I share this computer with my roomate, and we both pretty much spend the same amount of time on it. Recently I've been experiencing huge slowdown. Today it got so much worse. I noticed something called the Mirar toolbar that I couldn't disable, and any of my actions took minutes to complete that would normally take a second. So I googled "how to remove Mirar toolbar" and that eventually lead to me downloading Spyware Doctor. It picked up a few things but I can't remove them without being registered. I get maybe 30 Malicious Actions blocked a minute, and it's incredibly annoying.AVG Anti Virus is doing a scan now but it hasn't picked up anything yet.

Attached is a HijackThis log, if anyone could help me it would be greatly appreciated!


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:42:09 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Larry\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll
O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [jiahus] C:\WINDOWS\system32\svchcs.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\system32\jkhfe.dll
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
--
End of file - 8745 bytes

Holy Cow!! What a selection!
First things first, so please do these things in this order:
For a start you have a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please? And move it to a new folder, say alongside your pgm files folder.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.
Read the log - if any files it found were not deleted re-run Vundofix until they are all deletion attempts are successful.
Post the contents of C:\vundofix.txt plus a new HijackThis log.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sect...s/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
...or this new one: http://download.bleepingcomputer.com...a/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Do you have a special desktop backgound? Or is there a new one you did not put there? If that O24 entry means nothing to you, rclick on a blank space on your desktop, go properties, desktop, customize desktop, web, select all components you do not want and delete them. Then navigate to this file and delete it:
C:\Program Files\Internet Explorer\rteremejyfs.html
Come back with those logs..
Btw, I hope you set AVG AS recommended actions to Quarantine....

Vundofix found 3 vundo, entitled "efhkj.bak1.bad" "efhkj.ini.bad" and "jkhfe.dll.bad"

When you say "logs" do you mean from HijackThis?

Here's the log from ComboFix.






ComboFix 07-06-18.2 - C:\Documents and Settings\Larry\Desktop\ComboFix.exe
"Larry" - 2007-06-25 23:06:44 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\inetget2
C:\Program Files\Internet Explorer\rteremejyfs.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\Outerinfo.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\OuterinfoUpdate.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\web buying
C:\Program Files\web buying\v1.7.4\wbuninst.exe
C:\Program Files\web buying\v1.7.4\webbuying.exe
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\core

((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))

2007-06-25 23:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 22:58 <DIR> d-------- C:\Program Files\CCleaner
2007-06-25 22:51 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-25 21:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-25 20:41 1,308,216 --a------ C:\Program Files\imsubtle.exe
2007-06-25 20:24 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-25 20:24 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-25 20:24 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-25 20:24 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-25 20:24 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-25 20:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\PC Tools
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-25 20:23 31,254 --a------ C:\WINDOWS\system32\xxyvsrr.dll
2007-06-25 20:18 <DIR> d-------- C:\Program Files\WinPop
2007-06-25 20:15 31,254 --a------ C:\WINDOWS\system32\opnmlmm.dll
2007-06-25 20:15 172,544 --a------ C:\WINDOWS\system32\bxvymww.dll
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B4
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B3
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B2
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B1
2007-06-25 20:15 <DIR> d-------- C:\Temp\iee
2007-06-25 20:15 <DIR> d-------- C:\Temp
2007-06-25 00:50 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-06-24 22:05 <DIR> d-------- C:\Program Files\Psicraft
2007-06-24 22:05 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Psicraft
2007-06-24 21:35 <DIR> d-------- C:\Program Files\Line6
2007-06-24 21:35 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Line 6

