Virus can't be cleaned by avast on boot scan

I have this virus named bkeebsdo.dll that avast can't delete even on boot scan…
It pops up so many times and runs iexplore.exe without the browser (I never use Internet Explorer for browsing), and gets my CPU usage to 100%.
I desperately need help on this :o
Here is a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:49 PM, on 5/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\csrcs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\CAFEMA~1\CafeManila.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jccatch.dll (file missing)
O2 - BHO: (no name) - {8cccc570-ac8b-4f5d-bb05-d4290c99cc78} - c:\windows\system32\bzifsst.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM..\Run: [PC Suite for Smartphones] “C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe” /startoptions
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [mRouterConfig] “C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe”
O4 - HKLM..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with Rapidshare Downloader - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jc_all.htm
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O20 - Winlogon Notify: ntkqxhnf - C:\WINDOWS\SYSTEM32\bzifsst.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\


End of file - 6630 bytes

Thank you and God bless.


Welcome to the forums, nikkoh901. :slight_smile:

An analysis of your HJT log shows the following problems :

We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall.

Platform: Windows XP SP2 (WinNT 5.01.2600)
A newer version of the service pack is available. Service packs increase the safety of your system. Visit Microsoft's Windows Update site to download the newest version of the service pack.

C:\WINDOWS\system32\csrcs.exe
BAD entry. Added by the W32/Spybot-EI worm. When started, this infection connects to a remote IRC server where it waits for commands to execute.
http://www.bleepingcomputer.com/startups/CSRCS.EXE-13520.html
The unsafe files using this name are associated with the malware groups:
Cloaked Malware
Worm
Malware Downloader
http://www.prevx.com/filenames/2796897928681251764-X1/CSRCS.EXE.html

C:\PROGRA~1\CAFEMA~1\CafeManila.exe
Questionable entry. There are cracked versions of this cyber cafe management program. Hopefully, you are not using a cracked version.

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
BAD entry. Added by the W32/Spybot-EI worm. When started, this infection connects to a remote IRC server where it waits for commands to execute.
http://www.bleepingcomputer.com/startups/CSRCS.EXE-13520.html
The unsafe files using this name are associated with the malware groups:
Cloaked Malware
Worm
Malware Downloader
http://www.prevx.com/filenames/2796897928681251764-X1/CSRCS.EXE.html

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jccatch.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. jccatch.dll - FlashGet

O2 - BHO: (no name) - {8cccc570-ac8b-4f5d-bb05-d4290c99cc78} - c:\windows\system32\bzifsst.dll
Questionable entry. There are no search results. Therefore, this is a very suspicious entry.

O4 - HKLM..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
BAD entry. Added by the W32/Spybot-EI worm. When started, this infection connects to a remote IRC server where it waits for commands to execute.
http://www.bleepingcomputer.com/startups/CSRCS.EXE-13520.html
The unsafe files using this name are associated with the malware groups:
Cloaked Malware
Worm
Malware Downloader
http://www.prevx.com/filenames/2796897928681251764-X1/CSRCS.EXE.html

O20 - Winlogon Notify: ntkqxhnf - C:\WINDOWS\SYSTEM32\bzifsst.dll
Questionable entry. There are no search results. Therefore, this is a very suspicious entry.
This Registry value, located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, loads a DLL into memory when the user logs in, after which it stays in memory until logoff. Very few legitimate programs use it; most often it is used by trojans or aggressive browser hijackers.
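
The checks made in the analysis above (a Shell or UserInit value that launches more than Explorer/userinit, an unnamed or Temp-resident BHO, an autostart under Policies\Explorer\Run, and any Winlogon Notify DLL) as a small triage script. This is an added example, not part of the thread and not code from HijackThis, avast or MBAM; the sample log lines are constructed from the log posted above, and `Finding`, `triage` and `still_present` are the script's own names.

```python
"""Triage of HijackThis (HJT) log lines, plus a check of which flagged
entries survive into a later log (as the two bzifsst.dll entries did here)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample modelled on the HJT log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {8cccc570-ac8b-4f5d-bb05-d4290c99cc78} - c:\windows\system32\bzifsst.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jccatch.dll (file missing)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O20 - Winlogon Notify: ntkqxhnf - C:\WINDOWS\SYSTEM32\bzifsst.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed "after cleanup" log: the csrcs.exe entries and the dead BHO are
# gone, but the two bzifsst.dll entries remain, as happened in this thread.
CLEANED_LOG = "\n".join(
    l for l in SAMPLE_LOG.splitlines()
    if "csrcs.exe" not in l and "(file missing)" not in l
)


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str   # "bad", "review" or "dead"
    reason: str


# HJT lines look like "O20 - Winlogon Notify: ..." or "F2 - REG:system.ini: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def _extra_programs(value: str, expected: str):
    """Tokens in a Shell/UserInit value whose basename is not the expected one."""
    tokens = [t for t in re.split(r"[ ,]+", value) if t]
    return [t for t in tokens if ntpath.basename(t).lower() != expected]


def _in_temp(path: str) -> bool:
    return "temp" in [p.lower() for p in re.split(r"[\\/]", path)]


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section == "F2" and body.startswith("REG:system.ini: Shell="):
        extra = _extra_programs(body.split("=", 1)[1], "explorer.exe")
        return Finding(line, "bad", "Winlogon Shell launches extra program(s): "
                       + " ".join(extra)) if extra else None

    if section == "F2" and body.startswith("REG:system.ini: UserInit="):
        extra = _extra_programs(body.split("=", 1)[1], "userinit.exe")
        return Finding(line, "bad", "UserInit launches extra program(s): "
                       + " ".join(extra)) if extra else None

    if section == "O2":
        if body.endswith("(file missing)"):
            return Finding(line, "dead", "BHO whose DLL is gone; harmless but can be fixed")
        if "(no name)" in body:
            return Finding(line, "review", "BHO registered without a name")
        if _in_temp(body.rsplit(" - ", 1)[-1]):
            return Finding(line, "review", "BHO loaded from a Temp directory")
        return None

    if section == "O4" and "Policies\\Explorer\\Run" in body:
        return Finding(line, "review", "autostart via Policies\\Explorer\\Run, "
                       "rarely used by legitimate software")

    if section == "O20" and body.startswith("Winlogon Notify:"):
        return Finding(line, "review", "Winlogon Notify DLL stays loaded from logon "
                       "to logoff; few legitimate programs use it")
    return None


def triage(log_text: str):
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def still_present(old_log: str, new_log: str):
    """Flagged entries from the first log that survive unchanged in the second."""
    new_lines = {l.strip() for l in new_log.splitlines()}
    return [f for f in triage(old_log) if f.line.strip() in new_lines]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print("still present after cleanup:", len(still_present(SAMPLE_LOG, CLEANED_LOG)))
```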


(1) There is a newer service pack [XP SP3] available via Microsoft Update…

-= C:\WINDOWS\system32\csrcs.exe
This can be a cloaked malware… Try sending it to VirusTotal for further analysis…

-= C:\PROGRA~1\CAFEMA~1\CafeManila.exe
From what I know, this is a cyber cafe management software… But I cannot assure the harmlessness…

-= F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
Part of csrcs.exe…

-= O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jccatch.dll (file missing)
This is already deactivated & can be fixed…

-= O2 - BHO: (no name) - {8cccc570-ac8b-4f5d-bb05-d4290c99cc78} - c:\windows\system32\bzifsst.dll
Unknown application…

O4 - HKLM..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
Part of csrcs.exe…

-= O20 - Winlogon Notify: ntkqxhnf - C:\WINDOWS\SYSTEM32\bzifsst.dll
Unknown… Might be part of c:\windows\system32\bzifsst.dll

-= Try downloading Malwarebytes Antimalware
or SuperAntiSpyware, install, update & run a scan…

-= Whoa… Sorry, I didn’t notice that Charley already replied… Sorry if I might have doubled any response… Sorry again…

Ohh, thanks for the time…
Any suggestions on what I should do to clean my system?


Try the suggestions by chronoboi001 in his post above.

Overview of running tasks from above HJT log :

smss.exe
System task
Session Manager Subsystem

csrss.exe
System task
Microsoft Client/Server Runtime Server Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ashServ.exe
Virusscan
Avast

spoolsv.exe
System task
Microsoft Printer Spooler Service

nvsvc32.exe
Application
NVIDIA Driver Helper Service

svchost.exe
System task
Microsoft Service Host Process

ashWebSv.exe
Virusscan
avast! Web Scanner

wscntfy.exe
System task
Microsoft Windows Security Center

alg.exe
System task
Application Layer Gateway Service

csrcs.exe
Virus
CSRCS.Exe

RUNDLL32.EXE
System task
Microsoft Rundll32

RTHDCPL.EXE
Driver
Realtek HD Audio Sound Effect Manager

ashDisp.exe
Virusscan
Avast AntiVirus

jusched.exe
Backgroundtask
Sun Java Update Scheduler

VMSnap3.EXE
Unknown task
Unknown task

Domino.EXE
Unknown task
Unknown task

LAUNCH~1.EXE
Backgroundtask
PC Suite

msmsgs.exe
Application
MSN Messenger

mRouterConfig.exe
Backgroundtask
Intuwave Connection Manager

mRouterRuntime.exe
Unknown task
Unknown task

ServiceLayer.exe
Backgroundtask
Nokia Connectivity Library

ymsgr_tray.exe
Backgroundtask
Yahoo! Messenger Server Traybar

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

rundll32.exe
System task
Microsoft Rundll32

svchost.exe
System task
Microsoft Service Host Process

explorer.exe
System task
Microsoft Windows Explorer

taskmgr.exe
System task
The Windows Task Manager.

CafeManila.exe
Unknown task
Unknown task

iexplore.exe
Application
Microsoft Internet Explorer

firefox.exe
Application
Mozilla Firefox

HijackThis.exe
Application
Merijn Hijackthis

wmiprvse.exe
System task
Microsoft Windows Management Instrumentation


EDIT :

Both VMSnap3.EXE & Domino.EXE are cloaked malware.
http://www.prevx.com/filenames/2129164194144577361-X1/VMSNAP3.EXE.html
Both these executables come bundled with the drivers for some webcams.


My internet is so slow for an update =(

Thanks for your replies… sorry for the double post.

Order the SP3 CD:
http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx

That will bring the system up to SP3 level but there will still be a few updates to download.

You should go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Looks like you are using IE6, which is quite vulnerable; IE7 is much better, and now IE8 is available, but it requires adequate RAM on the system.

A scan with MBAM showed this:

Malwarebytes’ Anti-Malware 1.36
Database version: 2104
Windows 5.1.2600 Service Pack 2

5/10/2009 6:58:20 PM
mbam-log-2009-05-10 (18-58-14).txt

Scan type: Quick Scan
Objects scanned: 81594
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) → No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8cccc570-ac8b-4f5d-bb05-d4290c99cc78} (Trojan.Vundo.H) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ntkqxhnf (Trojan.Vundo.H) → No action taken.
HKEY_CLASSES_ROOT\CLSID\{8cccc570-ac8b-4f5d-bb05-d4290c99cc78} (Trojan.Vundo.H) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2f364306-aa45-47b5-9f9d-39a8b94e7ef7} (Trojan.BHO.H) → No action taken.
HKEY_CLASSES_ROOT\CLSID\{2f364306-aa45-47b5-9f9d-39a8b94e7ef7} (Trojan.BHO.H) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vnahnyop (Trojan.Vundo.H) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vnahnyop (Trojan.Vundo.H) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vnahnyop (Trojan.Vundo.H) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8cccc570-ac8b-4f5d-bb05-d4290c99cc78} (Trojan.Vundo.H) → No action taken.
HKEY_CLASSES_ROOT\CLSID\{01f4ae76-3d20-4487-9ded-23781862dfed} (Trojan.Vundo) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01f4ae76-3d20-4487-9ded-23781862dfed} (Trojan.Vundo) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) → No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) → No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) → Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bzifsst.dll (Trojan.Vundo.H) → No action taken.
C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jccatch.dll (Trojan.BHO.H) → No action taken.
C:\WINDOWS\system32\gqkrrqm.dll (Trojan.Vundo.H) → No action taken.
C:\WINDOWS\system32\bkeebsdo.dll (Trojan.Vundo) → No action taken.
C:\WINDOWS\system32\drivers\8991e144.sys (Rootkit.Rustock) → No action taken.
C:\Documents and Settings\kim\Local Settings\Temp\Temporary Internet Files\Content.IE5\KLC7290F\ggcqqdde[1].htm (Trojan.Boaxxe) → No action taken.
C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) → No action taken.
C:\end (Trojan.FakeAlert) → No action taken.

Once again, thank you for your time.

Have MBAM remove what it finds.


Run MBAM again and let it quarantine/remove what is found. Post the new log.


ok and thanks again :slight_smile:

How can I quarantine if MBAM only shows Remove Selected?

Sorry for the noob question.


Then, let it remove as Yokenny suggested.


Here's the new log:

Malwarebytes’ Anti-Malware 1.36
Database version: 2104
Windows 5.1.2600 Service Pack 2

5/10/2009 7:06:01 PM
mbam-log-2009-05-10 (19-06-01).txt

Scan type: Quick Scan
Objects scanned: 81594
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) → Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8cccc570-ac8b-4f5d-bb05-d4290c99cc78} (Trojan.Vundo.H) → Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ntkqxhnf (Trojan.Vundo.H) → Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8cccc570-ac8b-4f5d-bb05-d4290c99cc78} (Trojan.Vundo.H) → Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2f364306-aa45-47b5-9f9d-39a8b94e7ef7} (Trojan.BHO.H) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2f364306-aa45-47b5-9f9d-39a8b94e7ef7} (Trojan.BHO.H) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vnahnyop (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vnahnyop (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vnahnyop (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8cccc570-ac8b-4f5d-bb05-d4290c99cc78} (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01f4ae76-3d20-4487-9ded-23781862dfed} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01f4ae76-3d20-4487-9ded-23781862dfed} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) → Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bzifsst.dll (Trojan.Vundo.H) → Delete on reboot.
C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jccatch.dll (Trojan.BHO.H) → Quarantined and deleted successfully.
C:\WINDOWS\system32\gqkrrqm.dll (Trojan.Vundo.H) → Delete on reboot.
C:\WINDOWS\system32\bkeebsdo.dll (Trojan.Vundo) → Delete on reboot.
C:\WINDOWS\system32\drivers\8991e144.sys (Rootkit.Rustock) → Delete on reboot.
C:\Documents and Settings\kim\Local Settings\Temp\Temporary Internet Files\Content.IE5\KLC7290F\ggcqqdde[1].htm (Trojan.Boaxxe) → Quarantined and deleted successfully.
C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\end (Trojan.FakeAlert) → Quarantined and deleted successfully.

Let me reboot my system to see if the files get deleted.

This is my new HijackThis log…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:52 PM, on 5/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\CAFEMA~1\CafeManila.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {8cccc570-ac8b-4f5d-bb05-d4290c99cc78} - c:\windows\system32\bzifsst.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM..\Run: [PC Suite for Smartphones] “C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe” /startoptions
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [mRouterConfig] “C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe”
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with Rapidshare Downloader - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jc_all.htm
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O20 - Winlogon Notify: ntkqxhnf - C:\WINDOWS\SYSTEM32\bzifsst.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\


End of file - 5933 bytes

And again, thanks for all your help.


These 2 are still there …

O2 - BHO: (no name) - {8cccc570-ac8b-4f5d-bb05-d4290c99cc78} - c:\windows\system32\bzifsst.dll

O20 - Winlogon Notify: ntkqxhnf - C:\WINDOWS\SYSTEM32\bzifsst.dll

Close all windows/programs, run HJT again, click the box to the left of the above 2 entries, scroll down and click on “Fix checked” button. Please do not do anything while HJT does the fix.


Nothing happens…
Those two entries stay the same.

Seems nothing happened; I'm back to 100% usage again…
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:27 AM, on 5/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\CAFEMA~1\CafeManila.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {8cccc570-ac8b-4f5d-bb05-d4290c99cc78} - c:\windows\system32\bzifsst.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM..\Run: [PC Suite for Smartphones] “C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe” /startoptions
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [mRouterConfig] “C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe”
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with Rapidshare Downloader - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jc_all.htm
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\kim\LOCALS~1\Temp\RarSFX0\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O20 - Winlogon Notify: ntkqxhnf - C:\WINDOWS\SYSTEM32\bzifsst.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\


End of file - 6138 bytes

=(