Author Topic: rundll32.exe being used against me...  (Read 2817 times)


Mikromancer

  • Guest
rundll32.exe being used against me...
« on: February 26, 2009, 09:59:57 PM »
Hey there, I have an interesting problem. I had a suspicious popup the other day asking if I wanted to install something; I hit the little X in the corner, as you are wont to do. Only it installed something anyway, and before I could even blink it was finished installing. Avast can't even see it. Now Rundll32.exe starts on startup, running a bogus DLL from windows/system32. I tried to ice the little bugger, and it comes back with a different randomised name. I went to VirusTotal, which scans using multiple scanners, on advice from tech support, and it came back with 60% of them saying Vundo. So I went and got the latest VundoFix. That didn't work either. Tech support told me to come here...

I'm including my HijackThis log. There are a couple of things in there that I've killed with HijackThis, but they always seem to come back. I'm running MBAM now; I had run it before, but I forgot to update it.

The two highlighted in red seem to be the same as the ones I've killed before.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:36 AM, on 2/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\DOCUME~1\Mikro\LOCALS~1\Temp\Rar$EX00.750\procexp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Mikro\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
-------------------------------------------------------------------------------------------
O2 - BHO: (no name) - {5F830104-ABA6-43C1-B906-25D80D3C640F} - C:\WINDOWS\system32\cbXRLDsS.dll (file missing)
-------------------------------------------------------------------------------------------
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {33ee91ed-8e6c-565b-6fb4-941f7e9e411d} - {d114e9e7-f149-4bf6-b565-c6e8de19ee33} - C:\WINDOWS\system32\ojachg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
-------------------------------------------------------------------------------------------------
O2 - BHO: (no name) - {DCBE3AE1-43B4-4E83-8945-894E0F64EF45} - C:\WINDOWS\system32\vtUlMETm.dll
-------------------------------------------------------------------------------------------------
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8AAB273-9465-4563-8BBB-ECFE3E3C86C3}: NameServer = 123.100.71.1,123.100.71.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5613 bytes


Not sure what else I can post that would be of use.

Thanks for any help that may come :)
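As an added defender's example (not code from the thread, HijackThis or the helpers), a small Python triage that applies the same reasoning CharleyO and Jtaylor83 use on the O2 BHO lines above: an entry with no name, a CLSID where a name should be, a missing file, a DLL sitting in system32 rather than Program Files, or a random-looking mixed-case filename collects suspicion signals. The signal names, the case-transition heuristic and the threshold of two signals are my assumptions; the sample lines are copied from the log in this post.

```python
import re
from typing import List, NamedTuple, Tuple

# O2 lines copied from the HijackThis log above (raw string keeps the backslashes).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {5F830104-ABA6-43C1-B906-25D80D3C640F} - C:\WINDOWS\system32\cbXRLDsS.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {33ee91ed-8e6c-565b-6fb4-941f7e9e411d} - {d114e9e7-f149-4bf6-b565-c6e8de19ee33} - C:\WINDOWS\system32\ojachg.dll
O2 - BHO: (no name) - {DCBE3AE1-43B4-4E83-8945-894E0F64EF45} - C:\WINDOWS\system32\vtUlMETm.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
"""

# HJT O2 format: "O2 - BHO: <name> - <clsid or marker> - <path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\S+) - (?P<path>.+)$")
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

class Finding(NamedTuple):
    path: str
    signals: Tuple[str, ...]

def case_transitions(stem: str) -> int:
    """Count adjacent letter pairs that flip case ("cbXRLDsS" -> 3); legitimate
    vendor DLL names rarely do this, randomly generated ones often do (assumed heuristic)."""
    return sum(1 for a, b in zip(stem, stem[1:])
               if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())

def bho_signals(name: str, path: str) -> Tuple[str, ...]:
    """Return the suspicion signals one O2 entry triggers (signal names are assumptions)."""
    sig = []
    if name == "(no name)":
        sig.append("no_name")
    if CLSID_RE.match(name):          # a CLSID used as the display name
        sig.append("clsid_as_name")
    if path == "(no file)" or "(file missing)" in path:
        sig.append("file_missing")
    if "\\windows\\system32\\" in path.lower():   # browser helpers normally live under Program Files
        sig.append("in_system32")
    stem = re.sub(r"\s*\(file missing\)$", "", path).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if case_transitions(stem) >= 3:
        sig.append("random_case")
    return tuple(sig)

def triage_bho_entries(log_text: str, threshold: int = 2) -> List[Finding]:
    """Parse every O2 line and keep those with at least `threshold` signals."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            sig = bho_signals(m["name"], m["path"])
            if len(sig) >= threshold:
                findings.append(Finding(m["path"], sig))
    return findings

if __name__ == "__main__":
    for f in triage_bho_entries(SAMPLE_LOG):
        print(f.path, "->", ", ".join(f.signals))
```

Run against the full log it flags exactly the four O2 entries the helpers single out and leaves the two Java helpers alone.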

CharleyO

  • Guest
Re: rundll32.exe being used against me...
« Reply #1 on: February 27, 2009, 12:10:24 AM »
***

An analysis of your HJT log shows the below:

A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack.

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall.

C:\Documents and Settings\Mikro\Desktop\hijackthis\HijackThis.exe
[ Remember that HijackThis must be run in its own folder. Only if HijackThis runs in its own folder will it create backups! ]

O2 - BHO: (no name) - AutorunsDisabled - (no file)
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {5F830104-ABA6-43C1-B906-25D80D3C640F} - C:\WINDOWS\system32\cbXRLDsS.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. Also, I found no information on this entry, and it is therefore suspicious.

O2 - BHO: {33ee91ed-8e6c-565b-6fb4-941f7e9e411d} - {d114e9e7-f149-4bf6-b565-c6e8de19ee33} - C:\WINDOWS\system32\ojachg.dll
Unknown application. I found no information.

O2 - BHO: (no name) - {DCBE3AE1-43B4-4E83-8945-894E0F64EF45} - C:\WINDOWS\system32\vtUlMETm.dll
Unknown application. I found no information.

O24 - Desktop Component 0: (no name) - (no file)
Very bad. Must be fixed.

Before you fix these, I suggest that HJT be downloaded into its own folder (not on the desktop as it is now) so that HJT will create a backup. Then, checkmark the boxes beside the above entries and click the "Fix Checked" button.

Mikromancer

  • Guest
Re: rundll32.exe being used against me...
« Reply #2 on: February 27, 2009, 06:14:32 AM »

OK, so the virus has been fixed with MBAM and HJT,

but

O24 - Desktop Component 0: (no name) - (no file)
Very bad. Must be fixed.


Why is this bad and how do I fix it?

Jtaylor83

  • Guest
Re: rundll32.exe being used against me...
« Reply #3 on: February 27, 2009, 06:47:39 AM »
O2 - BHO: (no name) - {DCBE3AE1-43B4-4E83-8945-894E0F64EF45} - C:\WINDOWS\system32\vtUlMETm.dll

Possible Vundo.

O2 - BHO: {33ee91ed-8e6c-565b-6fb4-941f7e9e411d} - {d114e9e7-f149-4bf6-b565-c6e8de19ee33} - C:\WINDOWS\system32\ojachg.dll

Possible backdoor trojan/fake alert.


CharleyO

  • Guest
Re: rundll32.exe being used against me...
« Reply #4 on: February 27, 2009, 08:15:13 AM »
***

...... how do I fix it?


Quote
Before you fix these, I suggest that HJT be downloaded into its own folder (not on the desktop as it is now) so that HJT will create a backup. Then, checkmark the boxes beside the above entries and click the "Fix Checked" button.



***