
Hey everyone, I am new to the site and, as the name suggests, don't know much about computers, so if anyone has the time, please help.

I was dealing with a Trojan horse Generic6 with AVG and have deleted a file called efffge.dll. Originally, when my PC was still infected by the Trojan horse, the error message came up with "access denied", and since AVG took care of it by deleting the file, Windows now always starts with an error message saying that the module is missing... It would be great if someone could tell me what it's for and what program it belongs to.

Here are the HijackThis notes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:59 AM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\General\Repair tool\hijack\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {2a5e79a8-fccf-43fc-b80f-99515372731e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\efffge.dll",forkonce
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186311373453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\windows\system32\mljjijj.dll
O20 - Winlogon Notify: lzextat - lzextat.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thanks for your time

3 contributors, 10 replies, 11 views, discussion span 10 years, last post by gerbil

It appears that you have a Vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!! Check the Vundofix log for any entries that were not deleted - if present rerun Vundofix !!

= Double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Post the contents of C:\vundofix.txt, C:\Combofix.txt plus a new HijackThis log run in normal mode.


Thanks for your help, gerbil.

This is the VundoFix log:

VundoFix V6.5.7

Checking Java version...

Sun Java not detected
Scan started at 7:49:29 PM 8/17/2007

Listing files found while scanning....

C:\WINDOWS\efffge.dll
C:\WINDOWS\egfffe.ini

Beginning removal...

Attempting to delete C:\WINDOWS\egfffe.ini
C:\WINDOWS\egfffe.ini Has been deleted!

Performing Repairs to the registry.
Done!


This is the ComboFix log:

ComboFix 07-08-14.4 - "Owner" 2007-08-17 20:04:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1684 [GMT 8:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1\tmpE.tmp.exe
C:\WINDOWS\system32\dn5c8f77dc.dat


((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))


2007-08-17 20:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 19:49 <DIR> d-------- C:\VundoFix Backups
2007-08-17 02:42 <DIR> d-------- C:\Program Files\MSBuild
2007-08-17 02:40 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-08-17 02:40 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-08-17 02:39 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-08-17 02:39 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-17 02:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-17 02:38 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-17 02:36 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-08-17 02:35 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-08-17 02:35 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-08-17 02:35 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-08-17 02:08 <DIR> d-------- C:\Program Files\IObit
2007-08-13 19:16 <DIR> d-------- C:\WINDOWS\SpaceForce - Rogue Universe
2007-08-13 19:16 <DIR> d-------- C:\Program Files\DreamCatcher
2007-08-13 19:10 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2007-08-13 18:35 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-13 18:35 740,442 --a------ C:\WINDOWS\system32\divx.dll
2007-08-13 18:35 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-08-13 18:35 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-08-13 18:35 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-13 18:35 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-08-13 18:35 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-13 18:35 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-08-13 18:35 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-08-13 18:35 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Real
2007-08-13 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-08-13 00:18 <DIR> d-------- C:\Program Files\Rockstar Games
2007-08-11 16:49 <DIR> d-------- C:\DOCUME~1\Owner\Contacts
2007-08-11 16:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-11 16:48 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-10 12:19 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-08-10 12:19 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-08-10 12:19 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-08-10 12:19 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-08-10 12:19 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-08-10 12:19 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-08-10 12:19 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-08-10 12:19 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-08-10 12:19 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-08-10 12:19 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-08-10 12:19 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-08-10 12:19 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-08-10 12:19 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-08-10 12:19 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-08-10 12:19 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-08-10 12:19 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-08-10 12:19 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-08-10 12:19 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-08-10 12:19 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-08-10 12:19 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-08-10 12:19 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-08-10 12:19 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-08-10 12:19 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-08-10 12:11 <DIR> d-------- C:\Program Files\CAPCOM
2007-08-07 21:34 <DIR> d--hs---- C:\RECYCLER
2007-08-07 14:09 <DIR> d-------- C:\WINDOWS\NV36723676.TMP
2007-08-07 14:08 <DIR> d-------- C:\NVIDIA
2007-08-07 14:00 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-08-07 14:00 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-08-07 14:00 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-08-07 14:00 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-08-07 14:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2007-08-07 14:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-08-07 14:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-08-07 14:00 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-08-07 14:00 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-08-07 14:00 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-08-07 14:00 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2007-08-07 14:00 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-08-07 12:50 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-07 02:08 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-07 01:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-05 22:14 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-05 22:14 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-05 22:14 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-08-05 22:14 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-05 22:14 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-08-05 22:14 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-08-05 21:24 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-08-05 21:17 <DIR> d-------- C:\Program Files\DeepSilver
2007-08-05 20:36 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-08-05 20:19 <DIR> d-------- C:\Program Files\uTorrent
2007-08-05 20:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-08-05 19:48 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-08-05 19:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-05 18:58 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-05 18:56 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-05 18:56 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-05 18:53 <DIR> d--hs---- C:\DOCUME~1\Owner\UserData
2007-08-05 18:43 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-05 18:43 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-05 18:41 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-05 12:41 <DIR> d-------- C:\Program Files\Activision
2007-08-04 20:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-08-04 19:57 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-04 19:57 <DIR> d-------- C:\WINDOWS\NV936932.TMP
2007-08-04 07:28 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-08-04 07:27 74,240 --a------ C:\WINDOWS\system32\usbui.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-06 16:09 2378 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-08-06 16:08 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-07-19 14:59 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-29 00:43 8466432 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6807328 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-06-29 00:43 6807328 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ C:\WINDOWS\system32\nvucode.bin
2007-06-27 22:34 823808 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 22:34 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 22:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 22:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 22:34 477696 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 22:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 22:34 44544 --a--c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 22:34 384512 --a--c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 22:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 22:34 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 22:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 22:34 232960 --a--c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 22:34 230400 --a--c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 22:34 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 22:34 153088 --a--c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 22:34 132608 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 22:34 124928 --a--c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 22:34 1152000 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 22:34 105984 --a--c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 22:34 102400 --a--c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 16:27 63488 --a--c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 16:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 15:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 14:08 1104896 --a--c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-26 14:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 21:31 282112 --a--c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-19 21:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 18:23 1033216 --a--c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 18:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-05-17 19:28 549376 --a--c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-17 19:28 549376 --a------ C:\WINDOWS\system32\oleaut32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2a5e79a8-fccf-43fc-b80f-99515372731e}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 11:12 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 02:27]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 06:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll,NvStartup" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lzextat]
lzextat.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\mljjijj.dll

Contents of the 'Scheduled Tasks' folder
2007-08-16 16:01:48 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-15 01:01:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-15 02:01:00 C:\WINDOWS\Tasks\At11.job
2007-08-15 03:01:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-15 04:01:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-15 05:01:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-15 06:01:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-16 07:01:48 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-17 08:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-17 09:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-17 10:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-16 17:01:48 C:\WINDOWS\Tasks\At2.job
2007-08-17 11:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-16 12:01:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-16 13:01:00 C:\WINDOWS\Tasks\At22.job
2007-08-16 14:01:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-15 15:01:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-16 18:01:44 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-16 19:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-16 20:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-16 21:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-15 22:01:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\8T3K0Av2.exe
2007-08-15 23:01:00 C:\WINDOWS\Tasks\At8.job
2007-08-16 00:01:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\8T3K0Av2.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-17 20:05:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-17 20:05:28
C:\ComboFix-quarantined-files.txt ... 2007-08-17 20:05

--- E O F ---


There is also a ComboFix quarantined-files list:

2007-08-07 01:43      124774    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpE.tmp.exe.vir
2007-08-08 11:28      110694    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\dn5c8f77dc.dat.vir


Folder PATH listing
Volume serial number is 5C8F-77DC
C:\QOOBOX
\---Quarantine
    +---C
    |   +---DOCUME~1
    |   |   \---Owner
    |   |       \---APPLIC~1
    |   |               tmpE.tmp.exe.vir
    |   |               
    |   \---WINDOWS
    |       \---system32
    |               dn5c8f77dc.dat.vir
    |               
    \---Registry_backups

And these are the HijackThis notes after running the fixes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:56 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\General\Repair tool\hijack\imabunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2a5e79a8-fccf-43fc-b80f-99515372731e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186311373453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\windows\system32\mljjijj.dll
O20 - Winlogon Notify: lzextat - lzextat.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thanks again, gerbil.

Also, I wondered if ComboFix needs to be run in Safe Mode, because I ran it in Normal Mode after restarting.


The ComboFix run in normal mode was fine. Delete C:\Qoobox.
Vundofix: this is a very important line in the instructions:
!! Check the Vundofix log for any entries that were not deleted - if present rerun Vundofix !!
Note that the scan found C:\WINDOWS\efffge.dll but made no attempt to delete it.
Please rerun Vundofix; twice will not hurt. If it still makes no attempt, we shall try something else. Hang on, let's try to cripple these first...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {2a5e79a8-fccf-43fc-b80f-99515372731e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\mljjijj.dll
O20 - Winlogon Notify: lzextat - lzextat.dll (file missing)

Good, now try to delete c:\windows\system32\mljjijj.dll
-this may help: Unlocker 1.8.5
==This one is a general-purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Double-click the exe to install it, unchecking the updater and assistant boxes. It runs from the right-click context menu, and that is cool.
Okay, now run Vundofix.....
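Added example, not part of the thread and not code from HijackThis, VundoFix or ComboFix: a small Python triage script that reads HijackThis log lines and flags the kinds of entries gerbil singles out above (the O4 Run entry that had rundll32 load efffge.dll from the Windows root, BHOs registered with no file behind them, a populated AppInit_DLLs value, and a Winlogon Notify package whose DLL is missing). The rules are the editor's reading of those entries, not a HijackThis feature; the sample lines are copied from the first log posted in this thread, with a few benign AVG, NVIDIA and Windows Live entries left in so the rules have something to pass.

```python
"""Triage HijackThis log lines for the persistence points discussed in this
thread.  Added example: not code from the thread, HijackThis, VundoFix or
ComboFix.  The rules are the editor's reading of the entries gerbil asked to
have fixed; the sample lines are copied from the logs posted above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the first HijackThis log in the thread,
# with benign AVG / NVIDIA / Windows Live entries left in so the rules have
# something to pass.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2a5e79a8-fccf-43fc-b80f-99515372731e} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\efffge.dll",forkonce
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: c:\windows\system32\mljjijj.dll
O20 - Winlogon Notify: lzextat - lzextat.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# rundll32 invocation and the DLL it loads, quoted or not, before the ",export" suffix
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the HJT entries that match one of the persistence-point rules."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, "Running processes:" block, blank lines
        sec, body = m.group("sec"), m.group("body")

        if sec == "O2" and body.endswith("(no file)"):
            # BHO CLSID still registered although its DLL is gone: a loader
            # entry left behind by a removal, which HJT's Fix Checked removes.
            findings.append(Finding(sec, line, "orphaned BHO registration (no file)"))

        elif sec == "O4":
            rd = RUNDLL.search(body)
            if rd and "\\system32\\" not in rd.group("dll").lower():
                # rundll32 itself is a legitimate host; the signal is the DLL
                # being loaded from the Windows root (C:\WINDOWS\efffge.dll)
                # rather than system32, where vendor DLLs such as NvCpl.dll live.
                findings.append(Finding(sec, line, "rundll32 loads a DLL from outside system32"))

        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                # A non-empty AppInit_DLLs value is loaded into every process
                # that links user32.dll; on a home XP box it is normally empty.
                findings.append(Finding(sec, line, "AppInit_DLLs is populated"))

        elif sec == "O20" and body.startswith("Winlogon Notify:") and "(file missing)" in body:
            findings.append(Finding(sec, line, "Winlogon Notify package whose DLL is missing"))
    return findings


def flagged_sections(log_text: str) -> list[str]:
    """Section tags of the flagged entries, in log order, for a quick glance."""
    return [f.section for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file's contents; the rules are deliberately narrow (an entry is flagged only for the reasons written in the comments), so anything it reports still needs the same human check gerbil applies before pressing Fix Checked.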


There is something I don't understand... efffge.dll is no longer affecting the startup of the system. Also, now on startup Windows constantly tells me that there are unread messages, but anyway, that's something else. I will get back to you as soon as I have time to try out your instructions above.


I have done as you asked, and VundoFix doesn't seem to have come up with anything different. Anyway, here is the log for VundoFix:

VundoFix V6.5.7

Checking Java version...

Sun Java not detected
Scan started at 12:25:13 AM 8/23/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.7

Checking Java version...

Sun Java not detected
Scan started at 12:36:17 AM 8/23/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.7

Checking Java version...

Sun Java not detected
Scan started at 12:37:10 AM 8/23/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:08 AM, on 8/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\General\Repair tool\hijack\imabunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186311373453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

0

That looks clean. I don't know what happened to efffge.dll; I think we may assume that VundoFix removed it. VundoFix does occasionally appear to get a little upset by its task, but it does the job nevertheless.
I am afraid that the unread messages part is invisible to me - something you configured, perhaps? Or is it a result of malware, an ad?
If so...
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs]
==Get AVG Anti-Spyware 7.5 here: http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here: http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

0

I have checked my system using the cleaners that you have posted and here is the log from AVG Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:45:39 PM 8/23/2007

+ Scan result:

Nothing found.

::Report end

There is nothing that could have affected my system, and yet the system still has the unread message issue, without Messenger being logged on.

0

Mmm... I'm afraid I cannot help with the MSN Messenger issue - I disabled mine and am totally unfamiliar with it. I imagine it has a message cache somewhere under your user settings [in Documents and Settings]. I am sure there would be config settings also to determine whether it autostarts or prompts you about unread messages in the cache.
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
-this reg entry starts it at Windows start after you log in.
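For readers working through O4 lines like the one quoted above, here is an added example (not part of this thread, and not HijackThis code): a small Python parser that turns each O4 Run entry into a record and classifies its target, so an entry whose DLL has been deleted (the situation behind a "module could not be found" message at logon, as with efffge.dll earlier in the thread) stands out. The sample lines are copied from the log above except the PLACEHOLDER entry, which is hypothetical, and the list of present files is constructed rather than read from disk.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines from the HijackThis log above, plus one
# hypothetical PLACEHOLDER entry pointing at a DLL that is no longer on disk.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Run: [PLACEHOLDER] RUNDLL32.EXE C:\WINDOWS\system32\PLACEHOLDER_deleted.dll,Init
"""

# Constructed stand-in for a directory listing; a live check would use os.path.exists.
PRESENT_FILES = {p.lower() for p in (
    r"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe",
    r"C:\WINDOWS\system32\NvCpl.dll",
    r"C:\Program Files\MSN Messenger\MsnMsgr.Exe",
)}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)(?:\\[^\\]+)?\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def split_command(cmd):
    """Return (executable, module); module is the DLL handed to RUNDLL32, else None."""
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(" ")
    module = None
    if PureWindowsPath(exe).name.lower() == "rundll32.exe":
        module = rest.strip().split(",", 1)[0].strip('"')
    return exe, module

def parse_o4(log_text):
    """Turn each O4 line into a record of hive, value name, executable and DLL."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe, module = split_command(m["cmd"])
            entries.append({"hive": m["hive"], "name": m["name"],
                            "exe": exe, "module": module})
    return entries

def check_targets(entries, present=PRESENT_FILES):
    """'missing': absolute path not on disk (the entry will error at logon);
    'bare': no path given, so the file is resolved via the search path and
    cannot be verified from the log alone."""
    report = {"missing": [], "bare": []}
    for e in entries:
        target = e["module"] or e["exe"]
        if re.match(r"^[A-Za-z]:\\", target):
            if target.lower() not in present:
                report["missing"].append((e["name"], target))
        else:
            report["bare"].append((e["name"], target))
    return report
```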
