Vundo / mljji.dll infection

bagofbeef · 12-06-2007, 07:33 AM

I've been having issues with the Vundo virus for a few weeks. As of a few days ago, everything seemed to be clean exept for System32\mljji.dll. I haven't been able to remove it. In the last couple of days, I've been getting more and more Vundo notifications from Symantec. I need some help to get Vundo off of my machine. Here's the HijackThis log:

**************

Logfile of HijackThis v1.99.1
Scan saved at 10:30:05 AM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Avid\Avid Media Composer\AvidMediaComposer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ywupmeyg.exe
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Blackmagic CheckVersion PCI] C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ywupmeyg.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

********************

Thanks in advance for the help.

alba · 12-09-2007, 12:31 AM

Hi bagofbeef

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

=================

Download ComboFix

Alternate Link
ComboFix

and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

===============================================

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

===============================================

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

=================

Please Run a scan with HiJackThis and save the log

=================

In your next post, please include fresh logs from:

ComboFix.txt
HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

bagofbeef · 12-10-2007, 06:53 AM

Thanks for getting back to me. I just ran ComboFix and Hijackthis. The logs are attached.

ComboFix 07-12-10.2 - Administrator 2007-12-10 9:31:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2599 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Messenger\rtemem.html
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\WINDOWS\IA
C:\WINDOWS\IA\\KE.vbs
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\system32\_suspicious_files\ijjlm.ini
C:\WINDOWS\system32\_suspicious_files\ijjlm.ini2
C:\WINDOWS\system32\decysktp.dll
C:\WINDOWS\system32\f1
C:\WINDOWS\system32\gxqejttr.dll
C:\WINDOWS\system32\h2
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\kurnvwvv.dll
C:\WINDOWS\system32\lxhkqjtw.dll
C:\WINDOWS\system32\m1
C:\WINDOWS\system32\media
C:\WINDOWS\system32\media\AvidRender.wav
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\mrqkwpfv.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\sppugjyx.dll
C:\WINDOWS\system32\tdhoptxn.dll
C:\WINDOWS\system32\vfpwkqrm.dll
C:\WINDOWS\system32\xpjvvppx.ini
C:\WINDOWS\system32\xppvvjpx.dll
C:\WINDOWS\system32\xyjgupps.ini
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService

