Yeah, that's how I have it.
Download AVG Rootkit Scanner
Run that and allow it to fix anything found. Try to save a log if given the option.
Run it in safe mode or normal?
normal
Thanks for your help.
- Download Vundo Fix and save it to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click Yes.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.
Did you do this?
- Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next post.
Run the Microsoft® Windows® Malicious Software Removal Tool
I also would like you to run at least two of these online scanners and have them fix anything found, please also save any logs they generate.
• BitDefender Online Scan
After you have completed ALL of the above steps then run HJT again and post that new log along with the VundoFix log and any logs from the online scans
Thanks again.
I will go through your logs and get back with you later in the day.
Can you run a NEW HiJackThis scan and post the log here please?
This will help me to know what remains.
Thanks!
Judy
P.S. Am I correct in presuming the activescan log is a Panda scan?
We really need to get this computer clean as fast as possible. As long as you use this infected computer the more infected it can become because everything is so out of date.
Now I notice from your VundoFix log that you have run this program 23 times since July 17th. This is one full month BEFORE you posted here about your problems AND when you did post your problem you made absolutely NO MENTION that you had previously run the VundoFix. I thought it possible when I saw your first HJT log, but...since you failed to mention it then, probably wrongly on my part, I neglected to ask if you had OR suggest that you do run it. I did see remnants of it in your Kaspersky log but since you didn't mention it I didn't realize you had run it within the last month, one reason being the computer was so out of date I thought, wrongly on my part, that it was the result of a previous infection, not a current one. When you post on a forum you must give all pertinent details of ALL the symptoms and ALL the steps you have taken. And I see that you also ran VundoFix at least once on August 19th, before I requested it on the 22nd, but you again failed to report this or post the log.
If you looked at any of those logs you would have seen that the very first thing the VundoFix does is check the Java version and on each and every one of these logs it says;
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Yet you neglected to do this. Each and every log shows pretty much the same files BUT each and every log also shows NEW instances of this infection because, yes you ran the fix but you did not follow up and manually check for these files and remove them and you did not update the java. Your computer has been infected for at least a month longer than it should have been.
I have another program I want you to download and run;
CleanXP+
by our own Turcoloco
This MUST be run in SAFE MODE.
Once in safe mode double click CleanXP+ to run the program.
It will run a standard cleanup first of all the temp, Temporary Internet Files, Cookies, History and Recent, Prefetch and Recycle Bin files on the system. After the standard cleanup, the program will prompt the user to see if a specific file/folder is to be removed.
Please choose Option 1. Remove a File:
These are the files which need to be removed if they remain and the full path to the file must be listed, exactly as they are below. You might save this list to a text file on the computer so that you can copy paste these into the program as you will not be able to refer to this post while in SAFE MODE. I also suggest that you print it out.
Run CleanXP+ and then reboot into normal mode and first run VundoFix again and then run HiJackThis and post these two new logs in your next post. Please don't use the computer for anything else until given the ok.