Not sure..



Grasp
2006-11-15, 20:41
I'm not exactly sure what I might have; though it might be 'Smitfraud' it also presides with 'Yazzlesudoku'. I've seen a lot of topics with the same problem a lot lately, but they all end differently so to speak.

Logfile of HijackThis v1.99.1
Scan saved at 10:45:44 AM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{641BF561-0726-1033-0804-040404050001}\Update.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\HJJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C319C98-1CB8-D254-322E-01A8B4B2E421} - C:\WINDOWS\system32\aixdcsj.dll
O2 - BHO: Watch for Browser Events - {42A7CE31-CEE7-4CCE-A060-A44A7E52E062} - E:\PROGRA~1\KEYBOA~1\kie.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6AED46B4-7C47-4CBD-BB01-0625178A4C74} - C:\WINDOWS\system32\ruudxck.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\ljjjiig.dll
O2 - BHO: (no name) - {E647FDE1-C5BF-4C9A-8C99-DFD17595F064} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\fwcjfhtg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [fjtshmg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fjtshmg.dll,qldqfqc
O4 - HKCU\..\Run: [Ceah] "C:\WINDOWS\system32\WNSXS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Wmayuuo] C:\WINDOWS\?ecurity\t?skmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ljjjiig - C:\WINDOWS\SYSTEM32\ljjjiig.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwim32 - C:\WINDOWS\SYSTEM32\winwim32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

shelf life
2006-11-16, 02:56
hi Grasp,

please download and run:

VundoFix by Atri
Please download VundoFix.exe to your desktop.

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.


Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

shelf life

Grasp
2006-11-16, 05:48
VundoFix V6.2.8

Checking Java version...

Sun Java not detected
Scan started at 6:47:03 PM 11/15/2006

Listing files found while scanning....

C:\WINDOWS\system32\fjtshmg.dll
C:\WINDOWS\system32\winwim32.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.bak2
C:\WINDOWS\system32\jjllm.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fjtshmg.dll
C:\WINDOWS\system32\fjtshmg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winwim32.dll
C:\WINDOWS\system32\winwim32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak2
C:\WINDOWS\system32\jjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.8

Checking Java version...

Sun Java not detected
Scan started at 7:02:42 PM 11/15/2006

Listing files found while scanning....

C:\WINDOWS\system32\winwim32.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winwim32.dll
C:\WINDOWS\system32\winwim32.dll Has been deleted!

Performing Repairs to the registry.
Done

-------------------------------------------------------------------------

HJT

Logfile of HijackThis v1.99.1
Scan saved at 7:53:01 PM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Common Files\{641BF561-0726-1033-0804-040404050001}\Update.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\WNSXS~1\wuauboot.exe
C:\WINDOWS\?ecurity\t?skmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\HJJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {10B50D61-9FD4-B427-D78F-C16942DA86C1} - C:\WINDOWS\system32\xui.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06D161E7-3A03-45F6-9938-7C689C603384} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: (no name) - {0C319C98-1CB8-D254-322E-01A8B4B2E421} - C:\WINDOWS\system32\aixdcsj.dll
O2 - BHO: (no name) - {10B50D61-9FD4-B427-D78F-C16942DA86C1} - C:\WINDOWS\system32\xui.dll
O2 - BHO: Watch for Browser Events - {42A7CE31-CEE7-4CCE-A060-A44A7E52E062} - E:\PROGRA~1\KEYBOA~1\kie.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6AED46B4-7C47-4CBD-BB01-0625178A4C74} - C:\WINDOWS\system32\ruudxck.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{341BF561-0726-1033-0804-040404050001}\888.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\ljjjiig.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\fwcjfhtg.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{341BF561-0726-1033-0804-040404050001}\888.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [fjtshmg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\fjtshmg.dll,qldqfqc
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnap.dll,startup
O4 - HKCU\..\Run: [Ceah] "C:\WINDOWS\system32\WNSXS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Wmayuuo] C:\WINDOWS\?ecurity\t?skmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ljjjiig - C:\WINDOWS\SYSTEM32\ljjjiig.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

shelf life
2006-11-17, 03:43
hi Grasp,

first we will use hjt, then run vundo again:
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R3 - URLSearchHook: (no name) - {10B50D61-9FD4-B427-D78F-C16942DA86C1} - C:\WINDOWS\system32\xui.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {06D161E7-3A03-45F6-9938-7C689C603384} - C:\WINDOWS\system32\mlljj.dll

O2 - BHO: (no name) - {0C319C98-1CB8-D254-322E-01A8B4B2E421} - C:\WINDOWS\system32\aixdcsj.dll

O2 - BHO: (no name) - {10B50D61-9FD4-B427-D78F-C16942DA86C1} - C:\WINDOWS\system32\xui.dll

O2 - BHO: (no name) - {6AED46B4-7C47-4CBD-BB01-0625178A4C74} - C:\WINDOWS\system32\ruudxck.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{341BF561-0726-1033-0804-040404050001}\888.dll

O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\ljjjiig.dll

O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\fwcjfhtg.dll

O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{341BF561-0726-1033-0804-040404050001}\888.dll

O4 - HKCU\..\Run: [Ceah] "C:\WINDOWS\system32\WNSXS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Wmayuuo] C:\WINDOWS\?ecurity\t?skmgr.exe
O20 - Winlogon Notify: ljjjiig - C:\WINDOWS\SYSTEM32\ljjjiig.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll

now run vundofix again
-----------------------------------------------------------------------------

first stop:
Download the trial version of AVG Anti-Spyware 7.5 (formerly ewido anti-spyware 4.0) from here:
http://www.ewido.net/en/download/

* Install AVG Anti-Spyware
* The program will now go to the main screen.

You will need to update AVG Anti-Spyware to the latest definition files.

* On the left-hand side of the main screen click the Update Button.
* Click on Start.

The update will start and a progress bar will show the updates being installed.
After the updates are installed:

* Click on Scanner
* Click on Complete System Scan to start the scan process.
* Let the program scan the machine, it may take some time.
* AVG Anti-Spyware will list any infections found on the left hand side.
* When the scan has finished, it will automatically set the recommended action. Click "Apply all actions". AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
* Click OK.


When the scan finishes click on "Save Report", then "Save Report As". This will create a text file.
Save the report to your Desktop.
Close AVG Anti-Spyware
-------------------------------------------------------------------------------
please post a new hjt log, the avg log and the vundofix log.

shelf life
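The fix list above is built by hand from three recurring signs in the two HijackThis logs: unnamed BHOs loading straight from system32, Winlogon Notify hooks that reuse those same DLLs, and a Run entry whose path HJT prints with '?' placeholders. The script below is an added example (not from this thread, VundoFix or HijackThis) that applies those same heuristics over a constructed sample made of lines quoted in the logs above, so the entries a helper would flag can be reproduced offline.

```python
import re

# Constructed sample: lines copied from the HijackThis logs in this thread plus
# two benign entries, so the triage can be exercised offline.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {06D161E7-3A03-45F6-9938-7C689C603384} - C:\\WINDOWS\\system32\\mlljj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKCU\\..\\Run: [Wmayuuo] C:\\WINDOWS\\?ecurity\\t?skmgr.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O20 - Winlogon Notify: mlljj - C:\\WINDOWS\\system32\\mlljj.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""

ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")
SYSTEM32 = re.compile(r"\\windows\\system32\\([^\\\s\",]+\.dll)", re.I)

def parse(log_text):
    """Yield (section, body, original line) for each HijackThis entry line."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()

def triage(log_text):
    """Return [(severity, reason, line)] using three conservative heuristics:
    1. an unnamed BHO/toolbar whose DLL lives directly in system32;
    2. a Winlogon Notify hook that reuses a DLL flagged by rule 1
       (the BHO + Winlogon pairing seen with the Vundo files in this thread);
    3. a Run entry whose path contains '?', which HJT prints for characters
       it cannot display (the t?skmgr.exe entry above)."""
    entries = list(parse(log_text))
    findings, unnamed = [], set()
    for sec, body, line in entries:
        if sec in ("O2", "O3") and "(no name)" in body:
            dll = SYSTEM32.search(body)
            if dll:
                unnamed.add(dll.group(1).lower())
                findings.append(("medium", "unnamed BHO/toolbar loading from system32", line))
    for sec, body, line in entries:
        if sec == "O20":
            dll = SYSTEM32.search(body)
            if dll and dll.group(1).lower() in unnamed:
                findings.append(("high", "Winlogon Notify hook reuses an unnamed BHO DLL", line))
        elif sec == "O4" and "?" in body.split("]", 1)[-1]:
            findings.append(("high", "Run entry path contains undisplayable characters", line))
    return findings

if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {why}: {line}")
```

The Spybot SDHelper.dll entry is also unnamed but sits outside system32, so it is left alone, which matches the helper not listing it.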

LonnyRJones
2006-11-26, 00:59
Due to lack of responses this thread is closed.
If you still need assistance a new log will be needed; send me or Tashi a PM (personal message) and we will re-open it.