((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-04 14:33 . 2007-12-04 14:33 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-04 14:33 . 2007-12-04 14:33 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-04 12:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-04 12:28 . 2007-12-04 12:28 <DIR> d-------- C:\Documents and Settings\Administrator\.java
2007-12-04 12:15 . 2007-12-10 09:36 <DIR> d-------- C:\WINDOWS\system32\_suspicious_files
2007-11-28 15:15 . 2007-11-28 15:15 90 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-28 09:38 . 2007-12-06 11:50 <DIR> d-------- C:\OMFI MediaFiles
2007-11-27 16:51 . 2007-12-06 14:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-21 09:10 . 2007-12-08 20:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-21 09:10 . 2007-11-21 09:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-20 09:11 . 2007-11-26 15:55 <DIR> d-------- C:\VundoFix Backups
2007-11-14 12:21 . 2007-12-04 12:35 10,676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-14 12:21 . 2007-12-04 12:35 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-14 12:02 . 2007-11-14 12:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-13 14:22 . 2007-11-13 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 12:43 . 2007-11-13 12:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-13 12:42 . 2007-11-13 12:42 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-13 09:00 . 2007-11-13 09:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-12 14:59 . 2007-11-12 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2007-11-12 14:46 . 2007-11-12 14:46 <DIR> d-------- C:\Program Files\Nero
2007-11-12 14:46 . 2007-11-12 14:49 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-12 14:46 . 2007-11-12 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-12 12:07 . 2007-07-20 09:18 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-11-12 12:06 . 2007-11-12 12:06 <DIR> d-------- C:\WINDOWS\system32\s?mbols
2007-11-12 12:05 . 2005-09-22 12:35 <DIR> d---s---- C:\WINDOWS\Tasks
2007-11-12 12:04 . 2007-11-12 11:58 <DIR> d-------- C:\WINDOWS\?racle
2007-11-12 12:04 . 2007-11-12 12:04 <DIR> d-------- C:\Program Files\Common Files\A?pPatch
2007-11-12 12:03 . 2007-11-12 12:03 <DIR> d-------- C:\Program Files\Common Files\T?sks
2007-11-12 12:03 . 2007-11-12 12:03 <DIR> d-------- C:\Program Files\Common Files\T?sks
2007-11-12 12:02 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\F?nts
2007-11-12 12:02 . 2007-11-12 12:00 <DIR> d-------- C:\Program Files\s?stem
2007-11-12 12:01 . 2007-11-12 12:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\s?curity
2007-11-12 12:00 . 2007-11-12 12:00 <DIR> d-------- C:\WINDOWS\?ymantec
2007-11-12 12:00 . 2007-08-15 12:06 <DIR> d-------- C:\WINDOWS\AppPatch
2007-11-12 12:00 . 2007-11-12 12:00 <DIR> d-------- C:\Program Files\s?stem
2007-11-12 11:59 . 2007-11-12 11:59 <DIR> d-------- C:\WINDOWS\system32\M?crosoft.NET
2007-11-12 11:59 . 2004-11-09 23:24 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-11-12 11:59 . 2007-07-20 09:18 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-11-12 11:59 . 2007-11-12 11:54 <DIR> d-------- C:\Program Files\çasks
2007-11-12 11:59 . 2007-11-12 11:59 <DIR> d-------- C:\Program Files\Common Files\?ssembly
2007-11-12 11:59 . 2007-11-12 11:59 <DIR> d-------- C:\Program Files\a?sembly
2007-11-12 11:59 . 2007-11-12 11:59 <DIR> d-------- C:\Program Files\A?pPatch
2007-11-12 11:59 . 2007-11-12 11:58 <DIR> d-------- C:\Program Files\àppPatch
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\WINDOWS\system32\a?sembly
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\WINDOWS\?racle
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\Program Files\àppPatch
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\Program Files\àdobe
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\Program Files\s?mbols
2007-11-12 11:58 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\T?sks
2007-11-12 11:58 . 2005-09-22 13:18 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-12 11:58 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\M?crosoft
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\s?mbols
2007-11-12 11:58 . 2006-10-12 07:50 <DIR> d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-12 11:57 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\çasks
2007-11-12 11:57 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\àppPatch
2007-11-12 11:57 . 2007-11-12 11:57 <DIR> d-------- C:\WINDOWS\system32\A?pPatch
2007-11-12 11:57 . 2007-11-12 11:56 <DIR> d-------- C:\WINDOWS\system32\?racle
2007-11-12 11:57 . 2007-07-20 09:18 <DIR> dr--s---- C:\WINDOWS\assembly
2007-11-12 11:57 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\?icrosoft
2007-11-12 11:57 . 2007-08-15 12:06 <DIR> d-------- C:\WINDOWS\AppPatch
2007-11-12 11:57 . 2007-11-12 11:55 <DIR> d-------- C:\WINDOWS\M?crosoft
2007-11-12 11:57 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\Common Files\àppPatch
2007-11-12 11:57 . 2007-11-12 11:57 <DIR> d-------- C:\Program Files\Common Files\?ymantec
2007-11-12 11:57 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\Common Files\M?crosoft
2007-11-12 11:57 . 2007-11-12 12:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\s?curity
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\WINDOWS\system32\?racle
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\WINDOWS\system32\?icrosoft.NET
2007-11-12 11:56 . 2007-11-12 12:06 <DIR> d-------- C:\WINDOWS\system32\s?mbols
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\system32\S?mantec
2007-11-12 11:56 . 2006-05-03 16:47 <DIR> d-------- C:\WINDOWS\security
2007-11-12 11:56 . 2007-07-20 09:18 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\s?mbols
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\s?stem32
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\F?nts
2007-11-12 11:56 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\Common Files\?racle
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\Common Files\?icrosoft.NET
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\Common Files\?icrosoft
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\Common Files\?ecurity
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\Common Files\S?mantec
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\Common Files\M?crosoft.NET
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\?ecurity
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\s?stem32
2007-11-12 11:56 . 2007-11-12 11:59 <DIR> d-------- C:\Program Files\A?pPatch
2007-11-12 11:56 . 2007-12-04 12:35 <DIR> d-------- C:\Program Files\Symantec
2007-11-12 11:56 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\M?crosoft
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\a?sembly
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\?racle
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\WINDOWS\àdobe
2007-11-12 11:55 . 2004-11-09 23:24 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\WINDOWS\system32\?asks
2007-11-12 11:55 . 2007-07-20 09:18 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\WINDOWS\M?crosoft
2007-11-12 11:55 . 2005-09-22 12:35 <DIR> d---s---- C:\WINDOWS\Tasks
2007-11-12 11:55 . 2006-05-03 16:47 <DIR> d-------- C:\WINDOWS\security
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\s?curity
2007-11-12 11:55 . 2005-09-22 13:18 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\M?crosoft
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\Common Files\àppPatch
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\Common Files\àdobe
2007-11-12 11:55 . 2007-06-13 08:02 <DIR> d-------- C:\Program Files\Common Files\System

