Trojan Viruses & "bad image"

Original Message
Name: Mike06j770
Date: March 25, 2008 at 18:48:58 Pacific
Subject: Trojan Viruses & "bad image"
OS: Windows XP
CPU/Ram: Pentium 4
Model/Manufacturer: HP m380n
Comment:
I keep on getting bad image messages such as c:\windows\system32\jkkjh.dll & c:\windows\system32\eebqbvln.dll among many others. Also, I just tried to do system recovery and a blue screen popped up saying Session3_initialization_failed and will not let me do recovery. Also, I ran Spyware Doctor and viruses are still showing up. I'm not sure how to go about this but any help would be greatly appreciated.





Response Number 1
Name: Adii
Date: March 28, 2008 at 00:25:13 Pacific
Subject: Trojan Viruses & "bad image"
Reply:
Hi,
Your system is badly infected with WinFixer and VirtuMonde variants!
Let's make a start on removing them.

Download the "HijackThis" Installer from this link:

http://www.trendsecure.com/portal/e...


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Post Hijackthis Log in your next reply.



Response Number 2
Name: Mike06j770
Date: March 28, 2008 at 16:07:20 Pacific
Subject: Trojan Viruses & "bad image"
Reply:

Thanks for the quick response. I have the following viruses: Adware.Vundo, Trojan-Downloader.Agent.BL, Trojan-PWS.OnlineGames.ES, GEN, TEA, QPA; Trojan.Vaklik.ot, Trojan-Spy.Pophot.Wx, Trojan.Virtumode, Trojan.Agent!sd5 and Virus.Win32.Trats.

Here is my scan:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:34 PM, on 3/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\ehome\ehRec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Spyware Doctor\pctsTray .exe
C:\WINDOWS\System32\inf\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Fonts\syn00-03-8A-00-00-15\system\smss.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\System32\khfgfgh.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {8B37BD75-E72F-4B26-9DB7-88A2FE95E391} - C:\WINDOWS\System32\jkkjh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\syn00-03-8A-00-00-15\system\smss.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [e89cd677] rundll32.exe "C:\WINDOWS\System32\sxmejvux.dll",b
O4 - HKLM\..\Run: [inudhya] C:\WINDOWS\Fonts\syn00-03-8A-00-00-15\system\1a .exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\Policies\Explorer\Run: [Userinit] C:\WINDOWS\System32\inf\svchost.exe C:\WINDOWS\System32\lwisys16_071126.dll start
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: office.lnk = C:\WINDOWS\system\sslxpes071126.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/open... (file missing)
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://primis.ebrary.com/support/pl...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O20 - Winlogon Notify: khfgfgh - C:\WINDOWS\SYSTEM32\khfgfgh.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7221 bytes



Response Number 3
Name: Adii
Date: March 28, 2008 at 23:39:34 Pacific
Subject: Trojan Viruses & "bad image"
Reply:
Please run HijackThis again and click "Scan." Place checks next to the following entries:


O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\syn00-03-8A-00-00-15\system\smss.exe
O4 - HKLM\..\Run: [e89cd677] rundll32.exe "C:\WINDOWS\System32\sxmejvux.dll",b
O4 - HKLM\..\Run: [inudhya] C:\WINDOWS\Fonts\syn00-03-8A-00-00-15\system\1a .exe
O4 - HKLM\..\Policies\Explorer\Run: [Userinit] C:\WINDOWS\System32\inf\svchost.exe C:\WINDOWS\System32\lwisys16_071126.dll
O4 - Global Startup: office.lnk = C:\WINDOWS\system\sslxpes071126.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Close all browsers and other windows except for HijackThis, and click "Fix checked".

Download Combofix by sUBs and save to your desktop.

(If you have previously downloaded ComboFix, please delete that version now.)


Download link:
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...

Note
It is important that it is saved directly to your desktop.

Close any open browsers.

Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Note
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

*Do Safe Computing*
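
The by-eye triage of the HijackThis log in Response Number 3, as an added example that is not part of the thread and not how HijackThis itself works. The three heuristics, and the names `reasons` and `triage`, are assumptions made for illustration; the sample lines are an excerpt of the log posted in Response Number 2.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the HijackThis log posted in Response Number 2 (not the full log).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\inf\svchost.exe
C:\WINDOWS\Fonts\syn00-03-8A-00-00-15\system\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8B37BD75-E72F-4B26-9DB7-88A2FE95E391} - C:\WINDOWS\System32\jkkjh.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TBMonEx] C:\WINDOWS\Fonts\syn00-03-8A-00-00-15\system\smss.exe
O4 - HKLM\..\Policies\Explorer\Run: [Userinit] C:\WINDOWS\System32\inf\svchost.exe C:\WINDOWS\System32\lwisys16_071126.dll start
"""

# Assumed heuristics (illustrative only): core Windows process names are
# expected directly in System32, and nothing executable belongs under Fonts.
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\System32")
FONTS = PureWindowsPath(r"C:\WINDOWS\Fonts")
SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll)', re.IGNORECASE)

def reasons(path):
    """Return the heuristic reasons a single file path looks out of place."""
    p = PureWindowsPath(path)  # Windows path comparison is case-insensitive
    out = []
    if p.name.lower() in SYSTEM_IMAGES and p.parent != SYSTEM32:
        out.append("system process name outside System32")
    if FONTS in p.parents:
        out.append("executable under the Fonts directory")
    return out

def triage(log):
    """Return (log line, reasons) for every line that trips a heuristic."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        why = []
        if line.startswith("O2 - BHO: (no name)"):
            why.append("BHO registered without a name")
        for path in PATH_RE.findall(line):  # a line may hold several paths
            why.extend(r for r in reasons(path) if r not in why)
        if why:
            findings.append((line, why))
    return findings

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print("; ".join(why), "->", line)
```

A hit here is only a prompt to look closer at the entry, not a verdict that the file is malicious.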


Response Number 4
Name: Mike06j770
Date: March 30, 2008 at 15:31:10 Pacific
Subject: Trojan Viruses & "bad image"
Reply:
I saved combofix.exe onto my desktop and when I double click it I see the green time bar but nothing after that...


Response Number 5
Name: Adii
Date: March 30, 2008 at 22:07:01 Pacific
Subject: Trojan Viruses & "bad image"
Reply:
Delete it from your desktop, download and try again.
If the same thing happens, then try this in safe mode.
Let me know....

*Do Safe Computing*




Response Number 6
Name: Mike06j770
Date: March 31, 2008 at 06:45:23 Pacific
Subject: Trojan Viruses & "bad image"
Reply:
I re-downloaded it and now it's saying DATA Error and then the date. A quick blue screen pops up then it says Data Error.


Response Number 7
Name: Adii
Date: March 31, 2008 at 21:18:56 Pacific
Subject: Trojan Viruses & "bad image"
Reply:
Open Task Manager and End these processes:
(End process tree)

smss.exe
1a .exe
sslxpes071126.exe

Now open MSConfig by typing it in the Run box.

On the Startup tab, click "Disable All" to disable all startup processes, then restart your computer.


Delete combofix from your desktop, download and try again.

If the same problem occurs, then do the following:


You need to change the name of Combofix.
This cannot be done with the existing version, but needs to be done at the point of saving the download, see below:
Please delete your existing version from the Desktop.

During the download, rename Combofix to Combo-Fix.
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it.

Let me know....

*Do Safe Computing*



Response Number 8
Name: Mike06j770
Date: April 2, 2008 at 18:08:41 Pacific
Subject: Trojan Viruses & "bad image"
Reply:
The only process I see is smss.exe and it will not let me end this process??? I'm stuck!!!!!


Response Number 9
Name: Adii
Date: April 2, 2008 at 21:40:53 Pacific
Subject: Trojan Viruses & "bad image"
Reply:
You need to change the name of Combofix.
This cannot be done with the existing version, but needs to be done at the point of saving the download, see below:
Please delete your existing version from the Desktop.

During the download, rename Combofix to Combo-Fix.
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it.


Let me know....

*Do Safe Computing*

