Need help removing virtumonde



psnapp
2007-08-29, 21:21
I have scanned with Spybot S&D and it was unable to remove it, even after a restart. I also tried VundoFix, and after a couple of restarts it appeared to have it, but it returned.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:59 AM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\xamyxtyy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\uydpehnf.dll",forkonce
O4 - HKLM\..\RunOnce: [SpybotDeletingA244] command /c del "C:\WINDOWS\system32\mlljk.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1990] cmd /c del "C:\WINDOWS\system32\mlljk.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [SpybotDeletingB79] command /c del "C:\WINDOWS\system32\mlljk.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8398] cmd /c del "C:\WINDOWS\system32\mlljk.dll_tobedeleted"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187054032046
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4091 bytes

and the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 29, 2007 12:19:04 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/08/2007
Kaspersky Anti-Virus database records: 398152
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 79211
Number of viruses found: 11
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 00:37:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\cert8.db Object is locked skipped
C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\history.dat Object is locked skipped
C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\key3.db Object is locked skipped
C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Phil\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Mozilla\Firefox\Profiles\aycu8wxx.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\History\History.IE5\MSHist012007082920070830\index.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\43IN67CD\valera[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\814L6F2X\CAL1KW74 Infected: not-a-virus:AdWare.Win32.Virtumonde.mb skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\814L6F2X\WinAntiSpyware2007FreeInstall[1].cab/WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\814L6F2X\WinAntiSpyware2007FreeInstall[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\KVMX01OX\lkjh[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\Phil\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Phil\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-1547161642-725345543-839522115-1004\Dc2.exe/stream/data0051 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\RECYCLER\S-1-5-21-1547161642-725345543-839522115-1004\Dc2.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\RECYCLER\S-1-5-21-1547161642-725345543-839522115-1004\Dc2.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-1547161642-725345543-839522115-1004\Dc4.exe/WISE0026.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\RECYCLER\S-1-5-21-1547161642-725345543-839522115-1004\Dc4.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\RECYCLER\S-1-5-21-1547161642-725345543-839522115-1004\Dc4.exe WiseSFX: infected - 2 skipped
C:\RECYCLER\S-1-5-21-1547161642-725345543-839522115-1004\Dc4.exe WiseSFX Dropper: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008281.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.lt skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008281.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008281.exe/data.rar/crack.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008281.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008281.exe/data.rar Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008281.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008285.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008286.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008287.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP143\A0008418.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mb skipped
C:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP147\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5EA10B09-17B0-4624-B577-E8682BF15C24}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\USS.evt Object is locked skipped
C:\WINDOWS\system32\fccdcby.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kokfmkvw.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xamyxtyy.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP147\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP147\change.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{6288B6A9-B3FF-4CE7-BD9C-A37AF7F7F6AB}\RP147\change.log Object is locked skipped

Scan process completed.

Can someone please help me get rid of it?

ken545
2007-08-30, 00:40
psnapp,

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (looks like a man with a spyglass) and rename it to psnapp.exe.

Post a new HJT log with it renamed, please.

psnapp
2007-08-30, 01:29
Sorry about that. Here is the corrected log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:19 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\psnapp.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B2B6E6F-F7FA-4C9B-A599-C45BAD084964} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {75062DB0-ED0D-41F9-B556-693664BDEC35} - C:\WINDOWS\system32\ssqrr.dll (file missing)
O2 - BHO: (no name) - {758B5CBE-4B27-4624-B1D3-1FFE1929DB0F} - C:\WINDOWS\system32\jkhff.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187054032046
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 3543 bytes

ken545
2007-08-30, 01:34
Hello,

FYI. The thieves that have written the Vundo trojan have written it to evade an HJT scan, and by renaming it to something else, if you're infected with Vundo it will show up in your log. You are infected with Vundo.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

I need to see the Combofix log, the Vundo log and a New HJT log please.

psnapp
2007-08-30, 02:23
ComboFix log:

ComboFix 07-08-30.1 - "Phil" 2007-08-30 17:15:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.599 [GMT -7:00]


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-30 17:06 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-30 17:06 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-30 17:06 3,104 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-30 17:06 123,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-30 17:06 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-08-30 17:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2007-08-29 12:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-29 09:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-29 09:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-29 09:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-28 11:38 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-08-27 14:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-26 16:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-08-26 15:06 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-08-26 14:41 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-08-26 14:39 28,672 --a------ C:\WINDOWS\system32\PdeSrvps.dll
2007-08-26 14:39 149,504 --a------ C:\WINDOWS\UNWISE.EXE
2007-08-26 14:39 <DIR> d-------- C:\Program Files\Creative
2007-08-23 09:14 <DIR> d-------- C:\Program Files\QuickTime
2007-08-23 09:14 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-23 09:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-23 09:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-22 18:30 86,016 -ra------ C:\WINDOWS\system32\CNMCP5y.exe
2007-08-22 18:30 7,680 --a------ C:\WINDOWS\system32\CNMVS5y.DLL
2007-08-22 18:30 116,736 --a------ C:\WINDOWS\system32\CNMLM5y.DLL
2007-08-22 18:30 <DIR> d--h----- C:\BJPrinter
2007-08-22 16:49 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-22 16:48 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-08-22 16:48 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-08-17 11:23 <DIR> d-------- C:\Program Files\Skype
2007-08-17 11:23 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-08-17 11:23 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Skype
2007-08-16 16:52 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-16 16:52 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-16 16:52 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-16 16:52 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-16 16:48 253,440 -ra------ C:\WINDOWS\system32\drivers\Mrv8000c.sys
2007-08-14 12:48 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-08-14 12:48 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-08-14 12:48 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-08-14 12:00 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-08-13 23:19 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-13 23:18 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-13 23:18 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-13 22:37 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-13 22:37 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-08-13 22:37 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-08-13 22:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-13 22:04 <DIR> d-------- C:\WINDOWS\provisioning
2007-08-13 22:04 <DIR> d-------- C:\WINDOWS\peernet
2007-08-13 22:03 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-08-13 22:01 <DIR> d-------- C:\WINDOWS\EHome
2007-08-13 21:32 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2007-08-13 21:32 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-08-13 19:39 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-08-13 19:39 40,960 -----c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2007-08-13 19:39 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-08-13 19:39 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-08-13 19:33 1,156 --a------ C:\WINDOWS\mozver.dat
2007-08-13 19:29 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-08-13 19:28 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Ulead Systems
2007-08-13 19:15 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\DivX
2007-08-13 18:39 <DIR> d-------- C:\Program Files\NovaStor
2007-08-13 18:38 24,576 --a------ C:\WINDOWS\system32\UleadPhotoExplorer85_Res.dll
2007-08-13 18:38 24,576 --a------ C:\WINDOWS\system32\Ulead Photo Explorer 85.scr
2007-08-13 18:36 <DIR> d-------- C:\Program Files\Windows Media Components
2007-08-13 18:33 413,696 --a------ C:\WINDOWS\system32\msvcp60.dll
2007-08-13 18:32 <DIR> d-------- C:\Program Files\Ulead Systems
2007-08-13 18:32 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2007-08-13 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems
2007-08-13 18:26 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Pegasys Inc
2007-08-13 18:25 <DIR> d-------- C:\Program Files\Pegasys Inc
2007-08-13 18:16 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-13 18:15 <DIR> d-------- C:\WINDOWS\system32\bits
2007-08-13 18:06 <DIR> d---s---- C:\DOCUME~1\Phil\UserData
2007-08-13 18:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-08-13 16:32 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\WinRAR
2007-08-13 15:53 <DIR> d-------- C:\WINDOWS\system32\custom matrices
2007-08-13 15:53 <DIR> d-------- C:\WINDOWS\system32\C2MP
2007-08-13 15:06 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-08-13 15:06 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-08-13 15:06 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-08-13 15:06 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-08-13 15:01 <DIR> d-------- C:\Bittorrent
2007-08-13 14:59 <DIR> d-------- C:\Program Files\BitTorrent
2007-08-13 14:59 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\BitTorrent
2007-08-13 14:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-08-13 14:43 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-08-13 14:43 <DIR> d-------- C:\WINDOWS\nview
2007-08-13 14:40 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-08-13 14:40 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2007-08-13 14:40 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-08-13 14:27 135,168 -ra------ C:\WINDOWS\system32\igfxres.dll
2007-08-13 14:27 <DIR> d-------- C:\Intel
2007-08-13 14:20 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-13 14:19 <DIR> d-------- C:\Program Files\Intel
2007-08-13 14:17 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 14:17 <DIR> d-------- C:\Program Files\Realtek
2007-08-13 14:17 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-08-13 14:15 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 17:10 1196 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-30 17:10 1172 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-13 14:17 294912 --a------ C:\WINDOWS\HideWin.exe
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-28 12:51 206088 --a------ C:\WINDOWS\system32\klogon.dll
2007-06-28 12:50 22457 --a------ C:\WINDOWS\system32\drivers\klop.dat
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2002-08-29 05:00 287141 --------- C:\DOCUME~1\Phil\APPLIC~1\brisane.exe


((((((((((((((((((((((((((((( snapshot_2007-08-30_130110.92 )))))))))))))))))))))))))))))))))))))))))

----a-w 16,384 2007-08-31 00:11:32 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-08-31 00:11:32 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-08-31 00:11:32 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 110,360 2007-04-28 23:51:02 C:\WINDOWS\system32\drivers\kl1.sys
----a-w 186,640 2007-06-28 00:31:58 C:\WINDOWS\system32\drivers\klif.sys
----a-w 24,344 2007-04-04 21:58:26 C:\WINDOWS\system32\drivers\klim5.sys

----a-w 16,384 2007-08-14 05:22:11 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-08-14 05:22:11 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-08-14 05:22:11 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B2B6E6F-F7FA-4C9B-A599-C45BAD084964}]
C:\WINDOWS\system32\jkkjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75062DB0-ED0D-41F9-B556-693664BDEC35}]
C:\WINDOWS\system32\ssqrr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{758B5CBE-4B27-4624-B1D3-1FFE1929DB0F}]
C:\WINDOWS\system32\jkhff.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-04-05 07:22]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-04-05 07:19]
"Persistence"="C:\WINDOWS\System32\igfxpers.exe" [2005-04-05 07:23]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 02:28 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-07-20 21:07]
"nwiz"="nwiz.exe" [2005-07-20 21:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-07-20 21:07]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe" [2004-06-28 20:12]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 W8335XP;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;C:\WINDOWS\system32\DRIVERS\Mrv8000c.sys

*Newly Created Service* - KL1

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F54BE479-AA88-A120-EFF1-FFB024A0AE00}]
C:\Documents and Settings\Phil\Application Data\brisane.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 17:17:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 17:19:04
C:\ComboFix-quarantined-files.txt ... 2007-08-30 17:19
C:\ComboFix2.txt ... 2007-08-30 13:01

--- E O F ---

rest to come in subsequent posts

psnapp
2007-08-30, 02:28
VundoFix found no files
VundoFix.txt:

Beginning removal...



here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:46 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Phil\Application Data\brisane.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\psnapp.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B2B6E6F-F7FA-4C9B-A599-C45BAD084964} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {75062DB0-ED0D-41F9-B556-693664BDEC35} - C:\WINDOWS\system32\ssqrr.dll (file missing)
O2 - BHO: (no name) - {758B5CBE-4B27-4624-B1D3-1FFE1929DB0F} - C:\WINDOWS\system32\jkhff.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows Update] C:\Documents and Settings\Phil\Application Data\brisane.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187054032046
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4163 bytes

ken545
2007-08-30, 03:05
Hello Again,

Let's do this.



REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B2B6E6F-F7FA-4C9B-A599-C45BAD084964}]
C:\WINDOWS\system32\jkkjk.dll

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75062DB0-ED0D-41F9-B556-693664BDEC35}]
C:\WINDOWS\system32\ssqrr.dll

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{758B5CBE-4B27-4624-B1D3-1FFE1929DB0F}]
C:\WINDOWS\system32\jkhff.dll


Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.


Open HijackThis > Do a System Scan Only. Close your browser and all open windows (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked. These should be gone.

O2 - BHO: (no name) - {5B2B6E6F-F7FA-4C9B-A599-C45BAD084964} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {75062DB0-ED0D-41F9-B556-693664BDEC35} - C:\WINDOWS\system32\ssqrr.dll (file missing)
O2 - BHO: (no name) - {758B5CBE-4B27-4624-B1D3-1FFE1929DB0F} - C:\WINDOWS\system32\jkhff.dll (file missing)

Post a new HJT log and let me know how your system is running now.

psnapp
2007-08-30, 03:20
Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:17 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Phil\Application Data\brisane.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Trend Micro\HijackThis\psnapp.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows Update] C:\Documents and Settings\Phil\Application Data\brisane.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187054032046
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 3957 bytes

ken545
2007-08-30, 03:59
Post a new HJT log and let me know how your system is running now. <--???

You had a ton of bad files and entries in your Temp files / Temporary Internet Files and in your System Restore program. Let's clean them all out.

Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!


System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point.

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it

To make sure we got it all, let's run Super Anti Spyware.

Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

ken545
2007-08-30, 04:15
After you run SAS, run HJT and remove this one if it's still present.

O4 - HKCU\..\Run: [Windows Update] C:\Documents and Settings\Phil\Application Data\brisane.exe

Then delete this file
C:\Documents and Settings\Phil\Application Data\brisane.exe

Now post a new log, please.
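The two kinds of entry ken545 singles out in this thread, the unnamed O2 BHOs whose DLLs are already gone and the HKCU Run value labelled "Windows Update" that launched brisane.exe from Application Data, can be picked out of a HijackThis log mechanically. The Python below is an added example written for this page, not a tool from the thread, from Trend Micro or from Spybot; the log lines it scans are a constructed sample modelled on the entries quoted above, and the path and label heuristics are this example's own assumptions, not HijackThis rules.

```python
import re
from typing import Dict, List

# Constructed sample of HijackThis-style lines, modelled on the entries quoted
# in this thread. Not a real captured log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5B2B6E6F-F7FA-4C9B-A599-C45BAD084964} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Windows Update] C:\Documents and Settings\Phil\Application Data\brisane.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 lines: "O4 - HKLM\..\Run: [<label>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")

# Heuristic (this example's assumption): vendor autostarts almost never live in
# user-writable profile or temp directories.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")
# Heuristic: labels that borrow the name of a Windows component to look harmless.
MIMIC_LABELS = ("windows update", "windows security", "svchost")


def command_path(cmd: str) -> str:
    """Return the executable or DLL path from a Run value, dropping quotes and arguments."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(?P<exe>.*?\.(?:exe|dll|scr|com))", cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def analyze_hjt(log_text: str) -> List[Dict[str, str]]:
    """Flag orphaned BHO registrations and autostarts that run from user-writable paths."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        bho = BHO_RE.match(line)
        if bho:
            # A registered BHO with no name whose DLL no longer exists is a leftover
            # registration; the CLSID is what the cleanup .reg file has to delete.
            if bho.group("name") == "(no name)" and bho.group("missing"):
                findings.append({
                    "kind": "O2", "clsid": bho.group("clsid"), "path": bho.group("path"),
                    "reason": "orphaned BHO: unnamed and its DLL is gone",
                })
            continue
        run = RUN_RE.match(line)
        if not run:
            continue
        path = command_path(run.group("cmd"))
        lowered = path.lower()
        reasons = []
        if any(d in lowered for d in USER_WRITABLE_DIRS):
            reasons.append("autostart runs from a user-writable profile/temp directory")
        if any(k in run.group("label").lower() for k in MIMIC_LABELS) and "\\windows\\" not in lowered:
            reasons.append("label imitates a Windows component but the path is outside the Windows directory")
        if reasons:
            findings.append({
                "kind": "O4", "hive": run.group("hive"), "label": run.group("label"),
                "path": path, "reason": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_HJT_LOG):
        print(f["kind"], f.get("clsid") or f.get("label"), "->", f["path"])
        print("   ", f["reason"])
```

Run against the sample it reports exactly the two entries the thread removed: the jkkjk.dll BHO (the Spybot SDHelper BHO is also unnamed, but its file is present, so it is left alone) and the brisane.exe Run value. Everything else in the log, including the legitimate quoted Program Files entries, passes through untouched.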

psnapp
2007-08-30, 05:49
The SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/30/2007 at 08:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3296
Trace Rules Database Version: 1305

Scan type : Complete Scan
Total Scan Time : 00:22:42

Memory items scanned : 334
Memory threats detected : 0
Registry items scanned : 3702
Registry threats detected : 0
File items scanned : 24096
File threats detected : 0


The new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:02 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\psnapp.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187054032046
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 3926 bytes

This is after deleting the brisane.exe file.

ken545
2007-08-30, 12:35
Log looks fine and SAS found nothing.

How are things running now??

psnapp
2007-08-30, 18:39
Things are running great, I haven't had any slow downs or pop-ups. Thanks a lot for your help, I really appreciate it.

ken545
2007-08-30, 19:31
That's great, glad we could help.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install; don't leave home without them.

Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.



Safe Surfn
Ken