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 14:40 0 ----a-w C:\WINDOWS\system32\drivers\WFTDriverLog.txt
2007-12-09 01:20 --------- d-----w C:\Program Files\Norton SystemWorks
2007-12-04 17:37 --------- d-----w C:\Program Files\Google
2007-12-04 17:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-04 17:35 --------- d-----w C:\Program Files\Symantec
2007-12-04 17:32 --------- d-----w C:\Program Files\Java
2007-11-12 17:03 --------- d-----w C:\Program Files\Common Files\??sks
2007-11-12 17:02 --------- d-----w C:\Program Files\??stem
2007-11-12 16:59 --------- d-----w C:\Program Files\Common Files\?ssembly
2007-11-12 16:59 --------- d-----w C:\Program Files\?ppPatch
2007-11-12 16:59 --------- d-----w C:\Program Files\??sks
2007-11-12 16:58 --------- d-----w C:\Program Files\?ppPatch
2007-11-12 16:58 --------- d-----w C:\Program Files\?dobe
2007-11-12 16:58 --------- d-----w C:\Program Files\??sks
2007-11-12 16:58 --------- d-----w C:\Program Files\??crosoft.NET
2007-11-12 16:58 --------- d-----w C:\Program Files\??crosoft
2007-11-12 16:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\?icrosoft
2007-11-12 16:57 --------- d-----w C:\Program Files\Common Files\?ymantec
2007-11-12 16:57 --------- d-----w C:\Program Files\Common Files\??pPatch
2007-11-12 16:57 --------- d-----w C:\Program Files\Common Files\??crosoft
2007-11-12 16:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??curity
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\?racle
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\?icrosoft.NET
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\?icrosoft
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\?ecurity
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\??mantec
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\??crosoft.NET
2007-11-12 16:56 --------- d-----w C:\Program Files\?ecurity
2007-11-12 16:56 --------- d-----w C:\Program Files\??stem32
2007-11-12 16:56 --------- d-----w C:\Program Files\??pPatch
2007-11-12 16:56 --------- d-----w C:\Program Files\??mantec
2007-11-12 16:56 --------- d-----w C:\Program Files\??crosoft
2007-11-12 16:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\?racle
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\?racle
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\?ppPatch
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\?icrosoft
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\?dobe
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\??stem
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\??sembly
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\??pPatch
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\??mbols
2007-11-12 16:55 --------- d-----w C:\Program Files\?ymantec
2007-11-12 16:55 --------- d-----w C:\Program Files\?ssembly
2007-11-12 16:55 --------- d-----w C:\Program Files\?icrosoft.NET
2007-11-12 16:55 --------- d-----w C:\Program Files\?icrosoft
2007-11-12 16:55 --------- d-----w C:\Program Files\??sembly
2007-11-12 16:55 --------- d-----w C:\Program Files\??curity
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\?ystem32
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\?ymbols
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\??stem32
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\??curity
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\??crosoft.NET
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\??crosoft
2007-11-12 16:54 --------- d-----w C:\Program Files\?ystem
2007-11-12 16:54 --------- d-----w C:\Program Files\?racle
2007-11-12 16:54 --------- d-----w C:\Program Files\?racle
2007-11-12 16:54 --------- d-----w C:\Program Files\?icrosoft
2007-11-12 16:54 --------- d-----w C:\Program Files\?asks
2007-11-12 16:54 --------- d-----w C:\Program Files\??pPatch
2007-11-12 16:54 --------- d-----w C:\Program Files\??mbols
2007-11-12 16:54 --------- d-----w C:\Program Files\??crosoft.NET
2007-11-12 16:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??crosoft.NET
2007-11-12 16:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??crosoft
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?ystem
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?ppPatch
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?icrosoft.NET
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?dobe
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?asks
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?asks
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\??sks
2007-11-12 16:53 --------- d-----w C:\Program Files\?ystem32
2007-11-12 16:53 --------- d-----w C:\Program Files\?ymbols
2007-11-12 16:53 --------- d-----w C:\Program Files\?icrosoft.NET
2007-11-12 16:53 --------- d-----w C:\Program Files\?dobe
2007-11-12 16:53 --------- d-----w C:\Program Files\?asks
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\?icrosoft.NET
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\?asks
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??stem32
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??stem
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??sks
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??mbols
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??mantec
2007-10-30 15:09 --------- d-----w C:\Program Files\DivX
2007-10-30 14:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-23 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-09-20 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 14:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2005-09-22 17:34 32 --sha-w C:\WINDOWS\{188D46AD-BCED-447F-B20E-60F5CB32313C}.dat
2005-09-22 17:35 32 --sha-w C:\WINDOWS\{24A1CF26-2E6E-4375-B834-4B5524A92BF4}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\{4D92E012-78E3-4CD6-A27C-186497D1056B}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\system32\{C21790DB-1E75-41C2-B1A2-71C0D2E9AEF2}.dat
2005-09-22 17:35 32 --sha-w C:\WINDOWS\system32\{C8405FC4-02DD-4CD2-AEAB-5A1BB4900910}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\system32\{F6225B7E-ACDF-4245-8EE2-F1A674B16F9F}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{AC887BC4-A887-455F-AA89-B2B3B71979B4}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"mount.exe"="C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe" [2003-05-24 02:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 11:57]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 07:34]
"PRONoMgrWired"="c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 14:49]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-02-25 04:33]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"Blackmagic CheckVersion PCI"="C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe" [2006-04-10 15:05]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-02-14 23:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-15 14:05]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-07-02 13:31]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-03-17 13:16 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbyax]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkyearhj]
pkyearhj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\UMAX VistaAccess.lnk
backup=C:\WINDOWS\pss\UMAX VistaAccess.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Getting Started with MacDrive 5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
backup=C:\WINDOWS\pss\Getting Started with MacDrive 5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\53062b4b]
rundll32.exe C:\WINDOWS\system32\ahhitmqb.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Promon.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 Flamethrower;Flamethrower;C:\WINDOWS\system32\drivers\Flamethrower.sys
R3 LaCieFWFilter;Silver 1394 Filter (1394 BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieFWFilter.sys
R3 LaCieUSBFilter;Silver USB Filter (USB BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieUSBFilter.sys
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS
S1 BMDPDisk;BMDPDisk;C:\WINDOWS\system32\drivers\BMDPDisk.sys
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS
S2 BMDPBox;BMDPBox;C:\WINDOWS\system32\drivers\BMDPBox.sys
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys
S3 BMDDeckLinkAudio;BMDDeckLinkAudio;C:\WINDOWS\system32\DRIVERS\deckaud.sys
S3 BMDDeckLinkSerial;BMDDeckLinkSerial;C:\WINDOWS\system32\DRIVERS\deckser.sys
S3 DeckLink;DeckLink;C:\WINDOWS\system32\DRIVERS\DeckLink.sys
S3 DeckLinkDisplay;DeckLinkDisplay;C:\WINDOWS\system32\DRIVERS\deckmp.sys
S3 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys
S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 01:20:10 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 09:41:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2007-12-10 9:43:18 - machine was rebooted
.
--- E O F --- 2007-11-14 14:05:22

