Possibly Vundo?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mak5086, Feb 20, 2007.

  1. Mak5086

    Mak5086 Private E-2

    Ran all of your run me first programs except Panda, reason being every time I open Windows Explorer I get bombarded with viruses and redirects. Most are caught by Norton AntiVirus, some are not. The ones I've noticed are Vundo, downloader, drive cleaner.
    I was able to run Spybot in safe mode. CounterSpy and CCleaner I had to run in normal boot mode.
    Also when I try to run firefox browser Windows Explorer opens with various windows for virus or spyware removal tools.
     

    Attached Files:

  2. Mak5086

    Mak5086 Private E-2

    other logs
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please uninstall the following thru add/remove programs:
    J2SE Runtime Environment 5.0 Update 10
    Java 2 Runtime Environment, SE v1.4.1_02
    Java 2 Runtime Environment, SE v1.4.2_06
    Viewpoint Media Player
    Reboot your computer and install:
    Java Runtime 6

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {58FF7395-B48F-41CB-A20C-2FFA2A049EB2} - C:\WINDOWS\system32\nnnkjgd.dll
    O2 - BHO: (no name) - {C9B7B2D6-FB6B-4EF7-A507-462C7380C6B3} - C:\WINDOWS\system32\rqomn.dll
    O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\wveyyrfb.dll
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpem.dll,startup
    O20 - Winlogon Notify: nnnkjgd - C:\WINDOWS\SYSTEM32\nnnkjgd.dll G
    O20 - Winlogon Notify: rqomn - C:\WINDOWS\system32\rqomn.dll
    O20 - Winlogon Notify: wineyx32 - C:\WINDOWS\SYSTEM32\wineyx32.dll

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\nnnkjgd.dll
    C:\WINDOWS\system32\ljjhggh.dll
    C:\WINDOWS\system32\cbxvsss.dll
    C:\WINDOWS\system32\wineyx32.dll
    C:\WINDOWS\system32\wveyyrfb.dll
    C:\WINDOWS\system32\nmoqr.ini
    C:\WINDOWS\system32\rqomn.dll
    C:\WINDOWS\system32\drvpem.dll

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click the unregister .dll's. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
    Scan for Vundo button." when VundoFix appears at reboot.

    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT
    * Vundo log

    Be sure to tell us how things are running.
     
  4. Mak5086

    Mak5086 Private E-2

    Hi, thanks for your response.
    I can't access add/remove programs. I get the message "windows cannot find c\windows\system32\rundll32.exe".
    This wasn't happening before I tried this.
    Also I noticed in the email I got it says install kill the messenger with a link, but on the forum page it says install Java Runtime 6.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try to do all the rest......we will kill the messenger later, if need be.
     
  6. Mak5086

    Mak5086 Private E-2

    While VundoFix was running CounterSpy gave me a warning that VundoFix is attempting to create a trojan program, explorer.exe, and asking me to quarantine it. I haven't done anything yet.
    What should I do?
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Uninstall Counterspy, as we are done with it.
     
  8. Mak5086

    Mak5086 Private E-2

    I use CounterSpy regularly. I have a subscription. It's asking me to quarantine, allow or block this action by VundoFix.
     
  9. Mak5086

    Mak5086 Private E-2

    VundoFix finished before I could do anything. I chose block just to close the warning window from CounterSpy. Not sure if it did anything.
    When I rebooted Norton AntiVirus caught some virus attempts, Vundo, Infostealer, then Vundo again. Each time it said the file was automatically deleted.
    After running Killbox I got the PendingFileRenameOperations prompt.
    Logs are attached.
    I've noticed a new hidden file on my desktop; desktop.ini
     

    Attached Files:

  10. Mak5086

    Mak5086 Private E-2

    Hijack this log
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download and run Prevx1

    Attach the log as well as:
    GetRun
    ShowNew
    HJT
     
  12. Mak5086

    Mak5086 Private E-2

    Ran Prevx, program froze while validating 9 malware. I see 8 in jail.
    Still cannot access add/remove programs.
    Here are the logs.
     

    Attached Files:

  13. Mak5086

    Mak5086 Private E-2

    Prevx log fails to upload.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {58FF7395-B48F-41CB-A20C-2FFA2A049EB2} - (no file)
    O2 - BHO: (no name) - {B8202A18-F606-4F74-B1C4-E9E659644585} - (no file)
    O2 - BHO: (no name) - {C12EA335-F195-4455-B10E-ED72EDF251CF} - C:\WINDOWS\system32\rqomn.dll (file missing)
    O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\gldjrhbe.dll
    O20 - Winlogon Notify: hgdee - C:\WINDOWS\
    O20 - Winlogon Notify: nnnkjgd - C:\WINDOWS\
    O20 - Winlogon Notify: wineyx32 - C:\WINDOWS\

    After clicking Fix, exit HJT.

    Now Download this file - ComboFix
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Attach the logs for:
    * GetRunKey
    * ShowNew
    * HJT
     
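    An added triage helper (not a MajorGeeks tool and not part of this thread) that parses HijackThis entries of the kind TimW lists in posts 3 and 14 and flags the signals he acted on: a blanked R0 setting, unnamed or dangling O2 BHOs, non-stock O20 Winlogon Notify packages, and one DLL registered as both a BHO and a Notify handler. The sample entries are copied from those two posts plus one stock crypt32chain line added for contrast; the STOCK_NOTIFY allowlist is a partial list assumed for this example.

```python
import re

# HijackThis entries copied from the posts above (plus one stock crypt32chain line for contrast).
HJT_LINES = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
O2 - BHO: (no name) - {58FF7395-B48F-41CB-A20C-2FFA2A049EB2} - C:\\WINDOWS\\system32\\nnnkjgd.dll
O2 - BHO: (no name) - {B8202A18-F606-4F74-B1C4-E9E659644585} - (no file)
O2 - BHO: (no name) - {C12EA335-F195-4455-B10E-ED72EDF251CF} - C:\\WINDOWS\\system32\\rqomn.dll (file missing)
O20 - Winlogon Notify: nnnkjgd - C:\\WINDOWS\\SYSTEM32\\nnnkjgd.dll
O20 - Winlogon Notify: wineyx32 - C:\\WINDOWS\\SYSTEM32\\wineyx32.dll
O20 - Winlogon Notify: crypt32chain - C:\\WINDOWS\\system32\\crypt32.dll
"""
# Stock XP Winlogon Notify package names; partial list, an assumption of this example.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
DLL_RE = re.compile(r"[A-Za-z]:\\[^\s,]+?\.dll", re.IGNORECASE)

def parse(text):
    """Yield (section, body) for each well-formed HijackThis entry, e.g. ('O2', 'BHO: ...')."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def triage(text):
    """Return {item: [reasons]} for entries that warrant review before clicking Fix."""
    findings, loaders = {}, {}          # loaders: dll basename -> sections loading it
    note = lambda key, why: findings.setdefault(key, []).append(why)
    for sec, body in parse(text):
        dll = DLL_RE.search(body)
        name = dll.group(0).rsplit("\\", 1)[-1].lower() if dll else None
        if name:
            loaders.setdefault(name, set()).add(sec)
        if sec == "R0" and body.rstrip().endswith("="):
            note(body.split(",")[-1].rstrip(" ="), "IE setting left blank (hijack residue)")
        elif sec == "O2" and "(no name)" in body:
            if "(no file)" in body or "(file missing)" in body:
                note(name or body.split(" - ")[-2], "dangling BHO CLSID, file already gone")
            else:
                note(name, "unnamed BHO loading a DLL from system32")
        elif sec == "O20" and name:
            pkg = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if pkg not in STOCK_NOTIFY:
                note(name, f"non-stock Winlogon Notify package '{pkg}'")
    for name, secs in loaders.items():
        if {"O2", "O20"} <= secs:   # the Vundo pattern in this thread: BHO + Winlogon Notify
            note(name, "same DLL is both a BHO and a Winlogon Notify handler")
    return findings
```

    Running triage(HJT_LINES) leaves the crypt32chain line alone and reports nnnkjgd.dll on three counts, which is the entry TimW targets in both posts.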
  15. Mak5086

    Mak5086 Private E-2

    After trying to run ComboFix I immediately got this message in Notepad:

    (The tool, ComboFix has been temporarily withdrawn.

    The author discovered a rootkit infection that will interfere with ComboFix's running.

    This will cause Combofix to be UNSAFE FOR USE on your machine.

    Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL

    Apologies for any inconvenience caused)
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the rest and attach the logs.
     
  17. Mak5086

    Mak5086 Private E-2

    Here are the logs.
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to start / run and type "cleanmgr" without quotes and run the cleaner.

    Let me know how things are working.
     
  19. Mak5086

    Mak5086 Private E-2

    Aside from not being able to access "add/remove programs", everything else seems to be fine so far.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First, to check whether the Add/Remove applet is alive and well, go to Start>Run, type in "appwiz.cpl" (without the quotes) and click OK (or press Enter).

    If the Add/Remove applet starts, then it's a problem with the shortcuts. The easiest and most immediate way to fix it is to go to C:\Windows\System32 folder, find the appwiz.cpl file and put a shortcut to it somewhere handy.

    If it doesn't start, you can try replacing it with a new copy through System File Checker. Rather than running the whole SFC routine, you can go to Start>Run, type in "msconfig" (without the quotes), click OK and on the General tab, click the "Expand File" button. Tell it you want to extract appwiz.cpl, tell it to extract it from either C:\I386 or your XP CD (which you'll need to put in the CD drive) and tell it to extract it to C:\Windows\System32.
     
  21. Mak5086

    Mak5086 Private E-2

    Add/remove programs will not run from the Run command, it asks me which program I would like to use to open it.

    C:\l386 doesn't seem to exist, assuming that first character is an "el".

    I don't have a stand-alone XP CD. I have 3 recovery CDs that came with the computer. When asked to extract from and I browse to the CD drive it only gives me the option to look for .cab files (I tried all 3 CDs), I can't change this.

    The error message I get when I try to run "add/remove" from control panel is "windows cannot find c\windows\system32\rundll32.exe"
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you run Spybot Search & Destroy in recent times? Check its backups. It has been known to remove the rundll32.exe file in conjunction with SmitFraud-C infections. If this is what happened, you can just restore it from the backup.
     
  23. Mak5086

    Mak5086 Private E-2

    I did run Spybot Search & Destroy before my first post, but I don't see the rundll32.exe file in the backup. Only some registry keys, two of which had something to do with SmitFraud.
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can try replacing it with a new copy through System File Checker. Rather than running the whole SFC routine, you can go to Start>Run, type in "msconfig" (without the quotes), click OK and on the General tab, click the "Expand File" button. Tell it you want to extract appwiz.cpl, tell it to extract it from either C:\I386 or your XP CD (which you'll need to put in the CD drive) and tell it to extract it to C:\Windows\System32.

    And it is i386 not el386.
     
  25. Mak5086

    Mak5086 Private E-2

    Expand File doesn't seem to work. When I put in the information and hit Expand File, nothing happens.
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You opened msconfig, hit the tab at the bottom of the General page for Expand File, got a popup box to put in the restore file, then restore from ... save in ... you did all that?
    Did you browse for the file? Was it found in a backup i386 folder? Do you have a backup partition? Did you browse for it on the restore CDs?
     
  27. Mak5086

    Mak5086 Private E-2

    I opened msconfig, hit the tab at the bottom of the General page for Expand File, got a popup box to put in the restore file, then restore from; when I try to browse for the file, the files of type line only lets me look for .cab files, I can't change this.

    I found two i386 folders. C:\Windows\I386\APPWIZ.CP_: I tried typing that in directly, then save in C:\Windows\system 32. I hit Expand, the window closed, then hit OK to get out of the System Configuration Utility, then restart.

    The other i386 folder, C:\Windows\ServicePackFiles\i386, with the appwiz.cpl file. Tried the same thing.

    I don't have a backup partition. I don't have a stand-alone XP CD. I have 3 recovery CDs that came with the computer. When asked to extract from and I browse to the CD drive it only gives me the option to look for .cab files (I tried all 3 CDs), I can't change this.

    I've also noticed I can't access my display settings, mouse or keyboard settings.
     
    Last edited: Feb 25, 2007
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If these are the only problems ....no longer having malware problems ...I would suggest you post in the software section.

    However, if you can borrow an XP CD (your version ... Home or Pro) then go to start / run / and type sfc /scannow and have the disc ready.

    Note the space between the c and the /!
     
  29. Mak5086

    Mak5086 Private E-2

    I got everything to work by "copying" the rundll32.exe file from C:\Windows\ServicePackFiles\i386 to C:\Windows\System32.
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There ya go .....You may uninstall any programs we had you download.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  31. Mak5086

    Mak5086 Private E-2

    Thanks for all your help!
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem ....safe surfing.
     