Help, Infection! HijackThis Log 12/10/2008

Post by Lif3BlooD » December 10th, 2008, 11:23 pm

Alright, so anyway, about a week ago I got a trojan horse virus.
So I do a scan with AVG and Spybot to try and get rid of the problem.

All seems good, it got rid of them but they kept coming back. It even said it had no problems removing anything.
So now, every couple of days, sometimes every day, I get a new virus and my browser gets hijacked and I get popups.

So let's get down to biz ;)

Here's the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:45 PM, on 12/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - D:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Wfutoboxebodamu] rundll32.exe "D:\WINDOWS\Cnubiwanomohag.dll",e
O4 - HKLM\..\Run: [Bfuguhuqe] rundll32.exe "D:\WINDOWS\owohigusu.dll",e
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BandwidthMeterPro] D:\Program Files\BandwidthMeterPro\BWMeterPro.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "D:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun (User '?')
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide (User '?')
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [] (User '?')
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent (User '?')
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [BandwidthMeterPro] D:\Program Files\BandwidthMeterPro\BWMeterPro.exe (User '?')
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [VeohPlugin] "D:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" (User '?')
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22F162B8-5C2F-4F87-8FA9-0DA3556E39BF}: NameServer = 68.87.72.130,68.87.78.130
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll ekicct.dll oowawf.dll znassm.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: IPSentry Service Manager (SRVIPSEN) - RGE, Inc. - D:\Program Files\RGE INC\IPSentryV5\srvipsen.exe

--
End of file - 7996 bytes


I'll bookmark this and come back later. Thanks for helping!! :king:
Lif3BlooD
Active Member
 
Posts: 6
Joined: December 10th, 2008, 11:15 pm
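Added example, not code from the thread or from HijackThis: a small Python triage pass over a constructed excerpt in HijackThis v2 log format, modelled on the entries in the log above. It flags the entry types a helper reads first here: an O2 BHO registered with no file behind it, O4 Run values that use rundll32 to load a DLL sitting in the Windows root rather than system32, a Run value with an empty name, AppInit_DLLs entries outside a small allowlist, and an O20 Winlogon Notify package whose DLL is missing. The allowlist (only AVG's avgrsstx.dll) is an assumption.

```python
import re
from typing import List, Tuple

# Constructed excerpt in HijackThis v2 log format. The entries are modelled on
# the two logs in this thread but this is not a copy of either log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CA4C1D0-7970-4474-A03C-A3DC223C0236} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Wfutoboxebodamu] rundll32.exe "D:\WINDOWS\Cnubiwanomohag.dll",e
O4 - HKUS\S-1-5-21-1757981266-287218729-839522115-1003\..\Run: [] (User '?')
O20 - AppInit_DLLs: avgrsstx.dll ekicct.dll oowawf.dll znassm.dll
O20 - Winlogon Notify: opnoMdAp - opnoMdAp.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

Finding = Tuple[str, str, str]  # (section code, reason, full entry body)

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
RUN_NAME_RE = re.compile(r"\[(.*?)\]")
# rundll32[.exe] followed by an optionally quoted DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
# a DLL directly under \WINDOWS\ (no further subdirectory such as system32)
WINDOWS_ROOT_DLL_RE = re.compile(r"\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)

# Assumption: AVG's avgrsstx.dll is the only AppInit_DLLs entry that belongs to
# software visible elsewhere in this thread's log; anything else is reported.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section code, entry body) pairs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries: List[Tuple[str, str]]) -> List[Finding]:
    """Return (code, reason, entry) for entries a helper would examine first."""
    findings: List[Finding] = []
    for code, body in entries:
        if code == "O2" and body.endswith("(no file)"):
            findings.append((code, "BHO registered but its DLL is gone", body))
        elif code == "O4":
            name = RUN_NAME_RE.search(body)
            if name is not None and name.group(1) == "":
                findings.append((code, "Run value with an empty name", body))
            dll = RUNDLL_RE.search(body)
            if dll is not None and WINDOWS_ROOT_DLL_RE.search(dll.group(1)):
                findings.append((code, "rundll32 loading a DLL from the Windows root", body))
        elif code == "O20":
            if body.startswith("AppInit_DLLs:"):
                unknown = [d for d in body.split(":", 1)[1].split()
                           if d.lower() not in KNOWN_APPINIT_DLLS]
                if unknown:
                    findings.append((code, "unrecognised AppInit_DLLs: " + " ".join(unknown), body))
            elif body.startswith("Winlogon Notify:") and "(file missing)" in body:
                findings.append((code, "Winlogon Notify package whose DLL is missing", body))
    return findings


def triage_log(text: str) -> List[Finding]:
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for code, reason, entry in triage_log(SAMPLE_HJT_LOG):
        print(f"{code}: {reason}\n    {entry}")
```

The legitimate NvCpl and AVG entries pass through untouched, so the five findings it reports on the sample are exactly the lines the helpers in this thread went on to treat.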

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Noviciate » December 11th, 2008, 8:08 pm

Run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.
Noviciate
MRU Master
 
Posts: 6283
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Lif3BlooD » December 11th, 2008, 10:33 pm

Thanks for the reply; however, when I go to save the list it just closes the program.
I even tried reinstalling it, but to no avail.
Lif3BlooD
Active Member
 
Posts: 6
Joined: December 10th, 2008, 11:15 pm

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Noviciate » December 12th, 2008, 4:09 pm

You need to rename your copy of HijackThis.exe to seek.exe (or anything else you fancy.exe if you prefer as it doesn't matter) and then try again - this particular nasty sometimes interferes with the normal working of HJT and renaming is a simple way to get round it. Renaming the shortcut isn't effective, it must be the executable.
Let me know how you get on.
Noviciate
MRU Master
 
Posts: 6283
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Lif3BlooD » December 12th, 2008, 6:43 pm

It worked.

Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 6.0.1
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adrianne demo by NVIDIA (remove only)
Advertisement Service
AGEIA PhysX v7.09.13
Apple Software Update
ArtMoney SE v7.29
Atmosphere Lite v6.0
Audacity 1.2.6
AVG Free 8.0
Bandwidth Meter Pro 2.6 build 617
Belarc Advisor 7.2
Business Contact Manager for Outlook 2007
Business Contact Manager for Outlook 2007
Call of Duty(R) 4 - Modern Warfare(TM) Demo
Conquer 2.0
Counter-Strike: Source
Crystal Maze
Diablo II
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Eamonn
FINAL FANTASY XI
FlashGet 1.9.0.1012
Free ISO Creator version 2.8
Game Maker 7.0
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB895961-v4)
Hotfix for Windows XP (KB915865)
InterActual Player
ISO Commander 1.6 (remove only)
Java(TM) 6 Update 7
K-Lite Codec Pack 4.0.0 (Full)
Magic ISO Maker v5.5 (build 0261)
Magic ISO Maker v5.5 (build 0272)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008 Equifax Addin
Microsoft Office Accounting 2008 Fixed Asset Manager
Microsoft Office Accounting 2008 PayPal Addin
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.4)
MSXML 6.0 Parser
Nero Suite
NVIDIA Drivers
Oblivion
Oblivion mod manager 1.1.11
Oddworld: Abe's Exoddus
Oddworld: Abe's Oddysee
Otto's Magic Blocks
PDF Settings
PlayOnline Viewer & Tetra Master
Portal
QuickTime
Real Alternative 1.8.0
Realtek High Definition Audio Driver
resident evil 4
SimCity 4 Rush Hour
SPORE™
Spybot - Search & Destroy
Station Launcher
Steam
Team Fortress 2
Unreal Tournament 3 Demo
Vegas Movie Studio Platinum 9.0
Veoh Web Player Beta
VeohTV BETA
VideoLAN VLC media player 0.8.6d
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
WinRAR archiver
World of Warcraft
Lif3BlooD
Active Member
 
Posts: 6
Joined: December 10th, 2008, 11:15 pm

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Noviciate » December 12th, 2008, 7:29 pm

Download Malwarebytes' Anti-Malware from here and save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh HJT log (run in Normal Mode) AND a description of how your PC is behaving.
Noviciate
MRU Master
 
Posts: 6283
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Lif3BlooD » December 12th, 2008, 8:39 pm

So far so good, it seems.
I did the scan, deleted what it found and it told me to do a system reboot so it could remove what it couldn't.

So far, I haven't had any attacks, but before I was getting popup after popup of a 'virus scan' which I'm sure was trying to download more stuff to my computer.
Also I had browser hijacking.

Also, the popups came in 2's.


mbam-log

Malwarebytes' Anti-Malware 1.31
Database version: 1495
Windows 5.1.2600 Service Pack 2

12/12/2008 7:27:36 PM
mbam-log-2008-12-12 (19-27-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 180606
Time elapsed: 50 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 18
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\ggfvpnlj.dll (Trojan.Vundo.H) -> No action taken.
D:\WINDOWS\system32\khfDusPi.dll (Trojan.Vundo.H) -> No action taken.
D:\WINDOWS\system32\ekicct.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\oowawf.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\znassm.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\nonrbo.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ca4c1d0-7970-4474-a03c-a3dc223c0236} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0ca4c1d0-7970-4474-a03c-a3dc223c0236} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{fdb8ef1e-95bf-4e0a-ae46-9eb7e983f863} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{17add98d-e963-4040-bcc9-6383e674d437} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{bd5bbb31-c29f-4b12-b886-129614a0480a} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ca4c1d0-7970-4474-a03c-a3dc223c0236} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ac0dc79c-c13f-4a64-b7f5-2b35074b9b31} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfutoboxebodamu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bfuguhuqe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\khfduspi -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: d:\windows\system32\khfduspi -> No action taken.

Folders Infected:
D:\Documents and Settings\Josh\Application Data\NI.GSCNS (Trojan.Agent) -> No action taken.

Files Infected:
D:\WINDOWS\system32\khfDusPi.dll (Trojan.Vundo.H) -> No action taken.
D:\WINDOWS\system32\iPsuDfhk.ini (Trojan.Vundo.H) -> No action taken.
D:\WINDOWS\system32\iPsuDfhk.ini2 (Trojan.Vundo.H) -> No action taken.
D:\WINDOWS\system32\ggfvpnlj.dll (Trojan.Vundo.H) -> No action taken.
D:\WINDOWS\system32\jlnpvfgg.ini (Trojan.Vundo.H) -> No action taken.
D:\WINDOWS\system32\ekicct.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\oowawf.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\znassm.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\nonrbo.dll (Trojan.Vundo) -> No action taken.
D:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\4TLB2AM2\zc113432[1] (Trojan.Vundo) -> No action taken.
D:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\7TCZE8IZ\index[1] (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\ftivuqmt.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\fxcflmkm.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\gpumwr.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\roybcjii.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\siahgnet.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\gvvlsfgi.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\hriytakw.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\lqcujd.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\jrdoapll.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\udpfijkk.dll (Trojan.Vundo) -> No action taken.
D:\Documents and Settings\Josh\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> No action taken.
D:\Documents and Settings\Josh\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> No action taken.
D:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
D:\WINDOWS\owohigusu.dll (Trojan.Agent) -> No action taken.


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:07 PM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\WINDOWS\system32\nvsvc32.exe
d:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\josh.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CA4C1D0-7970-4474-A03C-A3DC223C0236} - (no file)
O2 - BHO: (no name) - {1C18C32F-FE32-48E3-A0B0-CC1FBC5BEE2B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5BFC2D9D-3E05-4E3B-826F-471B5033AAD9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C87AEA46-992C-49E2-9B56-B25D6BA9B39B} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - D:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BandwidthMeterPro] D:\Program Files\BandwidthMeterPro\BWMeterPro.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "D:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8966318000
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22F162B8-5C2F-4F87-8FA9-0DA3556E39BF}: NameServer = 68.87.72.130,68.87.78.130
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll ekicct.dll oowawf.dll znassm.dll nonrbo.dll
O20 - Winlogon Notify: opnoMdAp - opnoMdAp.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: IPSentry Service Manager (SRVIPSEN) - RGE, Inc. - D:\Program Files\RGE INC\IPSentryV5\srvipsen.exe

--
End of file - 7715 bytes
Lif3BlooD
Active Member
 
Posts: 6
Joined: December 10th, 2008, 11:15 pm

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Noviciate » December 12th, 2008, 9:04 pm

All the MBAM detections show as - No action taken. Did you save the log out of step with the instructions, or did you not fix anything?
Noviciate
MRU Master
 
Posts: 6283
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ
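Added example, not code from the thread or from Malwarebytes: a Python check over a constructed MBAM 1.x log in the format posted above. It tallies the action recorded for each detection, so a log saved before Remove Selected was clicked (every line ending "No action taken.", as in the log the helper queried) is caught at once, and it compares each section's summary count with the lines actually listed, which catches a truncated paste. The sample entries are constructed; the post-removal wording used in the usage note is an assumption about MBAM's output.

```python
import re
from typing import Dict, List, Tuple

# Constructed MBAM 1.x log cut down from the format posted in this thread. Every
# action reads "No action taken." to model a log saved before Remove Selected.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Scan type: Full Scan (C:\|D:\|)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Modules Infected:
D:\WINDOWS\system32\ekicct.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\oowawf.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bfuguhuqe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\khfduspi -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\ekicct.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\system32\oowawf.dll (Trojan.Vundo) -> No action taken.
D:\WINDOWS\owohigusu.dll (Trojan.Agent) -> No action taken.
"""

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
    "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
    "Files Infected",
)
COUNT_RE = re.compile(r"^(%s): (\d+)$" % "|".join(SECTIONS))
# "<object> (<family>) -> [Data: <value> -> ]<action>"
ITEM_RE = re.compile(r"^(.*?) \(([^()]+)\) -> (?:Data: .*? -> )?(.+)$")
PENDING = "No action taken."


def parse_mbam(text: str) -> Tuple[Dict[str, int], Dict[str, List[Tuple[str, str, str]]]]:
    """Return the summary counts and, per section, (object, family, action) lines."""
    counts: Dict[str, int] = {}
    items: Dict[str, List[Tuple[str, str, str]]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            items[section] = []
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            items[section].append((m.group(1), m.group(2), m.group(3)))
    return counts, items


def audit(text: str) -> Dict[str, object]:
    """Summarise what the log says happened to each detection."""
    counts, items = parse_mbam(text)
    by_action: Dict[str, int] = {}
    mismatched: List[str] = []
    for section, entries in items.items():
        # A summary count that disagrees with the listed lines usually means a truncated paste.
        if counts.get(section) != len(entries):
            mismatched.append(section)
        for _obj, _family, action in entries:
            by_action[action] = by_action.get(action, 0) + 1
    pending = by_action.get(PENDING, 0)
    return {
        "actions": by_action,
        "pending": pending,
        "count_mismatch": mismatched,
        "removal_recorded": pending == 0 and sum(by_action.values()) > 0,
    }
```

On the sample, audit() reports eight pending detections and removal_recorded False; a log saved after the fix, where the same lines end in a removal wording such as "Quarantined and deleted successfully.", flips that to True.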

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Lif3BlooD » December 12th, 2008, 9:28 pm

So far so good, it seems.
I did the scan, deleted what it found and it told me to do a system reboot so it could remove what it couldn't.

So far, I haven't had any attacks, but before I was getting popup after popup of a 'virus scan' which I'm sure was trying to download more stuff to my computer.
Also I had browser hijacking.

Also, the popups came in 2's.



Here I quoted myself from the post above; I guess you didn't read the first part.
And yeah, my PC was shutting down as the Notepad with the log of all deleted viruses, except for some which required a reboot.

I saved it before I deleted them is basically what I'm saying.
Lif3BlooD
Active Member
 
Posts: 6
Joined: December 10th, 2008, 11:15 pm

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Noviciate » December 13th, 2008, 11:20 am

I guess you didn't read the first part

I did read it, but it contradicted what the MBAM log said so I checked. Please try to follow the instructions as closely as possible because in certain circumstances it can make a great deal of difference.

Pay a visit to the Kaspersky Online Scanner 7 - I.E. is preferred for this scan.
  • Read the Information panel and then click Accept.
  • Allow the ActiveX download if necessary.
  • Both the anti-virus engine and database will need to be downloaded, which may take a little time.
  • Once this has been completed, select My Computer from the Scan section on the left hand side.
  • Put the kettle on!
  • Although it is recommended by Kaspersky that you should disable your anti-virus scanner before starting this scan, it should work OK with it still active - it does on my PC.
    Although you may find the scan speed increases if you carry out this step, I never like to disable my resident scanner while online, so I don't.
  • When the scan has completed, click View scan report at the bottom.
  • Click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save and pick a location for the file - the Desktop is always handy.
Copy and paste the report into your next reply along with a fresh HJT log, run in Normal Mode, and a description of how your PC is behaving.
Noviciate
MRU Master
 
Posts: 6283
Joined: May 25th, 2005, 4:41 pm
Location: Numpty HQ

Re: Help, Infection! HijackThis Log 12/10/2008

Post by Lif3BlooD » December 17th, 2008, 7:50 pm

Sorry I was gone so long, m8, been chilling at a friend's house for a couple of days.
I can't do this at the moment but I'll get on it when I have time.

Thanks for having patience with me.
Lif3BlooD
Active Member
 
Posts: 6
Joined: December 10th, 2008, 11:15 pm

Re: Help, Infection! HijackThis Log 12/10/2008

Post by NonSuch » December 24th, 2008, 9:15 pm

Due to lack of activity, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California