Logfile of HijackThis v1.99.1
Scan saved at 9:45:37 AM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Blackmagic CheckVersion PCI] C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O20 - Winlogon Notify: efcbyax - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pkyearhj - pkyearhj.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

bagofbeef · 12-10-2007, 09:29 AM

Oops. sorry - didn't mean to paste AND attach...

alba · 12-10-2007, 11:20 AM

Hi bagofbeef

Can you tell me what happened on 2007-11-12, because what ever it was it created all these folders ??mantec and unfortunately you will have to delete them manually.

Please follow my instructions carefully and take your time

===============================================

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

Tick - Show hidden files and folder
Untick - Hide file extensions for known types
Untick - Hide protected operating system files

Click Yes to confirm & then click OK

Locate and delete the following folders, if present. You will see the full name of the folder (??asks = tasks etc) If there are two folders of the same name right click on them and then click on properties ONLY delete folders that were created on 2007-11-12

C:\Program Files\Common Files\ ??sks
C:\Program Files\ ??stem
C:\Program Files\Common Files\ ?ssembly
C:\Program Files\ ?ppPatch
C:\Program Files\ ??sks
C:\Program Files\?ppPatch
C:\Program Files\ ?dobe
C:\Program Files\ ??sks
C:\Program Files\ ??crosoft.NET
C:\Program Files\ ??crosoft
C:\Documents and Settings\Administrator\Application Data\ ?icrosoft
C:\Program Files\Common Files\ ?ymantec
C:\Program Files\Common Files\ ??pPatch
C:\Program Files\Common Files\ ??crosoft
C:\Documents and Settings\Administrator\Application Data\ ??curity
C:\Program Files\Common Files\ ?racle
C:\Program Files\Common Files\ ?icrosoft.NET
C:\Program Files\Common Files\ ?icrosoft
C:\Program Files\Common Files\ ?ecurity
C:\Program Files\Common Files\ ??mantec
C:\Program Files\Common Files\ ??crosoft.NET
C:\Program Files\ ?ecurity
C:\Program Files\ ??stem32
C:\Program Files\ ??pPatch
C:\Program Files\ ??mantec
C:\Program Files\ ??crosoft
C:\Documents and Settings\Administrator\Application Data\ ?racle
C:\Program Files\Common Files\ ?racle
C:\Program Files\Common Files\ ?ppPatch
C:\Program Files\Common Files\ ?icrosoft
C:\Program Files\Common Files\ ?dobe
C:\Program Files\Common Files\ ??stem
C:\Program Files\Common Files\ ??sembly
C:\Program Files\Common Files\ ??pPatch
C:\Program Files\Common Files\ ??mbols
C:\Program Files\ ?ymantec
C:\Program Files\ ?ssembly
C:\Program Files\ ?icrosoft.NET
C:\Program Files\ ?icrosoft
C:\Program Files\ ??sembly
C:\Program Files\ ??curity
C:\Program Files\Common Files\ ?ystem32
C:\Program Files\Common Files\ ?ymbols
C:\Program Files\Common Files\ ??stem32
C:\Program Files\Common Files\ ??curity
C:\Program Files\Common Files\ ??crosoft.NET
C:\Program Files\Common Files\ ??crosoft
C:\Program Files\ ?ystem
C:\Program Files\ ?racle
C:\Program Files\ ?racle
C:\Program Files\ ?icrosoft
C:\Program Files\ ?asks
C:\Program Files\ ??pPatch
C:\Program Files\ ??mbols
C:\Program Files\ ??crosoft.NET
C:\Documents and Settings\Administrator\Application Data\ ??crosoft.NET
C:\Documents and Settings\Administrator\Application Data\ ??crosoft
C:\Program Files\Common Files\ ?ystem
C:\Program Files\Common Files\ ?ppPatch
C:\Program Files\Common Files\ ?icrosoft.NET
C:\Program Files\Common Files\ ?dobe
C:\Program Files\Common Files\ ?asks
C:\Program Files\Common Files\ ?asks
C:\Program Files\Common Files\ ??sks
C:\Program Files\ ?ystem32
C:\Program Files\ ?ymbols
C:\Program Files\ ?icrosoft.NET
C:\Program Files\ ?dobe
C:\Program Files\ ?asks
C:\Documents and Settings\Administrator\Application Data\ ?icrosoft.NET
C:\Documents and Settings\Administrator\Application Data\ ?asks
C:\Documents and Settings\Administrator\Application Data\ ??stem32
C:\Documents and Settings\Administrator\Application Data\ ??stem
C:\Documents and Settings\Administrator\Application Data\ ??sks
C:\Documents and Settings\Administrator\Application Data\ ??mbols
C:\Documents and Settings\Administrator\Application Data\ ??mantec

