Adware: Vundo Variant Next Step?

Yesterday I found my computer was infected with several variants of Vundo. I first became aware of a problem when my system ran sluggishly and internet windows with advertising came up randomly. I also got the extortion demands in internet windows for virus software. I believe I got this infection as a result of having an older version of Java on my computer. I believe it was version 1.4. Nevertheless, from reading the forums it was not the latest version.

I ran SuperAntiSpyware and tried to eliminate the virus. However, this did not work until I first uninstalled the old Java program. After I did this SuperAntiSpyware appeared to successfully remove the virus. I ran another SuperAntiSpyware scan and Vundo was not detected. I am not getting random internet pages with advertising anymore. However, I sense that there might still be some issues with Java. Some internet sites load very slowly or not at all.

My question is, should I download and install the newest version of Java (I believe version 1.6)? I was hopeful that this would ensure that Java is under proper control and will hopefully get me to running correctly again. Thank you for any information. :slight_smile:

It is JAVA 1.6 update 5 normally shown as version 6 update 5.

If the sites use JAVA applets then there might be issues as they no longer will be downloaded and run, though I’m not sure this would present itself as slower in loading.
What are these sites, and do they specifically use JAVA applets?

For a very long time I never had JAVA installed as I simply didn't need it; on dial-up I blocked ads, Flash and JAVA to give me more speed, rather than getting more speed by having them. Now, however, there are a couple of sites that require JAVA and I have it installed, and if you are going to have it installed, you must keep it up to date. The only choice is whether you actually need JAVA installed.

:slight_smile: Hi Alley :

Which SPECIFIC version of Java you should have on your computer depends on which SPECIFIC operating system you are using. IF you have Win XP SP2 or later, you should use the latest 1.6 series; IF you have Win XP SP1 or earlier, you should use the 1.5 series.

I am running Win XP SP2 and so I installed the 1.6 series of JAVA. Things are much better now but I do notice a slowness in loading of pages sometimes. Could be destination site I guess but I’ll keep a close eye on things and see how it goes. Can’t tell you how much I appreciate the comments you have made and the information in the forums in general. Thank you.

You're welcome.

I ran SuperAntiSpyware again and found another Vundo appearance. Followed instructions for isolating files then restarted computer and got the following message leading me to believe that something is still going on.

Error loading C:\WINDOWS\systems32\qiqbdpnj.dll
The specified module could not be found

Does it appear that I still have a virus problem or have I lost a necessary windows file? Earlier, I tried to perform a system restore and it failed to complete. Any comments? Thank you.

:slight_smile: Hi Alley :

Since you are continuing to have problems, I recommend you use "VundoFix", available from http://vundofix.atribune.org/; make sure you follow the "Normal Usage for Removal:" instructions.

Hi alleycat. That file would be a Vundo file that was removed by avast. The regkey it's running from is still active. Follow up on Spiritsongs' suggestion.

I wondered if that might be the case, a remaining file trying to reassert itself. I downloaded and ran “Vundo-Fix” as instructed but it came back saying it detected no infected files.

Ok, run this, please follow all the instructions exactly.

It is vitally important that combofix is renamed before it is even started to download

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

OK. I hope I did everything correctly. I stopped Avast On-Access Protection and disabled my firewall in Windows. First, I ran Combo-Fix. The resultant log exceeds posting limitations so I will post it in several sections. Sorry. Report from that operation is as follows:

ComboFix 08-03-14.2 - RF 2008-03-14 16:23:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2432 [GMT -4:00]
Running from: C:\Documents and Settings\RF\Desktop\Combo-Fix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\fse
C:\WINDOWS\BM9f886d86.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ddcaxvu.dll
C:\WINDOWS\system32\dysxiewj.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\stutv.ini2
C:\WINDOWS\system32\uqjbpacb.dll
C:\WINDOWS\system32\wsfvyved.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_SFSYNC02
-------\sfsync02

((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-14 12:06 . 2008-03-14 12:06 d-------- C:\VundoFix Backups
2008-03-12 11:37 . 2008-03-12 19:10 1,320,312 —hs---- C:\WINDOWS\SYSTEM32\jnpdbqiq.ini
2008-03-12 10:15 . 2008-03-12 10:24 1,319,812 —hs---- C:\WINDOWS\SYSTEM32\ghkgnfgv.ini
2008-03-12 05:43 . 2008-03-12 09:30 1,320,223 —hs---- C:\WINDOWS\SYSTEM32\tqpsxchn.ini
2008-03-11 17:25 . 2008-03-11 17:25 37,376 --a------ C:\WINDOWS\SYSTEM32\tuvvuvs.dll.vir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 09:48 --------- d-----w C:\Program Files\Java
2008-03-13 13:21 --------- d-----w C:\Program Files\Common Files\Real
2008-03-12 22:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-12 17:19 --------- d-----w C:\Program Files\iTunes
2008-02-12 17:19 --------- d-----w C:\Program Files\iPod
2008-02-12 17:18 --------- d-----w C:\Program Files\QuickTime
2008-02-05 01:37 75,696 ----a-w C:\Documents and Settings\Robert Ferrara\Application Data\GDIPFONTCACHEV1.DAT
2008-01-14 00:14 --------- d–h–w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 12:24 1694208]
“LDM”=“C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe” [2007-02-18 00:48 67128]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 06:00 15360]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-07-14 00:33 68856]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2008-03-11 17:33 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“IAAnotif”=“C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe” [2004-06-29 12:23 135168]
“CTSysVol”=“C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe” [2003-09-17 11:43 57344]
“CTDVDDET”=“C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE” [2003-06-18 02:00 45056]
“UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 02:00 90112]
“dla”=“C:\WINDOWS\system32\dla\tfswctrl.exe” [2005-05-31 06:33 122941]
“Kernel and Hardware Abstraction Layer”=“KHALMNPR.EXE” [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
“Launch LCDMon”=“C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe” [2006-11-09 12:45 549376]
“Launch LGDCore”=“C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe” [2006-11-09 13:10 1126400]
“CTHelper”=“CTHELPER.EXE” [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
“CTxfiHlp”=“CTXFIHLP.EXE” [2006-08-11 14:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE]
“Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” [2007-03-09 11:09 63712]
“StartCCC”=“C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 12:35 90112]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 08:00 79224]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2008-02-01 00:13 385024]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-02-04 15:18 267048]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 23:16 39792]
“9cbb5e1a”=“C:\WINDOWS\system32\qiqbdpnj.dll”

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“Norton SystemWorks”=“C:\Program Files\Norton SystemWorks\cfgwiz.exe”

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-05 13:40:48 113664]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 16:50:16 577597]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2003-06-24 02:31:35 442368]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-18 00:48:22 67128]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
“DellSupport”=“C:\Program Files\Dell Support\DSAgnt.exe” /startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“RealTray”=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
“DVDLauncher”=“C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe”
“SunJavaUpdateSched”=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
“ISUSPM Startup”=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
“CTHelper”=CTHELPER.EXE
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“C:\Games\World of Warcraft\WoW-1.5.0-enUS-downloader.exe”=
“C:\Games\World of Warcraft\WoW-1.5.1.4449-to-1.6.0-enUS-downloader.exe”=
“C:\WINDOWS\SYSTEM32\RUNDLL32.EXE”=
“C:\WINDOWS\SYSTEM32\DPVSETUP.EXE”=
“C:\Program Files\Firaxis Games\Sid Meier’s Civilization 4\Civilization4.exe”=
“C:\Program Files\Firaxis Games\Sid Meier’s Civilization 4\Warlords\Civ4Warlords.exe”=
“C:\Program Files\Firaxis Games\Sid Meier’s Civilization 4\Warlords\Civ4Warlords_PitBoss.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“C:\Games\THQ\Company of Heroes\RelicCOH.exe”=
“C:\Games\Atari\Neverwinter Nights 2\nwn2main.exe”=
“C:\Games\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe”=
“C:\Games\Atari\Neverwinter Nights 2\nwupdate.exe”=
“C:\Games\Atari\Neverwinter Nights 2\nwn2server.exe”=
“C:\Program Files\Internet Explorer\iexplore.exe”=
“C:\Games\SEGA\Medieval II Total War\medieval2.exe”=
“C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe”=
“C:\Games\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe”=
“C:\Games\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe”=
“C:\Program Files\Firaxis Games\Sid Meier’s Civilization 4\Beyond the Sword\Civ4BeyondSword.exe”=
“C:\Program Files\Firaxis Games\Sid Meier’s Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe”=
“C:\Games\Sierra Entertainment\World in Conflict\wic.exe”=
“C:\Games\Sierra Entertainment\World in Conflict\wic_online.exe”=
“C:\Games\Sierra Entertainment\World in Conflict\wic_ds.exe”=
“C:\Program Files\iTunes\iTunes.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“3724:TCP”= 3724:TCP:Blizzard Downloader
“6112:TCP”= 6112:TCP:Blizzard Downloader
“5353:UDP”= 5353:UDP:Bonjour

R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-23 15:16]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 22:45:48 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-03-04 17:07:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-14 00:10:23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{11FC913C-DF0E-48B3-B14E-D588FCCD1661}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 16:28:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.


.
Completion time: 2008-03-14 16:34:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 20:34:28
.
2008-03-12 07:03:04 — E O F —

HJT report as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:12 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\RF\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM..\Run: [CTDVDDET] “C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE”
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..\Run: [Launch LCDMon] “C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe”
O4 - HKLM..\Run: [Launch LGDCore] “C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe” /SHOWHIDE
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [StartCCC] “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [9cbb5e1a] rundll32.exe “C:\WINDOWS\system32\qiqbdpnj.dll”,b
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18..\Run: [Norton SystemWorks] “C:\Program Files\Norton SystemWorks\cfgwiz.exe” /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [Norton SystemWorks] “C:\Program Files\Norton SystemWorks\cfgwiz.exe” /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User ‘Default user’)
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134718858390
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


End of file - 11171 bytes

Not bad, let’s see if we can get the rest.

BTW, you can attach the logs, by using the additional options button on the reply page. You may have to scroll down a little to see the browse button.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKLM..\Run: [9cbb5e1a] rundll32.exe “C:\WINDOWS\system32\qiqbdpnj.dll”,b
ALL OF THE O15 LINES

Close all other browsers/windows, click fix, close HJT.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

KillAll::

File::
C:\WINDOWS\SYSTEM32\jnpdbqiq.ini
C:\WINDOWS\SYSTEM32\ghkgnfgv.ini
C:\WINDOWS\SYSTEM32\tqpsxchn.ini
C:\WINDOWS\SYSTEM32\tuvvuvs.dll.vir
C:\WINDOWS\SYSTEM32\tuvvuvs.dll
C:\WINDOWS\system32\qiqbdpnj.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000000

This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

[b]note[/b] when doing the combofix fix
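A defender-side triage of the two things the helper singles out above (the O4 entry that runs a random-named DLL through rundll32, and the O15 Trusted Zone lines), plus the Security Center value the CFScript resets, as an added Python example that is not part of the thread. The log lines are constructed to mirror the ones posted, and the heuristics and function names are my own, not HijackThis or ComboFix code.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines modelled on the HijackThis log posted in the thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9cbb5e1a] rundll32.exe "C:\WINDOWS\system32\qiqbdpnj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed excerpt of a ComboFix "Reg Loading Points" section showing the
# Security Center anti-virus notification switched off, as in the thread.
SAMPLE_REG_LOADING_POINTS = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\S*?)\\?\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<host>\S+)(?: \((?P<hive>HKLM)\))?$')
# Accepts straight or curly quotes, since forum rendering often replaces them.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+["\u201c]?(?P<dll>[^"\u201d,]+\.dll)["\u201d]?(?:,(?P<export>\S*))?', re.I)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')        # run-key value name such as 9cbb5e1a
RANDOM_DLL_RE = re.compile(r'^[a-z]{7,8}\.dll$')  # DLL basename such as qiqbdpnj.dll


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the HJT lines a helper would tick for fixing, with the reason for each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = O4_RE.match(line)
        if o4:
            reasons = []
            if HEX_NAME_RE.match(o4.group("name")):
                reasons.append("run-key value name is eight hex digits (randomly generated)")
            r = RUNDLL_RE.search(o4.group("cmd"))
            if r:
                base = r.group("dll").replace("/", "\\").rsplit("\\", 1)[-1]
                if "system32" in r.group("dll").lower() and RANDOM_DLL_RE.match(base):
                    reasons.append(f"rundll32 loads random-named DLL {base} from system32")
                if r.group("export") and len(r.group("export")) == 1:
                    reasons.append("DLL is entered through a single-letter export")
            if reasons:
                findings.append(Finding("O4", line, reasons))
            continue
        o15 = O15_RE.match(line)
        if o15:
            scope = "machine-wide" if o15.group("hive") else "current user"
            findings.append(Finding("O15", line, [
                f"{o15.group('host')} is in the IE Trusted Zone ({scope}); a home PC rarely needs any"]))
    return findings


def hjt_fix_list(findings: List[Finding]) -> List[str]:
    """The exact lines to tick in HJT's 'Do a system scan only' view before clicking Fix."""
    return [f.line for f in findings if f.section in ("O4", "O15")]


SECURITY_CENTER_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"


def security_center_fix(reg_text: str) -> Optional[str]:
    """If the Reg Loading Points show AntiVirusDisableNotify=1 (Security Center's
    anti-virus warning silenced), return the CFScript Registry:: block that restores it."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.lower() == SECURITY_CENTER_KEY.lower()
            continue
        if in_key and re.match(r'["\u201c]AntiVirusDisableNotify["\u201d]=dword:0*1$', line, re.I):
            return f'Registry::\n{SECURITY_CENTER_KEY}\n"AntiVirusDisableNotify"=dword:00000000\n'
    return None


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f.section, "|", f.line)
        for why in f.reasons:
            print("    -", why)
    print(security_center_fix(SAMPLE_REG_LOADING_POINTS) or "Security Center notification is enabled")
```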

Complied with your instructions. Checked the O4 entry for running qiqbdpnj.dll and all O15 (trusted sites) entries and executed the fix instruction. Copied and dropped the script file onto Combo-Fix and the program commenced as you said it would. Am attaching report logs as instructed. Have to do it in separate posts because I am unsure how to post both together in a single attachment. Combo-Fix file attached to this post…

HJT report attached to this post…

Again, my sincerest thanks for your help. BTW the error message for running qiqbdpnj.dll appears to have been put to rest. ;D Also, internet load speeds on some of the sites I was having difficulty with seem to have improved. I feel like I've shaken a load of fleas off of me lol.