
MovieDownloadpro and Winantispyware are killing me!



Spartamal
2007-06-09, 00:19
Hey folks,

My dad has some crud on the computer. He's getting upwards of 40 instances of WinAntiSpywarePro2007 requesting to d/l (he uses Netscape 7.2) and then every once in a while the browser "randomly" goes to "http://moviedownloadpro.com/index.asp?revid=stany1338&glid=&ovid="

Also, AVGFree gives me warnings every once in a while, but I think I've killed that problem (trojans).

How can I clean this off? I gather the Vundo is a tough infection to get rid of, so I need help. Here's what I've done, then I'll post the logs.

1. I updated AVG Free to the latest release and definitions. It was up to date as it was, but I checked. There were 2 files, and they were both deleted. Now scans clean.

2. Updated and ran SD. Found 41 problems. Fixed them, save for some .dlls which required reboot. Rebooted and ran on reboot.

3. Updated and ran Ad-aware. Found a host of problems. Fixed, ran on reboot.

4-6. Repeated process 3 more times until no more "red" items, the last time in "safe mode."

7. Still had difficulties, so read up on WinAnti.... and got Vundo remover program from the forums. That took out about 8-10 dlls that were problematic.

8. Left the computer overnight to see what, if anything I fixed.

9. Came in this morning to multiple instances of the download request and Netscape running on moviedownloadpro (I closed Netscape last night for sure.)

I know he's got a lot of programs running, but he needs the messaging stuff for work and uses a bunch of hokey little programs that he's had for a while and is comfortable with.

Thanks for all your help!!! (I hope I did this right, I DID read the "BEFORE you POST" thread, but if I screwed it up, let me know.)

Daniel

Here are the logs:
*************************
First: Online virus scan from CA
*************************
Virus scan finished. 5 viruses found.
Scan Results: 149770 files scanned. 5 viruses were detected.

File Infection Status Path
lo1[1] Win32/Vundo!generic infected C:\Documents and Settings\E. Daniel Bors Jr\Local Settings\Temporary Internet Files\Content.IE5\8LHIJI6I\
mljjk.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
pmnll.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
ssqomlk.dll.bad Win32/Chisyne!generic infected C:\VundoFix Backups\
wvusqqq.dll.bad Win32/Chisyne!generic infected C:\VundoFix Backups\

*************************
*************************
Hijackthis Log:
*************************
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:05:33 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\PNP4\Master\PNP4Mast.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\svhost.exe
C:\Program Files\CD Eject Tool\CD Eject Tool.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\PNP4\pnplus4.exe
C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
C:\Program Files\PTFB\PTFB.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
C:\Program Files\shortkey\SHORTKEY.EXE
C:\Program Files\shortkey\thehint.exe
C:\Program Files\Netscape\Netscape72\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Notepad.exe
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\ssqomlk.dll (file missing)
O2 - BHO: (no name) - {367D7556-7700-4AED-B8BA-FCD7B3013497} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {87F3C172-9F11-4EAA-B714-F72A20859B37} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\wnokrhvu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ifhhtotm.dll",realset
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
O4 - HKCU\..\Run: [CD Eject Tool] C:\Program Files\CD Eject Tool\CD Eject Tool.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: CD Eject Tool.lnk = C:\Program Files\CD Eject Tool\CD Eject Tool.exe
O4 - Startup: Pink Notes Plus v4.lnk = C:\Program Files\PNP4\pnplus4.exe
O4 - Startup: SHORTKEY.EXE.lnk = C:\Program Files\shortkey\SHORTKEY.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Pink Notes Plus v4.lnk = C:\Program Files\PNP4\pnplus4.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: PTFB.exe.lnk = C:\Program Files\PTFB\PTFB.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SHORTKEY.EXE.lnk = C:\Program Files\shortkey\SHORTKEY.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Monarch - {82E110A9-B83C-441F-9D69-E61E782C06E1} - http://www.monarchcomputer.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.monarchcomputer.com/search/main.php
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128569433578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143676147058
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{98FCCAA4-AAF8-437D-A760-4C386CD53AA9}: NameServer = 68.4.16.30,68.6.16.30
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pink Notes Plus Master (pnp4mast) - Alpha Media Inc.® - E:\Program Files\PNP4\Master\PNP4Mast.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

--
End of file - 10281 bytes

pskelley
2007-06-09, 16:23
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Here is some information about this Vundo junk for you:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/
It appears we have more to remove, but that is not the major issue. This one is:

C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
http://www.google.com/search?hl=en&q=svhost.exe&btnG=Search
As you can see, a lot of hackers call their junk the same thing. You can scan to see what it is here:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Out of concern for your security I need to provide you with this information:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

Thanks
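One way to automate the check pskelley walks through here (a file name that imitates a Windows system binary, plus the unnamed BHO entries from the log), as an added Python example that is not from the thread or from HijackThis; the sample log is constructed from lines quoted above, and the name list, directory list and 0.85 similarity cutoff are my own assumptions:

```python
# Added example: flag look-alike system binaries and unnamed BHOs in a
# HijackThis-style log. Name lists, directories and cutoff are assumptions.
import difflib
import ntpath
from typing import List, Optional, Tuple

# Assumption: core XP binaries and the two directories they belong in.
SYSTEM_BINARIES = sorted({"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe",
                          "smss.exe", "services.exe", "explorer.exe", "spoolsv.exe"})
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svhost.exe
C:\Program Files\Netscape\Netscape72\Netscp.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\ssqomlk.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\wnokrhvu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ifhhtotm.dll",realset
"""


def check_path(path: str) -> Optional[str]:
    """Reason if the executable name or its location is suspicious, else None.
    A real system binary name belongs only in a system directory; a near-miss
    of such a name (svhost vs svchost) anywhere is a classic disguise."""
    directory, name = ntpath.split(path.strip().strip('"').lower())
    if name in SYSTEM_BINARIES:
        return None if directory in SYSTEM_DIRS else f"system binary name outside a system directory: {path}"
    close = difflib.get_close_matches(name, SYSTEM_BINARIES, n=1, cutoff=0.85)
    return f"name looks like {close[0]}: {path}" if close else None


def check_bho(line: str) -> Optional[str]:
    """Unnamed BHOs/toolbars carry no vendor string; Vundo registers its DLLs that way."""
    if "(no name)" not in line:
        return None
    stale = "(file missing)" in line or "(no file)" in line
    return "unnamed BHO/toolbar" + (" with missing file (stale registration)" if stale else "")


def check_run_entry(line: str) -> Optional[str]:
    """Pull the executable out of an O4 Run entry and apply the path check."""
    _, sep, command = line.partition("] ")
    if not (line.startswith("O4 - ") and sep):
        return None
    exe = command[1:command.index('"', 1)] if command.startswith('"') else command.split()[0]
    return check_path(exe)


def find_suspicious(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for every entry a reviewer should look at."""
    findings, in_processes = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if line == "Running processes:" or not line:
            in_processes = line != ""  # header opens the process list, blank line closes it
            continue
        if in_processes:
            reason = check_path(line)
        elif line.startswith(("O2 - BHO:", "O3 - Toolbar:")):
            reason = check_bho(line)
        else:
            reason = check_run_entry(line)
        if reason:
            findings.append((line, reason))
    return findings
```

Running `find_suspicious(SAMPLE_LOG)` flags both svhost.exe entries and the three unnamed BHO/toolbar lines while leaving the genuine svchost.exe, Explorer.EXE and the AVG entries alone.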

Spartamal
2007-06-11, 20:49
ok.. holy crud.

I tried Kaspersky - no infection.

next I tried http://virusscan.jotti.org/
***************************
File: svhost.exe
Status: INFECTED/MALWARE
MD5 62f2e338f1abe5044abdf4823fe40579
Packers detected: PE_PATCH.UPX

Scan taken on 11 Jun 2007 17:31:17 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.ULPM.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Generic.Malware.SB.255574B0 (probable variant)
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
************************
the last site I'm still queued on.

Formatting is not an option right now. The file has only been on the computer since the 5th (if you trust the datestamp on it) and no online banking, etc. has occurred since then. This roughly coincides with the genesis of the other problems as well. It is about 15kb in size, but is using about 18MB of system memory (I killed the process immediately.)

So: How do I clean it off? Can I just delete it? AVG didn't see it as a problem, so I guess I need to d/l one of the other programs?

And I had 130 windows of the winantispyware download over the weekend!

Thanks - now I'm scared! (And I should be!)

Daniel

Spartamal
2007-06-11, 21:13
Virustotal got back to me. the results were:
*************************
AhnLab-V3 2007.6.12.0 06.11.2007 no virus found
AntiVir 7.4.0.32 06.11.2007 TR/Crypt.ULPM.Gen
Authentium 4.93.8 06.11.2007 no virus found
Avast 4.7.997.0 06.09.2007 no virus found
AVG 7.5.0.467 06.10.2007 no virus found
BitDefender 7.2 06.11.2007 Generic.Malware.SB.255574B0
CAT-QuickHeal 9.00 06.11.2007 no virus found
ClamAV devel-20070416 06.11.2007 no virus found
DrWeb 4.33 06.11.2007 no virus found
eSafe 7.0.15.0 06.11.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3710 06.11.2007 no virus found
Ewido 4.0 06.11.2007 no virus found
FileAdvisor 1 06.11.2007 no virus found
Fortinet 2.85.0.0 06.11.2007 no virus found
F-Prot 4.3.2.48 06.08.2007 no virus found
F-Secure 6.70.13030.0 06.11.2007 no virus found
Ikarus T3.1.1.8 06.11.2007 no virus found
Kaspersky 4.0.2.24 06.11.2007 no virus found
McAfee 5050 06.11.2007 no virus found
Microsoft 1.2503 06.11.2007 no virus found
NOD32v2 2323 06.11.2007 probably unknown NewHeur_PE virus
Norman 5.80.02 06.11.2007 no virus found
Panda 9.0.0.4 06.11.2007 Suspicious file

Aditional Information
File size: 14848 bytes
MD5: 62f2e338f1abe5044abdf4823fe40579
SHA1: 8df151cd17994bc8a5e459b4b812704466e968d3
packers: UPX
packers: UPX

pskelley
2007-06-13, 00:03
I understand you to say you wish to clean the computer as best as you can. I would appreciate it if you would read the directions again to be sure, and then do your best to follow them. Post only what I request.

Before we start I must be sure you are not running two antivirus programs at the same time. This is what I am seeing:
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Symantec\ and
C:\PROGRA~1\Grisoft\AVG7\ if this is two antivirus programs running, see this information:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp


1) Delete Vundofix and C:\VundoFix Backups\ from your computer. If we need the tool again, we would want to download it fresh.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Thanks to andymanchesta and anyone else who helped with the fix.

4) Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

(Hold the report and HJT log until we finish. Some items I post below may be gone, removed by SDFix; do not be concerned, just work through the instructions and then post the information I request.)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\ssqomlk.dll (file missing)
O2 - BHO: (no name) - {367D7556-7700-4AED-B8BA-FCD7B3013497} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {87F3C172-9F11-4EAA-B714-F72A20859B37} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\wnokrhvu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ifhhtotm.dll",realset

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\svhost.exe <<< delete that file (should be gone?)

C:\WINDOWS\system32\ifhhtotm.dll <<< delete that file

(if either file gives you problems, use this tool and instructions)
How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

7) Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the SDFix report, the scan results from AVG Anti-Spyware and a new HJT log.

Thanks

tashi
2007-06-20, 16:54
This topic has been moved to archives to prevent others with similar issues posting to it.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.