===============================================

REBOOT TO NORMAL MODE

=================

Open notepad and carefully copy/paste all the text in the code box below into it:

Code:

File::
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ahhitmqb.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbyax]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkyearhj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\53062b4b]

DirLook::
C:\Documents and Settings\Administrator\.java
C:\WINDOWS\system32\_suspicious_files

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

=================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

=================

Please Run a scan with HiJackThis and save the log

=================

In your next post, please include fresh logs from:

ComboFix.txt
HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

bagofbeef · 12-10-2007, 12:47 PM

I'm not sure if I'll get a chance to post the Kaspersky log today. The scan is at 1%, and it's been going for about 20 minutes or so -- to this point, it's found 16 viruses, 95 infected objects, and 2 suspicious objects. Again, I'll post the full log tomorrow, along with the ComboFix log and the HijackThis log. Thanks again.

bagofbeef · 12-11-2007, 06:00 AM

OK. Not sure what happened on 11-12. Nothing that I can remember that would have created all of those duplicate folders, anyway. At any rate, I booted into safe mode, deleted the empty duplicate folders that were created on that date, and then ran ComboFix, Kaspersky, and HijackThis. Logs attached.

alba · 12-11-2007, 08:58 AM

Hi bagofbeef

Did you download anything on that day we dont judge but it would be interesting to know where the infection came from

in future please copy/paste your logs into your reply when you attach them it makes it harder to read the logs and takes much longer to prepare a fix for you

We are nearly there so lets get going.

I have asked you to remove CuteFTP because it is infected with adware see Here
for more info
---------------------------------------

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

=================

From Control Panel->Add/Remove Programs, uninstall the following programs, if present, :

Web Buying
CuteFTP

=================

Okay same as last time, you can try deleting them from normal mode first, this should be them all just take your time and check duplicate folders for the creation date 2007-11-12

Locate and delete the following folders, if present:

C:\WINDOWS\system32\ s?mbols
C:\WINDOWS\ ?racle
C:\WINDOWS\ ?ymantec
C:\WINDOWS\system32\ a?sembly
C:\WINDOWS\ ?racle
C:\WINDOWS\system32\ A?pPatch
C:\WINDOWS\system32\ ?racle
C:\WINDOWS\ ?icrosoft
C:\WINDOWS\ M?crosoft
C:\WINDOWS\system32\ ?racle
C:\WINDOWS\system32\ ?icrosoft.NET
C:\WINDOWS\system32\ s?mbols
C:\WINDOWS\system32\ S?mantec
C:\WINDOWS\ s?mbols
C:\WINDOWS\system32\ ?asks
C:\WINDOWS\ M?crosoft
C:\WINDOWS\ ?dobe
C:\Program Files\ W?nSxS
C:\Program Files\Common Files\ W?nSxS

============================================

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and carefully copy/paste all the text in the code box below into it:

Code:

File::
C:\Downloads\cUTE ftp\CUTE4032.EXE

Folder::
C:\WINDOWS\system32\_suspicious_files
C:\Program Files\Web Buying
C:\Program Files\GlobalSCAPE

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

====================================

Please empty your recycle bin and spybots recovery folder

I see you have been to bitdefender online scan please go there again and do another scan

Go here and do the BitDefender online virus scan.

Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Leave the scanning options at default and press "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop then come back here and post it in your next reply

=================

Please Run a scan with HiJackThis and save the log

=================

In your next post, please include fresh logs from:

ComboFix.txt
Bitdefender report
HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

bagofbeef · 12-11-2007, 09:51 AM

All righty:

I removed CuteFTP.

I deleted the 11-12 folders in normal mode, and then went to safe mode to see if they'd come back. They did. So I deleted them in safe mode.

Went back to normal mode and ran ComboFix.

I emptied the recycle bin and purged SpyBot's recovery folder -- I assume that this is done within the program -- I didn't see any 'Recovery' directory in \Program Files\Spybot. So I opened the program, clicked the recovery tab, selected all of the items, and clicked 'purge'.

I went to start the BitDefender scan, and got this:

I just canceled out of it.

bagofbeef · 12-11-2007, 09:59 AM

I tried BitDefender again, and it just went right into scanning, without asking me to download the definitions. I'm just letting it run. (I'm posting this reply from a different machine).

bagofbeef · 12-11-2007, 11:44 AM

OK, BitDefender's all done. I saved the results as a .txt file, but it was obviously formatted html, so I'm going to upload it as well.

***********
ComboFix
*************

ComboFix 07-12-10.2 - Administrator 2007-12-11 12:33:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2602 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Downloads\cUTE ftp\CUTE4032.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Downloads\cUTE ftp\CUTE4032.EXE
C:\Program Files\GlobalSCAPE
C:\Program Files\GlobalSCAPE\CuteFTP\unwise32.exe
C:\Program Files\GlobalSCAPE\CuteHTML\cutehtml.cnt
C:\Program Files\GlobalSCAPE\CuteHTML\cutehtml.exe
C:\Program Files\GlobalSCAPE\CuteHTML\cutehtml.hlp
C:\Program Files\GlobalSCAPE\CuteHTML\cutetips.txt
C:\Program Files\GlobalSCAPE\CuteHTML\html.txt
C:\Program Files\GlobalSCAPE\CuteHTML\INSTALL2.LOG
C:\Program Files\GlobalSCAPE\CuteHTML\tagtips.dat
C:\Program Files\GlobalSCAPE\CuteHTML\unreg.exe
C:\Program Files\GlobalSCAPE\CuteHTML\unwise32.exe
C:\WINDOWS\system32\_suspicious_files
C:\WINDOWS\system32\_suspicious_files\17PHolmes1000106.exe
C:\WINDOWS\system32\_suspicious_files\17PHolmes572.exe
C:\WINDOWS\system32\_suspicious_files\acrrpwbc.dll
C:\WINDOWS\system32\_suspicious_files\bqmtihha.ini
C:\WINDOWS\system32\_suspicious_files\bteyeaih.ini
C:\WINDOWS\system32\_suspicious_files\cbwprrca.ini
C:\WINDOWS\system32\_suspicious_files\cllrunnm.ini
C:\WINDOWS\system32\_suspicious_files\cryowowh.dll
C:\WINDOWS\system32\_suspicious_files\esuoikps.dll
C:\WINDOWS\system32\_suspicious_files\fhckvtwb.dll
C:\WINDOWS\system32\_suspicious_files\grkkpthm.dll
C:\WINDOWS\system32\_suspicious_files\mhtpkkrg.ini
C:\WINDOWS\system32\_suspicious_files\mnnurllc.dll
C:\WINDOWS\system32\_suspicious_files\ofwavrob.dll
C:\WINDOWS\system32\_suspicious_files\oynmfrkp.ini
C:\WINDOWS\system32\_suspicious_files\qodopxrq.dll
C:\WINDOWS\system32\_suspicious_files\qrxpodoq.ini
C:\WINDOWS\system32\_suspicious_files\qyahbdav.ini
C:\WINDOWS\system32\_suspicious_files\rbliryih.dll
C:\WINDOWS\system32\_suspicious_files\rejordot.ini
C:\WINDOWS\system32\_suspicious_files\todrojer.dll
C:\WINDOWS\system32\_suspicious_files\vadbhayq.dll
C:\WINDOWS\system32\_suspicious_files\winshow.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-10 15:44 . 2007-12-10 15:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-10 15:44 . 2007-12-10 15:44 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 14:59 . 2007-12-10 14:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 14:59 . 2007-12-10 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 14:33 . 2007-12-04 14:33 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-04 14:33 . 2007-12-04 14:33 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-04 12:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-04 12:28 . 2007-12-04 12:28 <DIR> d-------- C:\Documents and Settings\Administrator\.java
2007-11-28 09:38 . 2007-12-10 12:22 <DIR> d-------- C:\OMFI MediaFiles
2007-11-27 16:51 . 2007-12-06 14:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-20 09:11 . 2007-11-26 15:55 <DIR> d-------- C:\VundoFix Backups
2007-11-14 12:21 . 2007-12-04 12:35 10,676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-14 12:21 . 2007-12-04 12:35 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-14 12:02 . 2007-11-14 12:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-13 14:22 . 2007-11-13 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 12:43 . 2007-11-13 12:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-13 12:42 . 2007-11-13 12:42 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-13 09:00 . 2007-11-13 09:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-12 14:59 . 2007-11-12 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2007-11-12 14:46 . 2007-11-12 14:46 <DIR> d-------- C:\Program Files\Nero
2007-11-12 14:46 . 2007-11-12 14:49 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-12 14:46 . 2007-11-12 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-12 11:52 . 2007-12-11 08:58 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 17:28 0 ----a-w C:\WINDOWS\system32\drivers\WFTDriverLog.txt
2007-12-09 01:20 --------- d-----w C:\Program Files\Norton SystemWorks
2007-12-04 17:37 --------- d-----w C:\Program Files\Google
2007-12-04 17:35 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-04 17:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-04 17:35 --------- d-----w C:\Program Files\Symantec
2007-12-04 17:32 --------- d-----w C:\Program Files\Java
2007-10-30 15:09 --------- d-----w C:\Program Files\DivX
2007-10-30 14:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-23 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-20 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 14:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 14:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2005-09-22 17:34 32 --sha-w C:\WINDOWS\{188D46AD-BCED-447F-B20E-60F5CB32313C}.dat
2005-09-22 17:35 32 --sha-w C:\WINDOWS\{24A1CF26-2E6E-4375-B834-4B5524A92BF4}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\{4D92E012-78E3-4CD6-A27C-186497D1056B}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\system32\{C21790DB-1E75-41C2-B1A2-71C0D2E9AEF2}.dat
2005-09-22 17:35 32 --sha-w C:\WINDOWS\system32\{C8405FC4-02DD-4CD2-AEAB-5A1BB4900910}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\system32\{F6225B7E-ACDF-4245-8EE2-F1A674B16F9F}.dat
.

