#1 - Registered User (Join Date: Mar 2008, Posts: 8, OS: Vista Business)
Virus!
Hello,
If someone could please help me with my virus problem I would be forever thankful. It started with some .dll error messages and explorer crashes. Symantec Client Security, then AVG after I switched, kept finding trojans and such, including Metajuan and BHO.DFZ. Unfortunately I can't seem to rid myself of whatever it is that is currently infecting the machine. Explorer keeps crashing from time to time. CPU use skyrockets randomly.

I run an ASUS A8JS laptop with Vista fully updated. I have 2 gigs of RAM, my CPU is a Core 2 Duo running at 2.00 GHz, and my hard drive is split into two NTFS partitions, one 66 and the other 44 gigabytes. AVG is up to date, as are Ad-Aware, Spybot, and HJT. I run TweakNow registry cleaner every time I uninstall a program, though I noticed the pinned announcement in this forum regarding registry cleaners. I have run all scans since I first noticed the virus(es).

The RunDLL messages keep popping up on startup with what appear to be random strings of letters as the .dll files. They read: "Error loading C:\Users\Sean\AppData\Local\Temp\mllmj.dll [or] svlsdvlj.dll...etc." Running the scans now appears to have little effect. So, what can I do at this point?

Anyone who has read this, I appreciate your help immensely. I find it incredible that people will help complete strangers over the anonymous Internet. So thanks.

Here's what's in my virus vault:

Virus found Lop | C:\Users\Sean\AppData\Local\Temp\mllmj.dll | 03/01/08 09:02 PM | mllmj.dll | 282.5 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\efcde.dll | 02/29/08 07:26 PM | efcde.dll | 36 KB
Trojan horse BHO.DFZ | C:\Users\Sean\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SDC1PUHE\cmp638[1] | 02/29/08 07:27 PM | cmp638[1] | 89.5 KB
Virus found Win32/PolyCrypt | C:\Users\Sean\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4PKRK5XS\hctp[1] | 02/29/08 07:27 PM | hctp[1] | 82.5 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GXGN8SY2\ptch[2] | 02/29/08 07:27 PM | ptch[2] | 86.5 KB
Trojan horse BHO.DFZ | C:\Users\Sean\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SDC1PUHE\cmp638[1] | 03/01/08 08:54 PM | cmp638[1] | 89.5 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\mllmj.dll | 03/01/08 08:54 PM | mllmj.dll | 282.5 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\aqeptljw.dll | 02/28/08 07:55 PM | aqeptljw.dll | 83 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\dlijkwxj.dll | 02/28/08 07:55 PM | dlijkwxj.dll | 83 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\mitekocw.dll | 02/28/08 07:55 PM | mitekocw.dll | 82.56 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\obrwghii.dll | 02/28/08 07:55 PM | obrwghii.dll | 88.56 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\ogyrbnhy.dll | 02/28/08 07:55 PM | ogyrbnhy.dll | 87 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\rwvokwtt.dll | 02/28/08 07:55 PM | rwvokwtt.dll | 88.56 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\sigbuhak.dll | 02/28/08 07:55 PM | sigbuhak.dll | 83 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\svlsdvlj.dll | 02/28/08 07:55 PM | svlsdvlj.dll | 88 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\tkbxaege.dll | 02/28/08 07:55 PM | tkbxaege.dll | 83 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\usjhjlcw.dll | 02/28/08 07:55 PM | usjhjlcw.dll | 88 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\wmpffkfx.dll | 02/28/08 07:55 PM | wmpffkfx.dll | 84 KB
Trojan horse PSW.Generic4.TGX | C:\Users\Sean\Documents\Downloads\WinRar 3.7 [CRACK INCLUDED 1 jun 2007]\keygen.exe | 02/28/08 07:55 PM | keygen.exe | 310.17 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4PKRK5XS\ptch[1] | 03/01/08 10:49 PM | ptch[1] | 87.5 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GXGN8SY2\hctp[1] | 03/01/08 10:49 PM | hctp[1] | 83.5 KB
Trojan horse Generic9.AQNO | C:\Users\Sean\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SDC1PUHE\tr[1] | 03/01/08 10:49 PM | tr[1] | 160 KB
Trojan horse BHO.DFZ | C:\Users\Sean\AppData\Local\Temp\fvbmkxcy.dll | 03/01/08 10:49 PM | fvbmkxcy.dll | 89.56 KB
Trojan horse Generic9.AQNO | C:\Users\Sean\AppData\Local\Temp\jvimpghb.dll | 03/01/08 10:49 PM | jvimpghb.dll | 160 KB
Virus found Lop | C:\Users\Sean\AppData\Local\Temp\mllmj.dll | 03/01/08 10:49 PM | mllmj.dll | 282.5 KB
Trojan horse BHO.DFZ | C:\Users\Sean\AppData\Local\Temp\sqjhubdv.dll | 03/01/08 10:49 PM | sqjhubdv.dll | 89.56 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp0000dae3 | 03/01/08 10:49 PM | tmp0000dae3 | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp0000e86a | 03/01/08 10:49 PM | tmp0000e86a | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp0000f278 | 03/01/08 10:49 PM | tmp0000f278 | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp00010e61 | 03/01/08 10:49 PM | tmp00010e61 | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp000115a2 | 03/01/08 10:49 PM | tmp000115a2 | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp00011adf | 03/01/08 10:49 PM | tmp00011adf | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp00013aed | 03/01/08 10:49 PM | tmp00013aed | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp0001404a | 03/01/08 10:49 PM | tmp0001404a | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp0002ba0b | 03/01/08 10:49 PM | tmp0002ba0b | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp00108b9c | 03/01/08 10:49 PM | tmp00108b9c | 36 KB
Trojan horse BHO.DGP | C:\Users\Sean\AppData\Local\Temp\tmp026a335b | 03/01/08 10:49 PM | tmp026a335b | 36 KB
Trojan horse BHO.DFZ | C:\Users\Sean\AppData\Local\Temp\uxhbctmy.dll | 03/01/08 10:49 PM | uxhbctmy.dll | 89.56 KB
Trojan horse BHO.DFZ | C:\Users\Sean\AppData\Local\Temp\ykfhjgrv.dll | 03/01/08 10:49 PM | ykfhjgrv.dll | 89.56 KB
Trojan horse BHO.DFZ | C:\Users\Sean\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SDC1PUHE\cmp638[1] | 02/29/08 07:13 PM | cmp638[1] | 89.5 KB
Trojan horse Generic9.AQNO | C:\Users\Sean\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4PKRK5XS\tr[1] | 02/29/08 07:16 PM | tr[1] | 160 KB

AND here is my recent HJT logfile:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:10:27 PM, on 3/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Sean\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HControl] C:\Windows\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2105603624-3057086846-2865395022-1004\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Sean')
O4 - HKUS\S-1-5-21-2105603624-3057086846-2865395022-1004\..\Run: [MS Juan] rundll32 "C:\Users\Sean\AppData\Local\Temp\svlsdvlj.dll",run (User 'Sean')
O4 - HKUS\S-1-5-21-2105603624-3057086846-2865395022-1004\..\Run: [cmds] rundll32.exe C:\Users\Sean\AppData\Local\Temp\mllmj.dll,c (User 'Sean')
O4 - HKUS\S-1-5-21-2105603624-3057086846-2865395022-1004\..\Run: [b86aab02] rundll32.exe "C:\Users\Sean\AppData\Local\Temp\mitekocw.dll",b (User 'Sean')
O4 - HKUS\S-1-5-21-2105603624-3057086846-2865395022-1004\..\Run: [MSServer] rundll32.exe C:\Users\Sean\AppData\Local\Temp\efcde.dll,#1 (User 'Sean')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open With GetRight Browser - C:\Program Files\GetRight\GRdownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O13 - Gopher Prefix: 
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/windowsu...?1169827428125
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DFAF5E0-68ED-4E09-9F4C-A73E6434C6F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DFAF5E0-68ED-4E09-9F4C-A73E6434C6F8}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DFAF5E0-68ED-4E09-9F4C-A73E6434C6F8}: NameServer = 68.105.28.11,68.105.29.11
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PRTG Service (PRTGService) - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: PRTG Watchdog (prtgwatchservice) - Unknown owner - C:\Program Files\PRTG Traffic Grapher\watchdog\prtgwatchdog.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

Thanks again!
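As an added defender-side example (not from the post and not part of HijackThis), the script below parses O4 autostart lines of the kind in Sean's log and flags the pattern behind the RunDLL errors he describes: rundll32 being used to load a DLL out of the user's AppData\Local\Temp directory. The sample lines are copied from the log above; the regular expressions for the O4 line format are my own assumptions.

```python
import re

# Subset of O4 (autostart) lines copied from the HijackThis log in the post above.
HJT_LINES = r"""
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-21-2105603624-3057086846-2865395022-1004\..\Run: [MS Juan] rundll32 "C:\Users\Sean\AppData\Local\Temp\svlsdvlj.dll",run (User 'Sean')
O4 - HKUS\S-1-5-21-2105603624-3057086846-2865395022-1004\..\Run: [cmds] rundll32.exe C:\Users\Sean\AppData\Local\Temp\mllmj.dll,c (User 'Sean')
O4 - HKUS\S-1-5-21-2105603624-3057086846-2865395022-1004\..\Run: [b86aab02] rundll32.exe "C:\Users\Sean\AppData\Local\Temp\mitekocw.dll",b (User 'Sean')
O4 - HKUS\S-1-5-21-2105603624-3057086846-2865395022-1004\..\Run: [MSServer] rundll32.exe C:\Users\Sean\AppData\Local\Temp\efcde.dll,#1 (User 'Sean')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
"""

# Assumed O4 layout: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')", user part optional.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+', re.IGNORECASE)
# Per-user temp directory: legitimate autostart entries essentially never load DLLs from here.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def parse_o4(line):
    """Return hive/name/cmd/user for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def rundll32_target(cmd):
    """DLL path rundll32 was told to load, or None if cmd is not a rundll32 launch."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return None
    rest = cmd[m.end():]
    if rest.startswith('"'):               # quoted path: everything up to the closing quote
        return rest[1:rest.index('"', 1)]
    return rest.split(",", 1)[0]           # unquoted path ends at the first comma

def suspicious_run_entries(text):
    """Autostart entries that use rundll32 to load a DLL from a user's Temp directory."""
    hits = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        path = rundll32_target(entry["cmd"])
        if path and TEMP_RE.search(path):
            hits.append((entry["name"], path, entry["user"]))
    return hits

if __name__ == "__main__":
    for name, path, user in suspicious_run_entries(HJT_LINES):
        print(f"[{name}] loads {path} (user {user})")
```

The same rule applied to the full log flags exactly the four entries under Sean's SID and none of the NVIDIA or Bluetooth rundll32 lines, which load from system32.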
#2 - moderator hardware team
Re: Virus!
Hello Sean and Welcome to TSF.
To get assistance with cleansing your system of malware please follow the 5 steps in the link below and post your log in the HijackThis forum. Our Security team is very busy, so your patience is appreciated. If nobody has replied to your post after 72 hrs, reply to said post with the word "Bump".

IMPORTANT - Read This Before Posting For Malware Removal Help

I'm closing this thread to prevent unqualified persons from offering assistance.