweb_site.cab?11

                                            90263651562
                                            O16 - DPF:

                                            {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

                                            (MUWebControl Class) -

                                            http://www.update.microsoft.com/microsoftupdat

                                            e/v6/V5Controls/en/x86/client/muweb_site.cab?1

                                            190263605609
                                            O16 - DPF:

                                            {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}

                                            (MessengerStatsClient Class) -

                                            http://messenger.zone.msn.com/binary/Messeng

                                            erStatsClient.cab
                                            O16 - DPF:

                                            {A90A5822-F108-45AD-8482-9BC8B12DD539}

                                            (Crucial cpcScan) -

                                            http://www.crucial.com/controls/cpcScanner.cab
                                            O16 - DPF:

                                            {B8BE5E93-A60C-4D26-A2DC-220313175592}

                                            (ZoneIntro Class) -

                                            http://cdn2.zone.msn.com/binFramework/v10/ZInt

                                            ro.cab34246.cab
                                            O18 - Protocol: livecall -

                                            {828030A1-22C1-4009-854F-8E305202313F} -

                                            C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                            O18 - Protocol: msnim -

                                            {828030A1-22C1-4009-854F-8E305202313F} -

                                            C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                            O20 - Winlogon Notify: NavLogon -

                                            C:\WINDOWS\System32\NavLogon.dll
                                            O20 - Winlogon Notify: WgaLogon -

                                            C:\WINDOWS\SYSTEM32\WgaLogon.dll
                                            O21 - SSODL: WPDShServiceObj -

                                            {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

                                            C:\WINDOWS\system32\WPDShServiceObj.dll
                                            O23 - Service: Ati HotKey Poller - Unknown

                                            owner - C:\WINDOWS\System32\Ati2evxx.exe
                                            O23 - Service: ATI Smart - Unknown owner -

                                            C:\WINDOWS\system32\ati2sgag.exe
                                            O23 - Service: Bwsvc - BUFFALO INC. -

                                            C:\Program Files\BUFFALO\Client

                                            Manager3\bwsvc\bwsvc.exe
                                            O23 - Service: DefWatch - Symantec

                                            Corporation - C:\Program

                                            Files\NavNT\defwatch.exe
                                            O23 - Service: Google Updater Service (gusvc) -

                                            Google - C:\Program

                                            Files\Google\Common\Google

                                            Updater\GoogleUpdaterService.exe
                                            O23 - Service: InstallDriver Table Manager

                                            (IDriverT) - Macrovision Corporation - C:\Program

                                            Files\Common Files\InstallShield\Driver\1150\Intel

                                            32\IDriverT.exe
                                            O23 - Service: MSCSPTISRV - Sony Corporation

                                            - C:\Program Files\Common Files\Sony

                                            Shared\AVLib\MSCSPTISRV.exe
                                            O23 - Service: Norton AntiVirus Client (Norton

                                            AntiVirus Server) - Symantec Corporation -

                                            C:\Program Files\NavNT\rtvscan.exe
                                            O23 - Service: NVIDIA Display Driver Service

                                            (NVSvc) - NVIDIA Corporation -

                                            C:\WINDOWS\system32\nvsvc32.exe
                                            O23 - Service: PACSPTISVR - Sony Corporation

                                            - C:\Program Files\Common Files\Sony

                                            Shared\AVLib\PACSPTISVR.exe
                                            O23 - Service: Sony SPTI Service (SPTISRV) -

                                            Sony Corporation - C:\Program Files\Common

                                            Files\Sony Shared\AVLib\SPTISRV.exe


                                            queenbunnywitch


                                              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                              « Reply #25 on: September 28, 2007, 05:41:51 AM »
                                              so....?

                                              oddjob



                                                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                « Reply #26 on: September 28, 2007, 07:37:22 AM »
                                                Your latest log is difficult to read as the "Wordwrap" function on your Notepad program has been changed.

                                                If you look at your previous logs they were laid out differently.

                                                Please UNcheck Word Wrap in Notepad (Click on Format > UNcheck Word Wrap) then rescan & repost a new log.

                                                Bear with us. We're not online all the time. Someone will get back to you as soon as possible.


                                                OJ

                                                CBMatt

                                                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                « Reply #27 on: September 28, 2007, 09:31:46 AM »
                                                oddjob is right; your log is very difficult to read, which makes it difficult to clearly see if you're clean or not.  I can see that you still have this entry, though...

                                                O15 - Trusted Zone: *.whataboutarabit.com

                                                Check that entry and remove it (just like you removed the other entries), and then please repost your log.
                                                An undefined problem has an infinite number of solutions.
                                                —Robert A. Humphrey

                                                queenbunnywitch


                                                  Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                  « Reply #28 on: September 28, 2007, 10:05:50 PM »
OK, sorry for getting impatient. I thought responses were gonna go dead or something. Here's the log again.


                                                  Logfile of HijackThis v1.99.1
                                                  Scan saved at 11:04:09 PM, on 9/28/2007
                                                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                                                  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                                                  Running processes:
                                                  C:\WINDOWS\System32\smss.exe
                                                  C:\WINDOWS\system32\winlogon.exe
                                                  C:\WINDOWS\system32\services.exe
                                                  C:\WINDOWS\system32\lsass.exe
                                                  C:\WINDOWS\system32\svchost.exe
                                                  C:\WINDOWS\System32\svchost.exe
                                                  C:\WINDOWS\system32\svchost.exe
                                                  C:\WINDOWS\system32\spoolsv.exe
                                                  C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                                                  C:\Program Files\NavNT\defwatch.exe
                                                  C:\Program Files\NavNT\rtvscan.exe
                                                  C:\WINDOWS\system32\nvsvc32.exe
                                                  C:\WINDOWS\System32\svchost.exe
                                                  C:\WINDOWS\Explorer.EXE
                                                  C:\WINDOWS\system32\MsgSys.EXE
                                                  C:\WINDOWS\system32\WgaTray.exe
                                                  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                                                  C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                                                  C:\WINDOWS\System32\ezSP_Px.exe
                                                  C:\Program Files\Logitech\MouseWare\system\em_exec.exe
                                                  C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                                  C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
                                                  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                                  C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                                                  C:\WINDOWS\System32\svchost.exe
                                                  E:\PROGRA~2\Yahoo!\MESSEN~1\ymsgr_tray.exe
                                                  C:\WINDOWS\system32\wuauclt.exe
                                                  c:\program files\internet explorer\iexplore.exe
                                                  C:\Program Files\analyse\analyse.exe

                                                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firstdatajobs.com/
                                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
                                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                                                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                                                  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                                                  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                                  O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                                  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                                  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                                                  O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                                                  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                                                  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                                                  O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
                                                  O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                                                  O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
                                                  O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
                                                  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                                                  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
                                                  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                                                  O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
                                                  O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
                                                  O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\bak\qttask.exe" -atboottime
                                                  O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
                                                  O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
                                                  O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
                                                  O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
                                                  O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
                                                  O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                                  O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                                  O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                                                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                                                  O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                  O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
                                                  O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
                                                  O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
                                                  O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
                                                  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
                                                  O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190263651562
                                                  O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190263605609
                                                  O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
                                                  O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
                                                  O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
                                                  O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                                  O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                                  O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
                                                  O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                                                  O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
                                                  O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
                                                  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                                                  O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                                                  O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
                                                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                                  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
                                                  O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
                                                  O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
                                                  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
                                                  O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
                                                  O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

That whataboutarabit thing isn't there right now, but every time I restart my computer it comes back.

                                                  CBMatt

                                                  Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                  « Reply #29 on: September 29, 2007, 09:37:22 AM »
                                                  No need to apologize.  Your concerns are understandable.  We just get a little busy with things from time to time.  Let's go ahead and try something that oddjob has suggested to me via PM...

                                                  Download FindAWF here and double-click on it.
                                                  • When prompted, press any key to continue.
                                                  • You will be presented with a menu.  On your keyboard, press 1 and then Enter.
                                                  • The scan will take several minutes.  When it has completed, a Notepad file will open with your results.  Paste the contents here in a new post.

                                                   
                                                  Also...
                                                  • Open HijackThis and click on Open the Misc Tools section.
                                                  • Click on Open Uninstall Manager and then on Save list.
                                                  • Save it to your desktop and then paste the contents of the file in your next post.
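Added example, not code from this thread or from the HijackThis or FindAWF authors: a small Python triage script that does mechanically what the helpers above are doing by eye. It parses HijackThis entry lines, flags the two indicators this thread turns on (an O15 Trusted Zone addition, and O4 autostarts whose executable sits in a `bak` directory, the layout FindAWF enumerates), diffs two logs so that an entry which "comes back after a restart" shows up as re-added, and cross-references the `bak` folders from a FindAWF report against the autoruns by file name. The sample log lines are constructed from the entry shapes posted in this thread and trimmed to a few lines; the "after reboot" log is an assumption modelling the poster's report that the O15 entry returns, and the FindAWF excerpt copies the report layout that appears in this thread. Everything it prints is a review flag, not a verdict. It also deliberately ignores continuation lines: a log saved with Word Wrap on cannot be rejoined safely by software, because the wrap point may fall inside a path token, so the right fix is the one oddjob gave (turn Word Wrap off and rescan).

```python
import re

# Constructed sample logs in HijackThis 1.99.1 format, trimmed to a few entries
# following the shapes posted in this thread. LOG_AFTER_REBOOT is an assumption
# modelling the poster's report that the O15 entry returns after a restart.
LOG_AFTER_FIX = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firstdatajobs.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""
LOG_AFTER_REBOOT = LOG_AFTER_FIX + "O15 - Trusted Zone: *.whataboutarabit.com\n"

# Constructed excerpt in the layout of the FindAWF 1.40 report shown in this thread.
FINDAWF_REPORT = r"""
  bak folders found
  ~~~~~~~~~~~

 Directory of C:\PROGRA~1\NAVNT\BAK

09/24/2001  07:59 AM            73,728 vptray.exe
               1 File(s)         73,728 bytes

 Directory of C:\PROGRA~1\POPUPK~1\BAK

09/28/2007  11:00 PM                 0 banned.ini
08/27/2001  03:54 PM            95,232 PopUpKiller.EXE
               2 File(s)         95,232 bytes
"""

# HijackThis entry lines start with a section tag (R0..R3, F0..F3, N1..N4, O1..O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
BAK_DIR_RE = re.compile(r"\\bak\\", re.IGNORECASE)
EXE_NAME_RE = re.compile(r'([^\\"\s\[\]]+\.exe)', re.IGNORECASE)
FINDAWF_DIR_RE = re.compile(r"^Directory of (?P<dir>.+)$")
FINDAWF_FILE_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+(?P<size>[\d,]+)\s+(?P<name>\S.*)$")


def parse_hjt(text):
    """Return (section, body) entries. Header lines, the 'Running processes'
    list and Word-Wrap continuation lines carry no section tag and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entries(entries):
    """(reason, detail) pairs for O15 Trusted Zone additions and O4 autostarts
    whose executable lives in a 'bak' directory. Review flags, not verdicts."""
    findings = []
    for section, body in entries:
        if section == "O15" and body.startswith("Trusted Zone: "):
            findings.append(("trusted-zone", body[len("Trusted Zone: "):]))
        elif section == "O4" and BAK_DIR_RE.search(body):
            findings.append(("autorun-from-bak", body))
    return findings


def diff_logs(old_text, new_text):
    """Entries added and removed between two logs, as sorted 'Oxx - body' strings,
    so an entry that returns after a reboot appears in the 'added' list."""
    old = {f"{s} - {b}" for s, b in parse_hjt(old_text)}
    new = {f"{s} - {b}" for s, b in parse_hjt(new_text)}
    return sorted(new - old), sorted(old - new)


def parse_findawf(text):
    """Map each directory listed in a FindAWF report to {file name: size in bytes}."""
    dirs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FINDAWF_DIR_RE.match(line)
        if m:
            current = m.group("dir")
            dirs[current] = {}
            continue
        m = FINDAWF_FILE_RE.match(line)
        if m and current is not None:
            dirs[current][m.group("name")] = int(m.group("size").replace(",", ""))
    return dirs


def correlate(entries, bak_dirs):
    """For every file in a bak folder, list the O4 autoruns launching a file of the
    same name and whether each points into the bak folder or at the original
    location. Matched by file name only: FindAWF prints 8.3 short paths (PROGRA~1)
    while HijackThis prints long ones."""
    autoruns = {}
    for section, body in entries:
        m = EXE_NAME_RE.search(body) if section == "O4" else None
        if m:
            autoruns.setdefault(m.group(1).lower(), []).append(body)
    report = []
    for files in bak_dirs.values():
        for name in files:
            for body in autoruns.get(name.lower(), []):
                where = "bak copy" if BAK_DIR_RE.search(body) else "original location"
                report.append((name, where, body))
    return report


if __name__ == "__main__":
    for reason, detail in flag_entries(parse_hjt(LOG_AFTER_REBOOT)):
        print(f"{reason:18} {detail}")
    added, _removed = diff_logs(LOG_AFTER_FIX, LOG_AFTER_REBOOT)
    print("reappeared after reboot:", added)
    for name, where, body in correlate(parse_hjt(LOG_AFTER_FIX), parse_findawf(FINDAWF_REPORT)):
        print(f"{name:18} autorun points at {where}: {body}")
```

Run it as a script to see the flags, the re-added O15 line, and the two bak-folder correlations: `vptray.exe` is launched from its original location while a same-named copy sits in `NAVNT\BAK`, whereas the PopUpKiller autorun points straight into the `bak` folder. Those are the pairs a helper would want to compare by size and hash before deciding which file is the original.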

                                                  queenbunnywitch


                                                    Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                    « Reply #30 on: September 29, 2007, 10:13:37 AM »
Okay, here's the log from that FindAWF program. I'll post the HijackThis one in a sec.


                                                      Find AWF report by noahdfear ©2006
                                                                   Version 1.40

                                                    The current date is: Sat 09/29/2007
                                                    The current time is: 11:06:15.51


                                                      bak folders found
                                                      ~~~~~~~~~~~


                                                     Directory of C:\PROGRA~1\NAVNT\BAK

                                                    09/24/2001  07:59 AM            73,728 vptray.exe
                                                                   1 File(s)         73,728 bytes

                                                     Directory of C:\PROGRA~1\POPUPK~1\BAK

                                                    09/28/2007  11:00 PM                 0 banned.ini
                                                    09/28/2007  11:00 PM                 0 expopups.ini
                                                    08/27/2001  03:54 PM            95,232 PopUpKiller.EXE
                                                    09/28/2007  07:33 AM                 0 popups.ini
                                                                   4 File(s)         95,232 bytes

                                                     Directory of C:\PROGRA~1\ZUNE\BAK

                                                    03/14/2007  05:03 PM            24,104 ZuneLauncher.exe
                                                                   1 File(s)         24,104 bytes

                                                     Directory of C:\WINDOWS\SYSTEM32\BAK

                                                    08/20/2002  10:29 AM            40,960 ezSP_Px.exe
                                                                   1 File(s)         40,960 bytes

                                                     Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

                                                    06/05/2003  12:35 PM           335,872 atiptaxx.exe
                                                                   1 File(s)        335,872 bytes

                                                     Directory of C:\PROGRA~1\MARKANY\CONTEN~1\BAK

                                                    01/30/2007  08:36 PM            57,344 MAAgent.exe
                                                                   1 File(s)         57,344 bytes

                                                     Directory of C:\PROGRA~1\SAMSUNG\SAMSUN~1\BAK

                                                    02/23/2007  04:32 PM           126,976 SMSTray.exe
                                                                   1 File(s)        126,976 bytes

                                                     Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

                                                    05/08/2006  05:17 AM            81,920 SsAAD.exe
                                                                   1 File(s)         81,920 bytes

                                                     Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

                                                    03/09/2007  04:14 PM           185,896 realsched.exe
                                                                   1 File(s)        185,896 bytes

                                                     Directory of E:\PROGRA~2\QUICKT~1\BAK

                                                    04/27/2007  09:41 AM           282,624 qttask.exe
                                                                   1 File(s)        282,624 bytes

                                                     Directory of E:\PROGRA~2\YAHOO!\MESSEN~1\BAK

                                                    06/07/2007  02:08 PM         4,670,968 YahooMessenger.exe
                                                                   1 File(s)      4,670,968 bytes


                                                      Duplicate files of bak directory contents
                                                      ~~~~~~~~~~~~~~~~~~~~~~~

                                                         24080 Aug 31 2007 "C:\Program Files\NavNT\vptray.exe"
                                                         73728 Sep 24 2001 "C:\Program Files\NavNT\bak\vptray.exe"
                                                         73728 Sep 24 2001 "E:\Program Files\NavNT\vptray.exe"
                                                           441 Aug 31 2007 "C:\Program Files\PopUp Killer\banned.ini"
                                                             0 Sep 28 2007 "C:\Program Files\PopUp Killer\bak\banned.ini"
                                                           441 Mar  3 2007 "E:\Program Files\PopUp Killer\banned.ini"
                                                             0 Aug 31 2007 "C:\Program Files\PopUp Killer\expopups.ini"
                                                             0 Sep 28 2007 "C:\Program Files\PopUp Killer\bak\expopups.ini"
                                                             0 Mar  3 2007 "E:\Program Files\PopUp Killer\expopups.ini"
                                                         24080 Aug 31 2007 "C:\Program Files\PopUp Killer\PopUpKiller.EXE"
                                                         95232 Aug 27 2001 "C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE"
                                                         95232 Aug 27 2001 "E:\Program Files\PopUp Killer\PopUpKiller.exe"
                                                             0 Aug 31 2007 "C:\Program Files\PopUp Killer\popups.ini"
                                                             0 Sep 28 2007 "C:\Program Files\PopUp Killer\bak\popups.ini"
                                                             0 Mar  3 2007 "E:\Program Files\PopUp Killer\popups.ini"
                                                         24080 Aug 31 2007 "C:\Program Files\Zune\ZuneLauncher.exe"
                                                         24104 Mar 14 2007 "C:\Program Files\Zune\bak\ZuneLauncher.exe"
                                                         40960 Aug 20 2002 "C:\WINDOWS\system32\ezSP_Px.exe"
                                                         40960 Aug 20 2002 "C:\WINDOWS\system32\bak\ezSP_Px.exe"
                                                         40960 Aug 20 2002 "E:\WINDOWS\system32\ezSP_Px.exe"
                                                         24080 Aug 31 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                                                        335872 Jun  5 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
                                                        335872 Jun  5 2003 "E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                                                         24080 Aug 31 2007 "C:\Program Files\MarkAny\ContentSafer\MAAgent.exe"
                                                         57344 Jan 30 2007 "C:\Program Files\MarkAny\ContentSafer\bak\MAAgent.exe"
                                                         24080 Aug 31 2007 "C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe"
                                                        126976 Feb 23 2007 "C:\Program Files\Samsung\Samsung Media Studio 5\bak\SMSTray.exe"
                                                         24080 Aug 31 2007 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
                                                         81920 May  8 2006 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
                                                         24080 Aug 31 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
                                                        185896 Mar  9 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
                                                        180269 Jun  5 2006 "E:\Program Files\Common Files\Real\Update_OB\realsched.exe"
                                                         24080 Aug 31 2007 "E:\Program Files\QuickTime\qttask.exe"
                                                        282624 Apr 27 2007 "E:\Program Files\QuickTime\bak\qttask.exe"
                                                       4670704 Aug 27 2007 "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
                                                       4670968 Jun  7 2007 "E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"


                                                      end of report

queenbunnywitch (Topic Starter)

Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
« Reply #31 on: September 29, 2007, 10:18:13 AM »
Okay, and here's the HJT thing.


                                                      µTorrent
                                                      Ad-aware 6 Personal
                                                      Adobe Flash Player ActiveX
                                                      Adobe Reader 6.0
                                                      AIM 6
                                                      Apple Software Update
                                                      ATI Control Panel
                                                      ATI Display Driver
                                                      BUFFALO Client Manager 3
                                                      CCleaner (remove only)
                                                      CDBurnerXP Pro
                                                      CEP - Color Enable Package
                                                      Cucusoft DVD to iPod/PSP + iPod/PSP Video Converter Suite 2.8.3
                                                      Cucusoft DVD to Zune + Zune Video Converter Suite 5.16.5.3
                                                      Data Lifeguard Tools
                                                      DataCastComponent
                                                      DivX Content Uploader
                                                      DivX Web Player
                                                      EVEREST Home Edition v2.20
                                                      Google Toolbar for Internet Explorer
                                                      Google Video Player
                                                      HijackThis 1.99.1
                                                      Hotfix for Windows Media Format 11 SDK (KB929399)
                                                      Hotfix for Windows Media Player 11 (KB939683)
                                                      Hotfix for Windows XP (KB926239)
                                                      Java 2 Runtime Environment, SE v1.4.1_03
                                                      Java Web Start
                                                      Java(TM) 6 Update 2
                                                      Kazaa Media Desktop 2.5.1
                                                      Lame ACM MP3 Codec
                                                      LiveUpdate 1.6 (Symantec Corporation)
                                                      Logitech MouseWare 9.79
                                                      Macromedia Shockwave Player
                                                      Microsoft .NET Framework 1.1
                                                      Microsoft .NET Framework 1.1
                                                      Microsoft .NET Framework 1.1 Hotfix (KB928366)
                                                      Microsoft Compression Client Pack 1.0 for Windows XP
                                                      Microsoft User-Mode Driver Framework Feature Pack 1.0
                                                      Mozilla Firefox (2.0.0.7)
                                                      MSXML 4.0 SP2 (KB936181)
                                                      MSXML 6.0 Parser (KB933579)
                                                      Norton AntiVirus Corporate Edition
                                                      NVIDIA Drivers
                                                      OpenMG AAC Add-on Module 1.0.00
                                                      OpenMG Limited Patch 4.5-06-05-12-01
                                                      OpenMG Secure Module 4.5.01
                                                      PDF Manual NW-E000 Series
                                                      QuickTime
                                                      Q-Xpress Installer 1.1.9
                                                      RealPlayer
                                                      Samsung Media Studio
                                                      Security Update for Windows Media Player (KB911564)
                                                      Security Update for Windows Media Player 10 (KB936782)
                                                      Security Update for Windows Media Player 11 (KB936782)
                                                      Security Update for Windows Media Player 6.4 (KB925398)
                                                      Security Update for Windows Media Player 9 (KB917734)
                                                      Security Update for Windows XP (KB890046)
                                                      Security Update for Windows XP (KB893756)
                                                      Security Update for Windows XP (KB896358)
                                                      Security Update for Windows XP (KB896422)
                                                      Security Update for Windows XP (KB896423)
                                                      Security Update for Windows XP (KB896424)
                                                      Security Update for Windows XP (KB896428)
                                                      Security Update for Windows XP (KB899587)
                                                      Security Update for Windows XP (KB899589)
                                                      Security Update for Windows XP (KB899591)
                                                      Security Update for Windows XP (KB900725)
                                                      Security Update for Windows XP (KB901017)
                                                      Security Update for Windows XP (KB901190)
                                                      Security Update for Windows XP (KB901214)
                                                      Security Update for Windows XP (KB902400)
                                                      Security Update for Windows XP (KB905414)
                                                      Security Update for Windows XP (KB905749)
                                                      Security Update for Windows XP (KB908519)
                                                      Security Update for Windows XP (KB911562)
                                                      Security Update for Windows XP (KB911567)
                                                      Security Update for Windows XP (KB911927)
                                                      Security Update for Windows XP (KB912919)
                                                      Security Update for Windows XP (KB913580)
                                                      Security Update for Windows XP (KB914388)
                                                      Security Update for Windows XP (KB914389)
                                                      Security Update for Windows XP (KB916281)
                                                      Security Update for Windows XP (KB917344)
                                                      Security Update for Windows XP (KB917422)
                                                      Security Update for Windows XP (KB917953)
                                                      Security Update for Windows XP (KB918118)
                                                      Security Update for Windows XP (KB919007)
                                                      Security Update for Windows XP (KB920213)
                                                      Security Update for Windows XP (KB920670)
                                                      Security Update for Windows XP (KB920683)
                                                      Security Update for Windows XP (KB920685)
                                                      Security Update for Windows XP (KB921398)
                                                      Security Update for Windows XP (KB921503)
                                                      Security Update for Windows XP (KB922616)
                                                      Security Update for Windows XP (KB922819)
                                                      Security Update for Windows XP (KB923191)
                                                      Security Update for Windows XP (KB923414)
                                                      Security Update for Windows XP (KB923689)
                                                      Security Update for Windows XP (KB923694)
                                                      Security Update for Windows XP (KB923980)
                                                      Security Update for Windows XP (KB924191)
                                                      Security Update for Windows XP (KB924270)
                                                      Security Update for Windows XP (KB924496)
                                                      Security Update for Windows XP (KB924667)
                                                      Security Update for Windows XP (KB925902)
                                                      Security Update for Windows XP (KB926255)
                                                      Security Update for Windows XP (KB926436)
                                                      Security Update for Windows XP (KB927779)
                                                      Security Update for Windows XP (KB927802)
                                                      Security Update for Windows XP (KB928090)
                                                      Security Update for Windows XP (KB928255)
                                                      Security Update for Windows XP (KB928843)
                                                      Security Update for Windows XP (KB929123)
                                                      Security Update for Windows XP (KB929969)
                                                      Security Update for Windows XP (KB930178)
                                                      Security Update for Windows XP (KB931261)
                                                      Security Update for Windows XP (KB931784)
                                                      Security Update for Windows XP (KB932168)
                                                      Security Update for Windows XP (KB935839)
                                                      Security Update for Windows XP (KB935840)
                                                      Security Update for Windows XP (KB936021)
                                                      Security Update for Windows XP (KB937143)
                                                      Security Update for Windows XP (KB938127)
                                                      Security Update for Windows XP (KB938829)
                                                      Shockwave
                                                      Sims2Pack Clean Installer
                                                      Sony PSP Media Manager 1.0a
                                                      Spybot - Search & Destroy 1.4
                                                      The Sims 2
                                                      The Sims 2 Glamour Life Stuff
                                                      The Sims 2 Nightlife
                                                      The Sims 2 Open For Business
                                                      The Sims 2 Pets
                                                      The Sims 2 University
                                                      The Sims™ 2 Bon Voyage
                                                      The Sims™ 2 Celebration! Stuff
                                                      The Sims™ 2 Seasons
                                                      Update for Windows XP (KB894391)
                                                      Update for Windows XP (KB898461)
                                                      Update for Windows XP (KB900485)
                                                      Update for Windows XP (KB908531)
                                                      Update for Windows XP (KB910437)
                                                      Update for Windows XP (KB911280)
                                                      Update for Windows XP (KB916595)
                                                      Update for Windows XP (KB920872)
                                                      Update for Windows XP (KB922582)
                                                      Update for Windows XP (KB927891)
                                                      Update for Windows XP (KB930916)
                                                      Update for Windows XP (KB931836)
                                                      Update for Windows XP (KB933360)
                                                      Update for Windows XP (KB938828)
                                                      Veoh Player
                                                      Windows Driver Package - Microsoft WPD  (12/01/2006 1.2.0.0)
                                                      Windows Installer 3.1 (KB893803)
                                                      Windows Live Messenger
                                                      Windows Media Format 11 runtime
                                                      Windows Media Format 11 runtime
                                                      Windows Media Player 11
                                                      Windows Media Player 11
                                                      Windows XP Hotfix - KB873339
                                                      Windows XP Hotfix - KB885835
                                                      Windows XP Hotfix - KB885836
                                                      Windows XP Hotfix - KB886185
                                                      Windows XP Hotfix - KB887472
                                                      Windows XP Hotfix - KB887742
                                                      Windows XP Hotfix - KB888113
                                                      Windows XP Hotfix - KB888302
                                                      Windows XP Hotfix - KB890859
                                                      Windows XP Hotfix - KB891781
                                                      Windows XP Service Pack 2
                                                      WinRAR archiver
                                                      XviD MPEG-4 Video Codec
                                                      Yahoo! Browser Services
                                                      Yahoo! Messenger
                                                      Yahoo! Search Protection
                                                      Zune



(And on a slightly off-topic note, when those viruses were giving me problems my Sims 2 ran horribly! Now it runs as smooth as it did before. So thanks so much for helping me, 'cause...man...I'd go crazy without my Sims.)
                                                      « Last Edit: September 29, 2007, 10:40:47 AM by queenbunnywitch »

CBMatt (Mod & Malware Specialist)

Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
« Reply #32 on: September 30, 2007, 10:17:09 AM »
                                                      I'm glad things are running a bit better for you now.  But there's still just a bit more cleanup we need to do.  First, you should remove the following...

                                                      Java 2 Runtime Environment, SE v1.4.1_03

                                                      You have a newer version of Java, so this one isn't necessary.  All it's doing is taking up space.  Now, go ahead and open up FindAWF.
                                                      When presented with the different options, choose #2.
                                                      A text file will open up.  Copy/paste the following bold text into that file...

                                                      C:\Program Files\NavNT\bak\vptray.exe
                                                      C:\Program Files\PopUp Killer\bak\banned.ini
                                                      C:\Program Files\PopUp Killer\bak\expopups.ini
                                                      C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                                                      C:\Program Files\PopUp Killer\bak\popups.ini
                                                      C:\Program Files\Zune\bak\ZuneLauncher.exe
                                                      C:\WINDOWS\system32\bak\ezSP_Px.exe
                                                      C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
                                                      C:\Program Files\MarkAny\ContentSafer\bak\MAAgent.exe
                                                      C:\Program Files\Samsung\Samsung Media Studio 5\bak\SMSTray.exe
                                                      C:\Program Files\Sony\SonicStage\bak\SsAAD.exe
                                                      C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
                                                      E:\Program Files\QuickTime\bak\qttask.exe
                                                      E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe


                                                      Close the .txt file and click Yes to save the changes.
                                                      When the tool has completed, a report will open up in Notepad.  Please post the results of the awf.txt here along with a new HijackThis log.

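The FindAWF report in Reply #30 and the restore list CBMatt asks for in Reply #32 both turn on the same pattern: for each hijacked program the real executable has been moved into a "bak" subfolder and a loader of one fixed size (24,080 bytes, every copy dated Aug 31 2007) has been dropped in its place. The Python script below is an added example, not code from this thread or from the FindAWF tool itself. It parses the "Duplicate files of bak directory contents" section of such a report, pairs every file under a "bak" folder with the in-place file it shadows, flags the pairs whose sizes differ, infers the loader size as the most common in-place size among those, and produces the list of bak paths one would paste into FindAWF option 2. The report excerpt embedded in it is constructed from entries posted above (not the full report), and all function names are the example's own.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the FindAWF report posted above; not the full report.
SAMPLE_REPORT = r'''
  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~

     24080 Aug 31 2007 "C:\Program Files\NavNT\vptray.exe"
     73728 Sep 24 2001 "C:\Program Files\NavNT\bak\vptray.exe"
     73728 Sep 24 2001 "E:\Program Files\NavNT\vptray.exe"
     24080 Aug 31 2007 "C:\Program Files\Zune\ZuneLauncher.exe"
     24104 Mar 14 2007 "C:\Program Files\Zune\bak\ZuneLauncher.exe"
     40960 Aug 20 2002 "C:\WINDOWS\system32\ezSP_Px.exe"
     40960 Aug 20 2002 "C:\WINDOWS\system32\bak\ezSP_Px.exe"
   4670704 Aug 27 2007 "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
   4670968 Jun  7 2007 "E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"

  end of report
'''

SECTION_HEADER = "Duplicate files of bak directory contents"
# One report line: size, three-letter month, day, year, then the quoted full path.
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_duplicates(report):
    """Map each quoted path in the duplicate-files section to (size, date)."""
    entries = {}
    in_section = False
    for line in report.splitlines():
        if SECTION_HEADER in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip().lower() == "end of report":
            break
        m = LINE_RE.match(line)
        if m:
            entries[m.group(3)] = (int(m.group(1)), m.group(2))
    return entries


def pair_bak_files(entries):
    """(in_place_path, bak_path) for every listed file that lives in a folder named bak."""
    pairs = []
    for path in entries:
        p = PureWindowsPath(path)
        if p.parent.name.lower() == "bak":
            # The shadowed original is the same file name one folder up.
            pairs.append((str(p.parent.parent / p.name), path))
    return pairs


def find_size_mismatches(entries):
    """{in_place_path: (in_place_size, bak_size)} where the two copies differ in size."""
    out = {}
    for orig, bak in pair_bak_files(entries):
        if orig in entries and entries[orig][0] != entries[bak][0]:
            out[orig] = (entries[orig][0], entries[bak][0])
    return out


def loader_size(mismatches):
    """The dropped loader is one file copied over every target, so its size is the
    most common in-place size among the mismatches. None if there are none."""
    counts = Counter(size for size, _ in mismatches.values())
    return counts.most_common(1)[0][0] if counts else None


def hijacked_paths(entries):
    """Sorted in-place paths whose size equals the inferred loader size."""
    mism = find_size_mismatches(entries)
    stub = loader_size(mism)
    return sorted(p for p, (size, _) in mism.items() if size == stub)


def restore_list(entries):
    """bak paths in report order: the list to paste into FindAWF option 2."""
    return [bak for _, bak in pair_bak_files(entries)]


if __name__ == "__main__":
    ents = parse_duplicates(SAMPLE_REPORT)
    print("inferred loader size:", loader_size(find_size_mismatches(ents)))
    for p in hijacked_paths(ents):
        print("hijacked:", p)
    print("paste into FindAWF option 2:")
    print("\n".join(restore_list(ents)))
```

Two things the report cannot settle on its own are worth keeping in mind. A size mismatch alone is not proof of hijacking: in the excerpt YahooMessenger.exe differs from its bak copy by a few hundred bytes and is not the loader size, which is why the loader-size check is kept separate from the mismatch check. Conversely, equal sizes (ezSP_Px.exe here) do not prove the two copies are identical, since the report carries only sizes and dates; on the live machine a hash comparison of the in-place file against the bak copy is the real test, and restoring every bak entry as CBMatt does is the conservative choice.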
queenbunnywitch (Topic Starter)

Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
« Reply #33 on: October 01, 2007, 10:39:03 PM »
Okay, stupid question, but how do I delete that version of Java?

oddjob

Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
« Reply #34 on: October 02, 2007, 04:02:31 AM »
Go to Start > Control Panel, double-click on Add/Remove Programs, and remove all older versions of Java that you find. Version 6, Update 2, is the only one you should keep at the moment.


                                                          OJ

queenbunnywitch (Topic Starter)

Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
« Reply #35 on: October 03, 2007, 01:00:42 AM »
Thanks, oddjob ;D


                                                              Find AWF report by noahdfear ©2006
                                                                           Version 1.40
                                                            Option 2 run successfully

                                                            The current date is: Wed 10/03/2007
                                                            The current time is:  1:54:08.62


                                                              bak folders found
                                                              ~~~~~~~~~~~


                                                             Directory of C:\PROGRA~1\NAVNT\BAK

                                                            09/24/2001  07:59 AM            73,728 vptray.exe
                                                                           1 File(s)         73,728 bytes

                                                             Directory of C:\PROGRA~1\POPUPK~1\BAK

                                                            10/02/2007  04:21 PM                 0 banned.ini
                                                            10/02/2007  04:21 PM                 0 expopups.ini
                                                            10/02/2007  03:07 PM            28,176 PopUpKiller.EXE
                                                            09/28/2007  07:33 AM                 0 popups.ini
                                                                           4 File(s)         28,176 bytes

                                                             Directory of C:\PROGRA~1\ZUNE\BAK

                                                            03/14/2007  05:03 PM            24,104 ZuneLauncher.exe
                                                                           1 File(s)         24,104 bytes

                                                             Directory of C:\WINDOWS\SYSTEM32\BAK

                                                            08/20/2002  10:29 AM            40,960 ezSP_Px.exe
                                                                           1 File(s)         40,960 bytes

                                                             Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

                                                            06/05/2003  12:35 PM           335,872 atiptaxx.exe
                                                                           1 File(s)        335,872 bytes

                                                             Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

                                                            09/04/2007  10:58 PM            68,856 GoogleToolbarNotifier.exe
                                                                           1 File(s)         68,856 bytes

                                                             Directory of C:\PROGRA~1\MARKANY\CONTEN~1\BAK

                                                            01/30/2007  08:36 PM            57,344 MAAgent.exe
                                                                           1 File(s)         57,344 bytes

                                                             Directory of C:\PROGRA~1\POPUPK~1\BAK\BAK

                                                            08/27/2001  03:54 PM            95,232 PopUpKiller.EXE
                                                                           1 File(s)         95,232 bytes

                                                             Directory of C:\PROGRA~1\SAMSUNG\SAMSUN~1\BAK

                                                            02/23/2007  04:32 PM           126,976 SMSTray.exe
                                                                           1 File(s)        126,976 bytes

                                                             Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

                                                            05/08/2006  05:17 AM            81,920 SsAAD.exe
                                                                           1 File(s)         81,920 bytes

                                                             Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

                                                            06/08/2007  09:59 AM           224,248 SearchProtection.exe
                                                                           1 File(s)        224,248 bytes

                                                             Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

                                                            03/09/2007  04:14 PM           185,896 realsched.exe
                                                                           1 File(s)        185,896 bytes

                                                             Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

                                                            07/12/2007  04:00 AM           132,496 jusched.exe
                                                                           1 File(s)        132,496 bytes

                                                             Directory of E:\PROGRA~2\QUICKT~1\BAK

                                                            10/02/2007  03:07 PM            28,176 qttask.exe
                                                                           1 File(s)         28,176 bytes

                                                             Directory of E:\PROGRA~2\QUICKT~1\BAK\BAK

                                                            04/27/2007  09:41 AM           282,624 qttask.exe
                                                                           1 File(s)        282,624 bytes

                                                             Directory of E:\PROGRA~2\YAHOO!\MESSEN~1\BAK

                                                            06/07/2007  02:08 PM         4,670,968 YahooMessenger.exe
                                                                           1 File(s)      4,670,968 bytes


                                                              Duplicate files of bak directory contents
                                                              ~~~~~~~~~~~~~~~~~~~~~~~

                                                                 28176 Oct  2 2007 "C:\Program Files\NavNT\vptray.exe"
                                                                 73728 Sep 24 2001 "C:\Program Files\NavNT\bak\vptray.exe"
                                                                 73728 Sep 24 2001 "E:\Program Files\NavNT\vptray.exe"
                                                                   441 Aug 31 2007 "C:\Program Files\PopUp Killer\banned.ini"
                                                                     0 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\banned.ini"
                                                                   441 Mar  3 2007 "E:\Program Files\PopUp Killer\banned.ini"
                                                                     0 Aug 31 2007 "C:\Program Files\PopUp Killer\expopups.ini"
                                                                     0 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\expopups.ini"
                                                                     0 Mar  3 2007 "E:\Program Files\PopUp Killer\expopups.ini"
                                                                 24080 Aug 31 2007 "C:\Program Files\PopUp Killer\PopUpKiller.EXE"
                                                                 28176 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE"
                                                                 95232 Aug 27 2001 "C:\Program Files\PopUp Killer\bak\bak\PopUpKiller.EXE"
                                                                 95232 Aug 27 2001 "E:\Program Files\PopUp Killer\PopUpKiller.exe"
                                                                     0 Aug 31 2007 "C:\Program Files\PopUp Killer\popups.ini"
                                                                     0 Sep 28 2007 "C:\Program Files\PopUp Killer\bak\popups.ini"
                                                                     0 Mar  3 2007 "E:\Program Files\PopUp Killer\popups.ini"
                                                                 24080 Aug 31 2007 "C:\Program Files\PopUp Killer\PopUpKiller.EXE"
                                                                 28176 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE"
                                                                 95232 Aug 27 2001 "C:\Program Files\PopUp Killer\bak\bak\PopUpKiller.EXE"
                                                                 95232 Aug 27 2001 "E:\Program Files\PopUp Killer\PopUpKiller.exe"
                                                                 28176 Oct  2 2007 "C:\Program Files\Zune\ZuneLauncher.exe"
                                                                 24104 Mar 14 2007 "C:\Program Files\Zune\bak\ZuneLauncher.exe"
                                                                 40960 Aug 20 2002 "C:\WINDOWS\system32\ezSP_Px.exe"
                                                                 40960 Aug 20 2002 "C:\WINDOWS\system32\bak\ezSP_Px.exe"
                                                                 40960 Aug 20 2002 "E:\WINDOWS\system32\ezSP_Px.exe"
                                                                 28176 Oct  2 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                                                                335872 Jun  5 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
                                                                335872 Jun  5 2003 "E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                                                                 52272 Apr  7 2007 "C:\Program Files\Google\googletoolbar1user.exe"
                                                               4562944 Apr 28 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
                                                                 28176 Oct  2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                                                               1145896 Mar  9 2007 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
                                                                138168 Apr  7 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
                                                                 68856 Sep  4 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
                                                               4856576 Jun 21 2006 "E:\Documents and Settings\starrs crap\My Documents\GoogleVideoPlayerSetup_2006_04_28-14-09_pcg.exe"
                                                               4562944 Apr 28 2006 "E:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
                                                                559784 Jun  5 2006 "E:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
                                                                 28176 Oct  2 2007 "C:\Program Files\MarkAny\ContentSafer\MAAgent.exe"
                                                                 57344 Jan 30 2007 "C:\Program Files\MarkAny\ContentSafer\bak\MAAgent.exe"
                                                                 24080 Aug 31 2007 "C:\Program Files\PopUp Killer\PopUpKiller.EXE"
                                                                 28176 Oct  2 2007 "C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE"
                                                                 95232 Aug 27 2001 "C:\Program Files\PopUp Killer\bak\bak\PopUpKiller.EXE"
                                                                 95232 Aug 27 2001 "E:\Program Files\PopUp Killer\PopUpKiller.exe"
                                                                 28176 Oct  2 2007 "C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe"
                                                                126976 Feb 23 2007 "C:\Program Files\Samsung\Samsung Media Studio 5\bak\SMSTray.exe"
                                                                 28176 Oct  2 2007 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
                                                                 81920 May  8 2006 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
                                                                 28176 Oct  2 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                                                224248 Jun  8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
                                                                 28176 Oct  2 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
                                                                185896 Mar  9 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
                                                                180269 Jun  5 2006 "E:\Program Files\Common Files\Real\Update_OB\realsched.exe"
                                                                132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                                                                132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
                                                                 24080 Aug 31 2007 "E:\Program Files\QuickTime\qttask.exe"
                                                                 28176 Oct  2 2007 "E:\Program Files\QuickTime\bak\qttask.exe"
                                                                282624 Apr 27 2007 "E:\Program Files\QuickTime\bak\bak\qttask.exe"
                                                                 24080 Aug 31 2007 "E:\Program Files\QuickTime\qttask.exe"
                                                                 28176 Oct  2 2007 "E:\Program Files\QuickTime\bak\qttask.exe"
                                                                282624 Apr 27 2007 "E:\Program Files\QuickTime\bak\bak\qttask.exe"
                                                                 24080 Aug 31 2007 "E:\Program Files\QuickTime\qttask.exe"
                                                                 28176 Oct  2 2007 "E:\Program Files\QuickTime\bak\qttask.exe"
                                                                282624 Apr 27 2007 "E:\Program Files\QuickTime\bak\bak\qttask.exe"
                                                                 28176 Oct  2 2007 "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
                                                               4670968 Jun  7 2007 "E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"


                                                              end of report


                                                            queenbunnywitch


                                                              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                              « Reply #36 on: October 03, 2007, 01:02:20 AM »
                                                              and the new HJT log

                                                              Logfile of HijackThis v1.99.1
                                                              Scan saved at 2:01:24 AM, on 10/3/2007
                                                              Platform: Windows XP SP2 (WinNT 5.01.2600)
                                                              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                                                              Running processes:
                                                              C:\WINDOWS\System32\smss.exe
                                                              C:\WINDOWS\system32\winlogon.exe
                                                              C:\WINDOWS\system32\services.exe
                                                              C:\WINDOWS\system32\lsass.exe
                                                              C:\WINDOWS\system32\svchost.exe
                                                              C:\WINDOWS\System32\svchost.exe
                                                              C:\WINDOWS\system32\svchost.exe
                                                              C:\WINDOWS\system32\spoolsv.exe
                                                              C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                                                              C:\Program Files\NavNT\defwatch.exe
                                                              C:\Program Files\NavNT\rtvscan.exe
                                                              C:\WINDOWS\system32\nvsvc32.exe
                                                              C:\WINDOWS\System32\svchost.exe
                                                              C:\WINDOWS\system32\MsgSys.EXE
                                                              C:\WINDOWS\Explorer.EXE
                                                              C:\WINDOWS\system32\WgaTray.exe
                                                              C:\Program Files\Logitech\MouseWare\system\em_exec.exe
                                                              C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                                                              C:\WINDOWS\System32\svchost.exe
                                                              C:\Program Files\analyse\analyse.exe

                                                              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://firstdatajobs.com/
                                                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
                                                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                                                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                                                              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                                                              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                                                              O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
                                                              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                                              O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                                              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                                                              O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                                                              O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                                                              O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                                                              O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
                                                              O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\bak\PopUpKiller.EXE
                                                              O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
                                                              O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
                                                              O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                                                              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
                                                              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                                                              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
                                                              O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
                                                              O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\bak\qttask.exe" -atboottime
                                                              O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
                                                              O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
                                                              O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                                              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                                                              O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
                                                              O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
                                                              O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                                              O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                                              O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
                                                              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                                                              O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                                                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                              O15 - Trusted Zone: *.whataboutadog.com
                                                              O15 - Trusted Zone: *.whataboutarabit.com
                                                              O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
                                                              O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
                                                              O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
                                                              O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
                                                              O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
                                                              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190263651562
                                                              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190263605609
                                                              O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
                                                              O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
                                                              O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
                                                              O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
                                                              O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                                              O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
                                                              O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
                                                              O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                                                              O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
                                                              O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
                                                              O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                                                              O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
                                                              O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
                                                              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                                              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
                                                              O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
                                                              O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
                                                              O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
                                                              O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
                                                              O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


                                                              CBMatt

                                                              • Mod & Malware Specialist


                                                              Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                              « Reply #37 on: October 05, 2007, 10:11:32 AM »
                                                              Hi, queen, sorry for the delay.  As I'm sure you've noticed, things can get a little busy over here.  Please download SUPERAntiSpyware (you'll need this later).  The fix appears to have not worked, so I would like you to reboot into Safe Mode and try my FindAWF instructions again (copying the filepaths into the Notepad file).  Once again, a logfile will open.

                                                              Because we get busy at times, I'm going to try giving you a Plan B in case the above doesn't work.  When you are given the logfile, check the Duplicate files of bak directory contents section at the bottom.  If it still lists all of those files, then try the following...

                                                              Open up Notepad (do this part before going into Safe Mode) and copy/paste everything in the below quote box...
                                                              Quote
                                                              @echo off
                                                              rem Step 1: delete the replaced copies.  attrib clears the system/hidden/read-only
                                                              rem bits first so the delete is not refused.  del is run WITHOUT /s: with /s it
                                                              rem would also delete the same file name inside bak\ and bak\bak\, i.e. the very
                                                              rem backups copied back in step 2.  GoogleToolbarNotifier.exe and
                                                              rem SearchProtection.exe are in the list because the FindAWF log above shows them
                                                              rem at 28,176 bytes with a backup in bak\; the bak\ copies of PopUpKiller.EXE and
                                                              rem qttask.exe are in it because the log shows those are 28,176-byte replacements
                                                              rem too (and the O4 Run entries in the HijackThis log point at them).
                                                              for %%g in (
                                                              "C:\Program Files\NavNT\vptray.exe"
                                                              "C:\Program Files\PopUp Killer\banned.ini"
                                                              "C:\Program Files\PopUp Killer\expopups.ini"
                                                              "C:\Program Files\PopUp Killer\PopUpKiller.exe"
                                                              "C:\Program Files\PopUp Killer\bak\PopUpKiller.exe"
                                                              "C:\Program Files\PopUp Killer\popups.ini"
                                                              "C:\Program Files\Zune\ZuneLauncher.exe"
                                                              "C:\WINDOWS\system32\ezSP_Px.exe"
                                                              "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                                                              "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                                                              "C:\Program Files\MarkAny\ContentSafer\MAAgent.exe"
                                                              "C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe"
                                                              "C:\Program Files\Sony\SonicStage\SsAAD.exe"
                                                              "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                                              "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
                                                              "E:\Program Files\QuickTime\qttask.exe"
                                                              "E:\Program Files\QuickTime\bak\qttask.exe"
                                                              "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
                                                              ) do (
                                                              if exist %%g attrib -s -h -r %%g
                                                              del /f /q %%g
                                                              )>nul 2>&1

                                                              rem Step 2: copy the originals back from the bak folders.  PopUpKiller.EXE and
                                                              rem qttask.exe come from bak\bak\ (95,232 and 282,624 bytes in the log above),
                                                              rem because the copy in bak\ is itself a 28,176-byte replacement.
                                                              copy /y "C:\Program Files\NavNT\bak\vptray.exe" "C:\Program Files\NavNT\vptray.exe"
                                                              copy /y "C:\Program Files\PopUp Killer\bak\banned.ini" "C:\Program Files\PopUp Killer\banned.ini"
                                                              copy /y "C:\Program Files\PopUp Killer\bak\expopups.ini" "C:\Program Files\PopUp Killer\expopups.ini"
                                                              copy /y "C:\Program Files\PopUp Killer\bak\bak\PopUpKiller.exe" "C:\Program Files\PopUp Killer\PopUpKiller.exe"
                                                              copy /y "C:\Program Files\PopUp Killer\bak\popups.ini" "C:\Program Files\PopUp Killer\popups.ini"
                                                              copy /y "C:\Program Files\Zune\bak\ZuneLauncher.exe" "C:\Program Files\Zune\ZuneLauncher.exe"
                                                              copy /y "C:\WINDOWS\system32\bak\ezSP_Px.exe" "C:\WINDOWS\system32\ezSP_Px.exe"
                                                              copy /y "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                                                              copy /y "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe" "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                                                              copy /y "C:\Program Files\MarkAny\ContentSafer\bak\MAAgent.exe" "C:\Program Files\MarkAny\ContentSafer\MAAgent.exe"
                                                              copy /y "C:\Program Files\Samsung\Samsung Media Studio 5\bak\SMSTray.exe" "C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe"
                                                              copy /y "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe" "C:\Program Files\Sony\SonicStage\SsAAD.exe"
                                                              copy /y "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe" "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                                              copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
                                                              copy /y "E:\Program Files\QuickTime\bak\bak\qttask.exe" "E:\Program Files\QuickTime\qttask.exe"
                                                              copy /y "E:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe" "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"

                                                              exit

                                                              Go to File > Save As and next to Save as type, choose All Files and save the file as restoreawf.bat.  Run the file in Safe Mode and then scan with SUPERAntiSpyware and let it clean whatever it wants.  Run FindAWF one more time and save the log, then restart your computer and post the results here along with a new HijackThis log.
                                                              An undefined problem has an infinite number of solutions.
                                                              —Robert A. Humphrey
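A safer version of the restore step described above, added here as an example and not part of FindAWF or of anyone's post in this thread: instead of deleting the suspect executable it moves it aside into a quarantine folder, refuses to act when no bak copy exists, and skips files whose bytes already match the backup. The directory tree and file contents are constructed demo data.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def restore_from_bak(target, quarantine_dir):
    """Restore one wrapped executable from <dir>\\bak\\<name>, the layout
    FindAWF reports. Returns a short status string for logging."""
    folder, name = os.path.split(target)
    bak = os.path.join(folder, "bak", name)
    if not os.path.isfile(bak):
        return "no-bak"             # nothing trustworthy to restore from: skip
    if os.path.isfile(target):
        if sha256_of(target) == sha256_of(bak):
            return "already-clean"  # identical bytes, nothing to do
        # Move the suspect file aside instead of deleting it (keeps evidence).
        os.makedirs(quarantine_dir, exist_ok=True)
        tag = os.path.basename(folder) + "_" + name + ".quarantined"
        shutil.move(target, os.path.join(quarantine_dir, tag))
    shutil.copy2(bak, target)       # put the original back in place
    return "restored"


def restore_all(targets, quarantine_dir):
    """Apply restore_from_bak to every path; returns {path: status}."""
    return {t: restore_from_bak(t, quarantine_dir) for t in targets}


def build_demo():
    """Constructed sample tree (demo data only); returns (root, [targets])."""
    root = tempfile.mkdtemp()
    zune = os.path.join(root, "Zune")
    os.makedirs(os.path.join(zune, "bak"))
    with open(os.path.join(zune, "bak", "ZuneLauncher.exe"), "wb") as f:
        f.write(b"ORIGINAL-PE")   # stands in for the real launcher
    with open(os.path.join(zune, "ZuneLauncher.exe"), "wb") as f:
        f.write(b"WRAPPER-STUB")  # stands in for the hijacker's stub
    qt = os.path.join(root, "QuickTime")
    os.makedirs(qt)
    with open(os.path.join(qt, "qttask.exe"), "wb") as f:
        f.write(b"UNKNOWN")       # no bak copy: must be left untouched
    return root, [os.path.join(zune, "ZuneLauncher.exe"),
                  os.path.join(qt, "qttask.exe")]
```

Running `restore_all(targets, quarantine_dir)` on a real machine would take the FindAWF list of paths; here `build_demo()` supplies a throwaway tree so the logic can be exercised without touching the system.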

                                                              queenbunnywitch
                                                                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                                « Reply #38 on: October 06, 2007, 09:05:50 PM »
                                                                 That's okay, you're still helping me so that's all I need! :D

                                                                 Okay now... before I do this let me make sure I get it first, I don't wanna mess anything up. Okay. So I download SUPERAntiSpyware. Then I just follow your first FindAWF instructions, and if it doesn't work then I go to plan B. So I run AWF again and check "Duplicate files of bak directory contents" and check if those files are still there... then open Notepad in regular mode and save that list you quoted in a Notepad file and "Save As" restoreawf.bat. Then run AWF in Safe Mode and then scan with SUPERAntiSpyware. Run AWF again and post the log after I restart?

                                                                CBMatt
                                                                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                                « Reply #39 on: October 08, 2007, 01:47:17 AM »
                                                                Yup, sounds like you've got the right idea to me!

                                                                CBMatt
                                                                Re: Virus issues, Downloader, Trojan.Vundo, Trojan Horse
                                                                « Reply #40 on: November 06, 2007, 05:45:01 AM »
                                                                Due to lack of feedback, I am closing this topic.  If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

                                                                If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.