((((((((((((((((((((((((((((( snapshot@2007-12-10_ 9.42.45.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-12-10 14:40:58 14,098 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2007-12-11 17:29:16 14,098 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{AC887BC4-A887-455F-AA89-B2B3B71979B4}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35]
"mount.exe"="C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe" [2003-05-24 02:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 11:57]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 07:34]
"PRONoMgrWired"="c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 14:49]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-02-25 04:33]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"Blackmagic CheckVersion PCI"="C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe" [2006-04-10 15:05]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-02-14 23:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-15 14:05]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-07-02 13:31]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-03-17 13:16 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\UMAX VistaAccess.lnk
backup=C:\WINDOWS\pss\UMAX VistaAccess.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Getting Started with MacDrive 5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
backup=C:\WINDOWS\pss\Getting Started with MacDrive 5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Promon.exe]

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 Flamethrower;Flamethrower;C:\WINDOWS\system32\drivers\Flamethrower.sys
R3 LaCieFWFilter;Silver 1394 Filter (1394 BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieFWFilter.sys
R3 LaCieUSBFilter;Silver USB Filter (USB BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieUSBFilter.sys
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS
S1 BMDPDisk;BMDPDisk;C:\WINDOWS\system32\drivers\BMDPDisk.sys
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS
S2 BMDPBox;BMDPBox;C:\WINDOWS\system32\drivers\BMDPBox.sys
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys
S3 BMDDeckLinkAudio;BMDDeckLinkAudio;C:\WINDOWS\system32\DRIVERS\deckaud.sys
S3 BMDDeckLinkSerial;BMDDeckLinkSerial;C:\WINDOWS\system32\DRIVERS\deckser.sys
S3 DeckLink;DeckLink;C:\WINDOWS\system32\DRIVERS\DeckLink.sys
S3 DeckLinkDisplay;DeckLinkDisplay;C:\WINDOWS\system32\DRIVERS\deckmp.sys
S3 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 01:20:10 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 12:35:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2007-12-11 12:35:47
C:\ComboFix2.txt ... 2007-12-10 14:56
C:\ComboFix3.txt ... 2007-12-10 09:43
.
--- E O F --- 2007-11-14 14:05:22

************
HiJackThis

**************

Logfile of HijackThis v1.99.1
Scan saved at 2:31:57 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Blackmagic CheckVersion PCI] C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

**********
Bit Defender
***********
BitDefender Online Scanner

Scan report generated at: Tue, Dec 11, 2007 - 14:18:49

Scan path: C:\;D:\;E:\;J:\;K:\;

Statistics

Time

01:28:09

Files

524380

Folders

14302

Boot Sectors

6

Archives

7791

Packed Files

60713

Results

Identified Viruses

7

Infected Files

22

Suspect Files

0

Warnings

0

Disinfected

0

Deleted Files

33

Engines Info

Virus Definitions

873675

Engine build

AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

Scan plugins

14

Archive plugins

38

Unpack plugins

7

E-mail plugins

6

System plugins

1

Scan Settings

First Action

Disinfect

Second Action

Delete

Heuristics

Yes

Enable Warnings

Yes

Scanned Extensions

*;