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-26 03:22:22 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Xfire
2007-06-26 03:21:56 -------- d-s---w C:\Program Files\Xfire
2007-06-26 02:51:45 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-06-26 02:46:32 -------- d-----w C:\Program Files\Google
2007-06-26 00:35:57 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Google
2007-06-26 00:15:29 -------- d-----w C:\Program Files\Windows NT
2007-06-23 13:41:51 -------- d-----w C:\Program Files\World of Warcraft
2007-06-19 19:04:30 -------- d-----w C:\Program Files\GCH Guitar academy
2007-06-19 03:43:07 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\IGN_DLM
2007-06-16 05:16:32 -------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2007-06-08 03:42:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-02 22:58:50 -------- d-----w C:\Program Files\Steam
2007-05-20 00:20:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 01:51:20 -------- d-----w C:\Program Files\AGEIA Technologies
2007-05-09 01:51:14 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-09 01:46:54 -------- d-----w C:\Program Files\Timeline Interactive
2007-05-05 06:52:33 -------- d-----w C:\Program Files\e frontier
2007-04-27 18:30:05 -------- d-----w C:\Program Files\Common Files\Alias Shared
2007-04-27 18:28:06 -------- d-----w C:\Program Files\Autodesk
2007-04-27 00:17:01 -------- d-----w C:\Program Files\Alias
2007-04-27 00:10:28 -------- d-----w C:\Program Files\Common Files\AliasWavefront Shared
2007-04-27 00:07:41 -------- d--h--w C:\Program Files\Zero G Registry
2007-04-26 22:12:43 -------- d-----w C:\Program Files\eMedia Guitar Method 1
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 17:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 17:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 17:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 17:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 17:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 17:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 17:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 17:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 17:26:00 5,255,168 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-04-19 17:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 17:26:00 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-04-19 17:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 17:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 17:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 17:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-04-19 17:26:00 3,203,072 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-04-19 17:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 17:26:00 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-04-19 17:26:00 270,336 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-04-19 17:26:00 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-04-19 17:26:00 253,952 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-04-19 17:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 17:26:00 221,184 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 17:26:00 2,973,696 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-04-19 17:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-02-23 07:57:59 88 --sh--r C:\WINDOWS\system32\4BFB238848.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 11:28]
{4A168249-1BF9-4A1D-965C-3EC04A69736B}=C:\Program Files\Windows NT\mewofyn83122.dll [2007-06-18 14:59]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:29]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}=C:\WINDOWS\system32\WinNB58.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{DC192567-65F9-4AB6-ADB7-E13575F81726}=C:\WINDOWS\system32\opnmlmm.dll [2007-06-25 20:15]
{E62D925C-87E0-41DB-8EAF-4019C079FD96}=C:\WINDOWS\system32\jkhfe.dll []
{f692398e-2c9c-4a4d-96e8-b1520eeac2c8}=C:\WINDOWS\system32\bxvymww.dll [2007-06-25 20:15]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" []
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"Cmaudio"="cmicnfg.cpl" []
"@"="" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"atwtusb"="atwtusb.exe" [2005-02-03 10:37 C:\WINDOWS\system32\atwtusb.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpData"="C:\WINDOWS\system32\svch0st.exe" []
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2006-11-07 18:22]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Steam"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49]
"Outerinfo"="C:\Program Files\Outerinfo\Outerinfo.exe" []
"OuterinfoUpdate"="C:\Program Files\Outerinfo\OuterinfoUpdate.exe" []
"WinPop"="C:\Program Files\WinPop\winpop.exe" [2007-06-25 20:18]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-25 20:30]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\rteremejyfs.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\system32\opnmlmm.dll" [2007-06-25 20:15]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmlmm]
opnmlmm.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a15a5a0-aa57-11db-a05a-9ccc57198468}]
AutoRun\command- F:\LaunchU3.exe -a

**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 23:21:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-25 23:23:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-25 23:23
--- E O F ---



Sadly, Mirar and all it's little pop-up pals are still bugging me almost constantly, but there is definitely a change in performance so far.

Post the contents of C:\vundofix.txt. Plus a fresh hijackthis log. And we've barely started on the fix...

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.10
Scan started at 4:29:54 PM 4/30/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 8:25:04 PM 6/25/2007
Listing files found while scanning....

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 10:15:58 PM 6/25/2007
Listing files found while scanning....
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\jkhfe.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jkhfe.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 10:53:31 PM 6/25/2007
Listing files found while scanning....
No infected files were found.




