03-30-2008, 07:20 PM   #1
Registered User
Join Date: Mar 2008
Posts: 4
OS: xp home sp2


mljgh.dll won't go away

I got some kind of infection on Friday, 3/28, and now my computer is running terribly slow and keeps trying to access the Internet. I have my computer disconnected from the network and am writing this from a coworker's computer.

I used Process Explorer to see what was being run by rundll32.exe, and one dll was mljgh.dll. Every time I tried to stop it, it restarted itself.

I used msconfig to try to turn off all of the startup dll loadings. I noticed that a second startup of rundll32.exe loading with dpnxkbgb.dll was created.

I ran DSS once on Friday, and got the following listing. I am attaching the extra.txt file to this thread.

When I ran DSS again today, I got only the main.txt file, with no extra.txt file, so I wasn't sure if it was working properly. I am posting the second version of main.txt at the end of this posting.

Thanks for any help.
gnip gnop

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the first run of DSS
It corresponds to the extra.txt file that is attached.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deckard's System Scanner v20071014.68
Run by Dan on 2008-03-28 13:47:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore -----------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
91: 2008-03-28 17:47:52 UTC - RP1451 - Deckard's System Scanner Restore Point
90: 2008-03-28 02:49:31 UTC - RP1450 - Last known good configuration
89: 2008-03-27 20:13:37 UTC - RP1449 - System Checkpoint
88: 2008-03-26 17:02:09 UTC - RP1448 - System Checkpoint
87: 2008-03-25 16:29:56 UTC - RP1447 - System Checkpoint


-- First Restore Point --
1: 2007-12-29 16:47:18 UTC - RP1361 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-28 13:58:41
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Documents and Settings\Dan\Desktop\dss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cris.nyserda.org/Dashboard/Login.aspx?
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/entry/index....DS&appindex=DS
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19CD1086-CC34-478E-B428-B1222A3CD267} - C:\WINDOWS\SYSTEM32\mljgh.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\SYSTEM32\efcdbcb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {1f78eb00-006f-a488-ed54-6b409bb53808} - {80835bb9-04b6-45de-884a-f60000be87f1} - C:\WINDOWS\SYSTEM32\agjsmqab.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMb755e6d2] Rundll32.exe "C:\WINDOWS\system32\dpnxkbgb.dll",s
O4 - HKLM\..\Run: [b466d54e] rundll32.exe "C:\WINDOWS\system32\pjeqgrbw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {423E32C6-2EC6-11D3-A65D-005004055C6C} (NCSToolBar Class) - http://www.nymapper.com/ecwplugins/ncs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: efcdbcb - C:\WINDOWS\system32\efcdbcb.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Unknown owner - C:\WINDOWS\SYSTEM32
O23 - Service: Iomega App Services - Iomega Corporation - C:\Program Files\Iomega\System32\AppServices.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


--
End of file - 6912 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADLTScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Canon Driver Information Assist Service - "c:\program files\canon\dias\cnxdias.exe" <Not Verified; CANON INC.; Driver Information Assist Service>

S3 _IOMEGA_ACTIVE_DISK_SERVICE_ (Iomega Active Disk) - "c:\program files\iomega\autodisk\adservice.exe" <Not Verified; Iomega Corporation; Iomega Active Disk>
S3 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
S4 Iomega Activity Disk2 - ""


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-27 18:45:04 256 --a------ C:\WINDOWS\Tasks\Shutdown Computer.job


-- Files created between 2008-02-28 and 2008-03-28 -----------------------------

2008-03-28 10:58:15 93760 --a------ C:\WINDOWS\system32\agjsmqab.dll
2008-03-28 10:55:15 89152 --a------ C:\WINDOWS\system32\pjeqgrbw.dll
2008-03-28 10:52:38 92736 --a------ C:\WINDOWS\system32\dpnxkbgb.dll
2008-03-27 22:49:14 305108 --ahs---- C:\WINDOWS\system32\hgjlm.ini2
2008-03-27 22:49:09 273920 --a------ C:\WINDOWS\system32\mljgh.dll
2008-03-27 21:49:08 273920 --a------ C:\WINDOWS\system32\geedc.dll
2008-03-27 20:49:07 273920 --a------ C:\WINDOWS\system32\mljge.dll
2008-03-27 19:49:06 273920 --a------ C:\WINDOWS\system32\vtsqn.dll
2008-03-27 18:49:05 273920 --a------ C:\WINDOWS\system32\vturo.dll
2008-03-27 17:49:04 273920 --a------ C:\WINDOWS\system32\ddccc.dll
2008-03-27 16:49:03 273920 --a------ C:\WINDOWS\system32\pmnll.dll
2008-03-27 15:49:04 273920 --a------ C:\WINDOWS\system32\gebyy.dll
2008-03-27 14:49:01 273920 --a------ C:\WINDOWS\system32\awtsp.dll
2008-03-27 13:49:07 273920 --a------ C:\WINDOWS\system32\pmnnk.dll
2008-03-27 13:12:40 0 d-------- C:\WINDOWS\pss
2008-03-27 12:46:35 273920 --a------ C:\WINDOWS\system32\awtqq.dll
2008-03-27 11:42:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-27 11:36:57 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:36:18 0 d-------- C:\Program Files\Spyware Doctor
2008-03-27 11:36:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-27 11:32:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-27 11:32:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-27 11:32:34 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-03-27 11:32:34 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-27 11:32:33 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-27 11:21:30 38400 --a------ C:\WINDOWS\system32\opnooli.dll
2008-03-27 11:18:30 32764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-03-27 11:18:09 38400 --a------ C:\WINDOWS\system32\efcdbcb.dll
2008-03-21 16:13:13 1204224 --a------ C:\WINDOWS\system32\spr32d70.dll <Not Verified; FarPoint Technologies, Inc.; Spread>
2008-03-21 16:12:58 0 d-------- C:\Program Files\eQUEST 3-6
2008-03-04 10:17:50 0 d-------- C:\Documents and Settings\Dan\Application Data\skypePM
2008-03-04 10:17:50 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-04 10:17:06 0 d-------- C:\Program Files\Common Files\Skype


-- Find3M Report ---------------------------------------------------------------

2008-03-28 09:51:37 0 d-------- C:\Program Files\LogMeIn
2008-03-27 11:25:24 0 d-------- C:\Documents and Settings\Dan\Application Data\Skype
2008-03-21 16:40:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-04 10:17:15 0 d-------- C:\Program Files\Skype
2008-03-04 10:17:06 0 d-------- C:\Program Files\Common Files
2008-02-20 10:29:14 0 d-------- C:\Documents and Settings\Dan\Application Data\Adobe
2008-02-13 10:41:59 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-07 11:58:46 0 d-------- C:\Program Files\MSECache
2008-02-04 10:37:21 0 d-------- C:\Program Files\Bassline Software
2008-01-11 14:07:10 82765382 --a------ C:\WINDOWS\system32\SNAGIT6


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19CD1086-CC34-478E-B428-B1222A3CD267}]
03/27/2008 10:49 PM 273920 --a------ C:\WINDOWS\system32\mljgh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}]
03/27/2008 11:18 AM 38400 --a------ C:\WINDOWS\system32\efcdbcb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80835bb9-04b6-45de-884a-f60000be87f1}]
03/28/2008 10:58 AM 93760 --a------ C:\WINDOWS\system32\agjsmqab.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 01:19 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 01:07 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 08:47 PM]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/29/2007 05:29 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 03:56 AM]
"BMb755e6d2"="C:\WINDOWS\system32\dpnxkbgb.dll" [03/28/2008 10:52 AM]
"b466d54e"="C:\WINDOWS\system32\pjeqgrbw.dll" [03/28/2008 10:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\Dan\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"= C:\WINDOWS\system32\efcdbcb.dll [03/27/2008 11:18 AM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdbcb]
efcdbcb.dll 03/27/2008 11:18 AM 38400 C:\WINDOWS\SYSTEM32\efcdbcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/21/2007 04:00 PM 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
"C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bassline WinPopUp]
C:\Program Files\Bassline Software\Popup\BslPopup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
"C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
"C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

*Newly Created Service* - PROCEXP111



-- End of Deckard's System Scanner: finished at 2008-03-28 14:01:01 ------------



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is today's run of DSS
No extra.txt file was created with this one.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deckard's System Scanner v20071014.68
Run by Other Taitemite on 2008-03-30 21:31:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-30 21:33:49
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ESET\nod32kui.exe
C:\Documents and Settings\Dan\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\SYSTEM32\efcdbcb.dll
O2 - BHO: (no name) - {41CBC04E-CDDF-4530-AD84-56D47B481919} - C:\WINDOWS\SYSTEM32\mljgh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {1f78eb00-006f-a488-ed54-6b409bb53808} - {80835bb9-04b6-45de-884a-f60000be87f1} - C:\WINDOWS\SYSTEM32\agjsmqab.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMb755e6d2] Rundll32.exe "C:\WINDOWS\system32\dpnxkbgb.dll",s
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {423E32C6-2EC6-11D3-A65D-005004055C6C} (NCSToolBar Class) - http://www.nymapper.com/ecwplugins/ncs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: efcdbcb - C:\WINDOWS\system32\efcdbcb.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Unknown owner - C:\WINDOWS\SYSTEM32
O23 - Service: Iomega App Services - Iomega Corporation - C:\Program Files\Iomega\System32\AppServices.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


--
End of file - 6054 bytes

-- Files created between 2008-02-29 and 2008-03-30 -----------------------------

2008-03-30 21:17:55 0 d-------- C:\Documents and Settings\Other Taitemite\Application Data\Adobe
2008-03-30 20:59:21 0 d-------- C:\327882R2FWJFW
2008-03-30 20:17:33 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-03-30 20:17:32 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-03-28 10:58:15 93760 --a------ C:\WINDOWS\system32\agjsmqab.dll
2008-03-28 10:55:15 89152 --a------ C:\WINDOWS\system32\pjeqgrbw.dll
2008-03-28 10:52:38 92736 --a------ C:\WINDOWS\system32\dpnxkbgb.dll
2008-03-27 22:49:14 278665 --ahs---- C:\WINDOWS\system32\hgjlm.ini2
2008-03-27 22:49:09 273920 --a------ C:\WINDOWS\system32\mljgh.dll
2008-03-27 21:49:08 273920 --a------ C:\WINDOWS\system32\geedc.dll
2008-03-27 20:49:07 273920 --a------ C:\WINDOWS\system32\mljge.dll
2008-03-27 19:49:06 273920 --a------ C:\WINDOWS\system32\vtsqn.dll
2008-03-27 18:49:05 273920 --a------ C:\WINDOWS\system32\vturo.dll
2008-03-27 17:49:04 273920 --a------ C:\WINDOWS\system32\ddccc.dll
2008-03-27 16:49:03 273920 --a------ C:\WINDOWS\system32\pmnll.dll
2008-03-27 15:49:04 273920 --a------ C:\WINDOWS\system32\gebyy.dll
2008-03-27 14:49:01 273920 --a------ C:\WINDOWS\system32\awtsp.dll
2008-03-27 13:49:07 273920 --a------ C:\WINDOWS\system32\pmnnk.dll
2008-03-27 13:12:40 0 d-------- C:\WINDOWS\pss
2008-03-27 12:46:35 273920 --a------ C:\WINDOWS\system32\awtqq.dll
2008-03-27 11:42:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-27 11:36:57 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:36:18 0 d-------- C:\Program Files\Spyware Doctor
2008-03-27 11:36:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-27 11:32:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-27 11:32:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-27 11:32:34 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-03-27 11:32:34 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-27 11:32:33 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-27 11:21:30 38400 --a------ C:\WINDOWS\system32\opnooli.dll
2008-03-27 11:18:30 32764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-03-27 11:18:09 38400 --a------ C:\WINDOWS\system32\efcdbcb.dll
2008-03-21 16:13:13 1204224 --a------ C:\WINDOWS\system32\spr32d70.dll <Not Verified; FarPoint Technologies, Inc.; Spread>
2008-03-21 16:12:58 0 d-------- C:\Program Files\eQUEST 3-6
2008-03-04 10:17:50 0 d-------- C:\Documents and Settings\Dan\Application Data\skypePM
2008-03-04 10:17:50 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-04 10:17:06 0 d-------- C:\Program Files\Common Files\Skype


-- Find3M Report ---------------------------------------------------------------

2008-03-30 00:04:21 0 d-------- C:\Program Files\LogMeIn
2008-03-21 16:40:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-04 10:17:15 0 d-------- C:\Program Files\Skype
2008-03-04 10:17:06 0 d-------- C:\Program Files\Common Files
2008-02-13 10:41:59 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-07 11:58:46 0 d-------- C:\Program Files\MSECache
2008-02-04 10:37:21 0 d-------- C:\Program Files\Bassline Software
2008-01-11 14:07:10 82765382 --a------ C:\WINDOWS\system32\SNAGIT6


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}]
03/27/2008 11:18 AM 38400 --a------ C:\WINDOWS\system32\efcdbcb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41CBC04E-CDDF-4530-AD84-56D47B481919}]
03/27/2008 10:49 PM 273920 --a------ C:\WINDOWS\system32\mljgh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80835bb9-04b6-45de-884a-f60000be87f1}]
03/28/2008 10:58 AM 93760 --a------ C:\WINDOWS\system32\agjsmqab.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 08:47 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/29/2007 05:29 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 03:56 AM]
"BMb755e6d2"="C:\WINDOWS\system32\dpnxkbgb.dll" [03/28/2008 10:52 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\Other Taitemite\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"= C:\WINDOWS\system32\efcdbcb.dll [03/27/2008 11:18 AM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdbcb]
efcdbcb.dll 03/27/2008 11:18 AM 38400 C:\WINDOWS\SYSTEM32\efcdbcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/21/2007 04:00 PM 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
"C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b466d54e]
rundll32.exe "C:\WINDOWS\system32\pjeqgrbw.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bassline WinPopUp]
C:\Program Files\Bassline Software\Popup\BslPopup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMb755e6d2]
Rundll32.exe "C:\WINDOWS\system32\dpnxkbgb.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
"C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
"C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
"C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN




-- End of Deckard's System Scanner: finished at 2008-03-30 21:36:02 ------------
Attached Files
File Type: txt extra.txt (14.6 KB, 1 views)
gnip gnop is offline  
Old 04-03-2008, 08:11 PM   #2 (permalink)
Analyst/Security Team Hen
Join Date: Mar 2007
Posts: 899
OS: XP and Vista


Re: mljgh.dll won't go away

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.


Please download ComboFix
Save to the Desktop <<< Important!!

Information on the program - A Guide on using ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix
It includes the opportunity to install the Windows Recovery Console.

Before running ComboFix, close or disable all AntiVirus and AntiMalware programs so that they do not interfere with the running of ComboFix.

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the ComboFix.txt, and a new HijackThis log in your reply.
Aaflac is offline  
Old 04-04-2008, 08:09 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 4
OS: xp home sp2


Re: mljgh.dll won't go away

Hi Aaflac,

I understand that you're overwhelmed on this forum. Thanks for the work that you do.

Because this was my work computer, I had to get it back up and running, so I actually had already followed an earlier post on using Combofix. Here is the output from that run, followed by my hijackthis log. Things seem to be running much better now.

gnip gnop

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 08-03-27.1 - 2008-04-02 17:09:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.256 [GMT -4:00]
Running from: c:\Documents and Settings\Dan\Desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMb755e6d2.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\agjsmqab.dll
C:\WINDOWS\system32\bgevggvs.dll
C:\WINDOWS\system32\bkfidyia.dll
C:\WINDOWS\SYSTEM32\cbadd.ini
C:\WINDOWS\SYSTEM32\cbadd.ini2
C:\WINDOWS\system32\dpnxkbgb.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\efcdbcb.dll
C:\WINDOWS\SYSTEM32\hgjlm.ini
C:\WINDOWS\SYSTEM32\hgjlm.ini2
C:\WINDOWS\system32\opnooli.dll
C:\WINDOWS\SYSTEM32\rekucgvs.ini
C:\WINDOWS\system32\svgcuker.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 15:24 . 2008-04-02 16:51 <DIR> d-------- C:\VundoFix Backups
2008-04-01 15:23 . 2005-10-19 08:59 163,840 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-04-01 11:07 . 2008-04-01 11:07 <DIR> d-------- C:\Program Files\MSBuild
2008-04-01 11:00 . 2008-04-01 11:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-04-01 10:59 . 2008-04-01 10:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-01 10:57 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-04-01 10:56 . 2008-04-01 10:56 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-01 10:16 . 2008-04-01 10:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-31 22:10 . 2008-03-31 23:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-31 22:10 . 2008-03-31 22:47 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-31 22:10 . 2008-03-31 22:47 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-31 22:10 . 2008-03-31 22:47 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-31 14:48 . 2008-03-31 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-31 14:46 . 2008-04-02 11:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-31 14:46 . 2008-03-31 14:46 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
2008-03-31 13:13 . 2008-03-31 13:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-31 13:02 . 2008-03-31 13:02 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Grisoft
2008-03-31 13:00 . 2008-03-31 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-31 13:00 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-03-30 22:32 . 2008-03-30 22:32 <DIR> d-------- C:\Program Files\StartupList
2008-03-30 22:31 . 2008-03-30 22:31 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-03-28 13:47 . 2008-03-28 13:47 <DIR> d-------- C:\Deckard
2008-03-28 12:53 . 2008-02-27 13:05 3,654,696 --a------ C:\procexp.exe
2008-03-28 12:53 . 2007-08-31 05:36 72,138 --a------ C:\procexp.chm
2008-03-27 11:36 . 2008-03-31 10:21 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-27 11:36 . 2008-03-31 14:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:36 . 2008-03-27 11:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-27 11:36 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-27 11:36 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-27 11:36 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-27 11:36 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-27 11:32 . 2004-04-23 22:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-27 11:32 . 2004-04-23 22:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-21 16:41 . 1999-03-02 05:01 252,699 --a------ C:\WINDOWS\SYSTEM32\OLCH2D-U.HLP
2008-03-21 16:41 . 1999-03-02 05:01 124 --a------ C:\WINDOWS\SYSTEM32\olch2d-u.cnt
2008-03-21 16:13 . 1999-03-02 06:01 1,676,408 --a------ C:\WINDOWS\SYSTEM32\olch2x32.ocx
2008-03-21 16:13 . 2005-09-08 16:26 1,204,224 --a------ C:\WINDOWS\SYSTEM32\spr32d70.dll
2008-03-21 16:12 . 2008-03-21 16:41 <DIR> d-------- C:\Program Files\eQUEST 3-6
2008-03-04 10:17 . 2008-03-04 10:17 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-04 10:17 . 2008-03-26 16:00 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\skypePM
2008-03-04 10:17 . 2008-03-04 10:17 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-03 12:31 . 2008-03-06 15:49 224 --a------ C:\WINDOWS\hpbafd.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 13:36 --------- d-----w C:\Program Files\LogMeIn
2008-04-01 15:18 --------- d-----w C:\Program Files\ESET
2008-04-01 03:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-01 03:16 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-31 18:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 15:25 --------- d-----w C:\Documents and Settings\Dan\Application Data\Skype
2008-03-21 20:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 14:17 --------- d-----w C:\Program Files\Skype
2008-02-13 14:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 15:58 --------- d-----w C:\Program Files\MSECache
2008-02-04 14:37 --------- d-----w C:\Program Files\Bassline Software
2002-08-15 16:54 3,198,976 ----a-w C:\Program Files\ViewSonicregistration.exe
2007-05-22 23:14 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-22 23:17 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 54,784 --sh--w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-29 17:29 949376]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-07 12:16 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [ ]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdbcb]
efcdbcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-21 16:00 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bassline Software\\Popup\\BslPopup.exe"=
"C:\\Program Files\\Canon\\DIAS\\CnxDIAS.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 22:45:01 C:\WINDOWS\Tasks\Shutdown Computer.job"
- C:\WINDOWS\SYSTEM32\SHUTDOWN.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 17:19:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-04-02 17:24:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-02 21:24:22
Pre-Run: 64,498,368,512 bytes free
Post-Run: 64,420,503,552 bytes free
.
2008-04-01 21:35:05 --- E O F ---


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:39 AM, on 04/04/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ADVANCE INFORMATION TECHNOLOGY\Taiters\Taiters.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cris.nyserda.org/Dashboard/Login.aspx?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/entry/index....DS&appindex=DS
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {423E32C6-2EC6-11D3-A65D-005004055C6C} (NCSToolBar Class) - http://www.nymapper.com/ecwplugins/ncs.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcdbcb - efcdbcb.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5327 bytes
gnip gnop is offline  
Old 04-05-2008, 07:54 PM   #4 (permalink)
Analyst/Security Team Hen
Join Date: Mar 2007
Posts: 899
OS: XP and Vista


Re: mljgh.dll won't go away

Please run HijackThis, Scan
Check box for:

O20 - Winlogon Notify: efcdbcb - efcdbcb.dll (file missing)

Select: Fix checked

~~~~
Download ATF Cleaner

Double-click ATF-Cleaner.exe to run the program
Click Select All
Click: Empty Selected
Click Exit to close the ATF Cleaner program.

~~~~
Next, download Malwarebytes' Anti-Malware (MBAM)
Save the program to the Desktop
Close all Windows, including this one. (Print the instructions first)

On the Desktop, double-click mbam-setup.exe to install the program, and follow the prompts
  • If an update is found, MBAM will download and install the latest.
  • Click OK
At the main program window
  • Make sure the following is checked: Perform Quick Scan
  • Click: Scan (The scan may take some time to finish, so please be patient.)
  • When the scan completes, a message box appears as shown in the image below:
  • Click OK

At the main Scanner screen:
  • Click on: Show Results
  • A screen displaying the malware found shows as seen in the image below. (Results may be different.)
  • Make sure everything found is checked, and click: Remove Selected
  • When the disinfection is complete, you may be prompted to Restart. Please do so.
  • When MBAM finishes removing the malware, a log opens in Notepad
  • The log is automatically saved and can be viewed by clicking the Logs tab.
~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please provide the MBAM report, and a new HijackThis log in your reply.
Aaflac is offline  
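The fix above targets an orphaned Winlogon Notify registration (an O20 line marked "(file missing)"), and the DSS dump earlier in the thread showed Run entries that start a random-named DLL through rundll32. The Python triage helper below is an added example, not part of this thread or of HijackThis; it walks O4 and O20 lines of a HijackThis log and reports those two patterns, using sample lines constructed from entries quoted in this thread.

```python
"""Triage O4 (Run) and O20 (Winlogon Notify) lines from a HijackThis log.

Added example for this thread; not HijackThis code. The sample log below is
constructed from lines quoted in the thread.
"""
import re
from typing import Optional

# O20 - Winlogon Notify: <name> - <dll path>[ (file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

RUNDLL32_RE = re.compile(r"(?i)\brundll32(\.exe)?\b")

# Constructed sample: two clean entries, one rundll32 loader named after the
# DSS entry in post #1, and the orphaned Winlogon Notify entry from post #3.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BMb755e6d2] Rundll32.exe "C:\WINDOWS\system32\dpnxkbgb.dll",s
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcdbcb - efcdbcb.dll (file missing)
"""


def triage_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if the line is unremarkable."""
    m = O20_RE.match(line)
    if m:
        if m.group("missing"):
            # Registration survives after the DLL was deleted: safe to remove,
            # and a sign that something else cleaned the file but not the key.
            return {"kind": "O20", "name": m.group("name"),
                    "reason": "orphaned Winlogon Notify entry (DLL no longer on disk)"}
        if "\\" not in m.group("path"):
            # Bare file name: the DLL is found through the search path, so the
            # entry alone does not tell you which file actually loads.
            return {"kind": "O20", "name": m.group("name"),
                    "reason": "Winlogon Notify DLL given without a directory"}
        return None
    m = O4_RE.match(line)
    if m and RUNDLL32_RE.search(m.group("cmd")):
        # A Run value that starts a DLL via rundll32 is how the DSS dump in
        # post #1 showed dpnxkbgb.dll and pjeqgrbw.dll being started.
        return {"kind": "O4", "name": m.group("name"),
                "reason": "Run entry starts a DLL through rundll32"}
    return None


def triage(log_text: str) -> list:
    """Return findings for every non-empty line of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        finding = triage_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} [{f['name']}]: {f['reason']}")
```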
Old 04-07-2008, 12:05 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 4
OS: xp home sp2


Re: mljgh.dll won't go away

Malwarebytes' Anti-Malware 1.10
Database version: 598

Scan type: Quick Scan
Objects scanned: 30366
Time elapsed: 5 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\TrustedAntivirus (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:33 PM, on 04/07/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cris.nyserda.org/Dashboard/Login.aspx?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/entry/index....DS&appindex=DS
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {423E32C6-2EC6-11D3-A65D-005004055C6C} (NCSToolBar Class) - http://www.nymapper.com/ecwplugins/ncs.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4993 bytes
gnip gnop is offline  
Old 04-07-2008, 05:43 PM   #6 (permalink)
Analyst/Security Team Hen
Join Date: Mar 2007
Posts: 899
OS: XP and Vista


Re: mljgh.dll won't go away

The HijackThis log appears clean.

Are you still having malware problems?
Aaflac is offline  
Old 04-10-2008, 11:02 AM   #7 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 4
OS: xp home sp2


Re: mljgh.dll won't go away

I'm no longer having any problems that I am aware of. Thanks for your help!
gnip gnop is offline  