Hijack This Log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:30:09 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\imsubtle.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\opnmlmm.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
--
End of file - 7663 bytes


I didn't mean to imply that this was going slow or anything, I just wanted to say that my computer has sped up by a bit.

That's ok, still a lot of work to do. Run vundofix again please, and post only the vundofix log.

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 11:55:17 PM 6/25/2007
Listing files found while scanning....
No infected files were found.

I assume imsubtle is hijackthis? Cool. I'm not so subtle.
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and leave it for the moment.
==Okay, this time we'll point VundoFix at the remaing vundo pest: Start Vundofix,
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these two pathnames [one per line]:

C:\WINDOWS\system32\opnmlmm.dll

Click the Add Files button, and next the Remove Vundo button.*****

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt
==Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\opnmlmm.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll

Good.
==Start Avenger; select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\WINDOWS\system32\svch0st.exe
C:\Program Files\Outerinfo\Outerinfo.exe
C:\Program Files\Internet Explorer\rteremejyfs.html

Folders to delete:
C:\Program Files\Outerinfo
_____________________________________
...and click Done, and finally the green light.
Follow promps to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt
==Did you carry out the last part of my first post to you re the desktop file?
Please post that log file, plus the new vundofix log and a fresh hijackthis log..

Avenger Log


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sabnfpwk
*******************
Script file located at: \??\C:\WINDOWS\gupbmjui.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

File C:\WINDOWS\system32\svch0st.exe not found!
Deletion of file C:\WINDOWS\system32\svch0st.exe failed!
Could not process line:
C:\WINDOWS\system32\svch0st.exe
Status: 0xc0000034

Could not open file C:\Program Files\Outerinfo\Outerinfo.exe for deletion
Deletion of file C:\Program Files\Outerinfo\Outerinfo.exe failed!
Could not process line:
C:\Program Files\Outerinfo\Outerinfo.exe
Status: 0xc000003a
File C:\Program Files\Internet Explorer\rteremejyfs.html deleted successfully.

Folder C:\Program Files\Outerinfo not found!
Deletion of folder C:\Program Files\Outerinfo failed!
Could not process line:
C:\Program Files\Outerinfo
Status: 0xc0000034

Completed script processing.
*******************
Finished! Terminate.


Hijack This Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:49:12 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\imsubtle.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {D103A75C-9439-48F6-B35A-1804CAD065ED} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
--
End of file - 6296 bytes

VundoFix Log


VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 12:28:06 AM 6/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnmlmm.dll
C:\WINDOWS\system32\opnmlmm.dll Has been deleted!
Performing Repairs to the registry.
Done!



I did a scan before rclicking the white box, I misread your post and removed the 3 items it had. It restarted and deleted one of them, and then I right clicked the white box, and continued following your directions.



And if you meant:

Yes, I went to that folder and deleted it, which was quite simple.


One problem I encountered was fixing

O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll

I couldn't find it, the numbers went from 16 to 22 with nothing in between.

You're doing fine.
That O20? vundofix deleted its file.
Okay, couple more things to fix [incl one I missed putting in cos I was at the time wondering if it was a vundo file..]
Fix these and then restart your sys:

O2 - BHO: (no name) - {D103A75C-9439-48F6-B35A-1804CAD065ED} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html

Do a scan and note if the second entry comes back. Let me know.
The last one - I do not know if this is something to do with the Beta version you are using or not, I would have thought it would not reappear if you deleted the file. Please check the file has not reappeared, and let me know.
Actually, it would not hurt to load this file into Vundofix as you did the previous one and let it look at it:
C:\WINDOWS\system32\bxvymww.dll -show mw the result.

I do not see any resident antivirus service in your sys. Please go into safe mode and run AVG AS -under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.
And next, with Windows firewall activated at least, go to one of these sites and get an AV!! Now.
AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html
Done that? Now get a firewall, a real one, Zonealarm or Kerio.
And Spywareblaster.
JAVA Update:
==Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.1 is current....