Exclude Extensions

Scan Emails

Yes

Scan Archives

Yes

Scan Packed

Yes

Scan Files

Yes

Scan Boot

Yes

Scanned File

Status

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580000.VBN=>(Quarantine-PE)

Infected with: Trojan.Generic.69276

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580000.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580000.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580001.VBN=>(Quarantine-PE)

Infected with: Trojan.Generic.69276

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580001.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580001.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580004.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Detected with: Adware.TTC.B

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580004.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580004.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580004.VBN=>(Quarantine-PE)=>(NSIS o)

Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580005.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Detected with: Adware.TTC.B

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580005.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580005.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580005.VBN=>(Quarantine-PE)=>(NSIS o)

Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580006.VBN=>(Quarantine-PE)

Infected with: Trojan.Generic.69783

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580006.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580006.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580007.VBN=>(Quarantine-PE)

Infected with: Trojan.Generic.69783

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580007.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580007.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000A.VBN=>(Quarantine-PE)

Infected with: Trojan.BHO.AW

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000A.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000A.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000B.VBN=>(Quarantine-PE)

Infected with: Trojan.BHO.AW

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000B.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000B.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000C.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Detected with: Adware.TTC.B

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000C.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000C.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000C.VBN=>(Quarantine-PE)=>(NSIS o)

Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000D.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Detected with: Adware.TTC.B

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000D.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000D.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000D.VBN=>(Quarantine-PE)=>(NSIS o)

Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08B80000.VBN=>(Quarantine-PE)

Infected with: Trojan.Generic.69783

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08B80000.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08B80000.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A340000.VBN=>(Quarantine-PE)

Infected with: Trojan.Generic.69276

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A340000.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A340000.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A940000.VBN=>(Quarantine-PE)

Infected with: Trojan.BHO.AW

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A940000.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A940000.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB80000.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Detected with: Adware.TTC.B

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB80000.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB80000.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB80000.VBN=>(Quarantine-PE)=>(NSIS o)

Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB00000.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Detected with: Adware.TTC.B

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB00000.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB00000.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB00000.VBN=>(Quarantine-PE)=>(NSIS o)

Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D540000.VBN=>(Quarantine-PE)

Infected with: Trojan.Clicker.MNB

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D540000.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D540000.VBN=>(Quarantine-PE)

Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D540001.VBN=>(Quarantine-PE)

Infected with: Trojan.Clicker.MNB

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D540001.VBN=>(Quarantine-PE)

Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D540001.VBN=>(Quarantine-PE)

Deleted

C:\qoobox\Quarantine\C\WINDOWS\system32\_suspicious_files\winshow.exe.vir

Infected with: Trojan.Generic.73139

C:\qoobox\Quarantine\C\WINDOWS\system32\_suspicious_files\winshow.exe.vir

Disinfection failed

C:\qoobox\Quarantine\C\WINDOWS\system32\_suspicious_files\winshow.exe.vir

Deleted

C:\qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir

Infected with: Trojan.Small.WY

C:\qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir

Disinfection failed

C:\qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir

Deleted

C:\RECYCLER\NPROTECT\00000773

Infected with: Trojan.Small.WY

C:\RECYCLER\NPROTECT\00000773

Disinfection failed

C:\RECYCLER\NPROTECT\00000773

Deleted

C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP2\A0000279.vbs

Infected with: Trojan.Small.WY

C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP2\A0000279.vbs

Disinfection failed

C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP2\A0000279.vbs

Deleted

C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000616.exe

Infected with: Trojan.Generic.73139

C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000616.exe

Disinfection failed

C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000616.exe

Deleted

K:\OMFI MediaFiles\NotanOptV01.473DB668.4E2130.omf

Clean

K:\OMFI MediaFiles\note paper.tif11940472B194A.omf

Clean

K:\OMFI MediaFiles\OBSESSION W-TAG.mp347386ABF.aif

Clean

K:\OMFI MediaFiles\OBSESSION W-TAG47386ABF.1.aif

Clean

K:\OMFI MediaFiles\Ola in the office (46FBB1BA.omf

Clean

K:\OMFI MediaFiles\Ola in the office (46FBB1F8.omf

Clean

K:\OMFI MediaFiles\om04013.mp3.A147571B7A.aif

Clean

K:\OMFI MediaFiles\om04013.mp3.A247571B7A.aif

Clean

K:\OMFI MediaFiles\om04014.mp3.A147571B86.aif

Clean

K:\OMFI MediaFiles\om04014.mp3.A247571B86.aif

Clean

K:\OMFI MediaFiles\om08703.mp3.A147571B8D.aif

Clean

K:\OMFI MediaFiles\om08703.mp3.A247571B8E.aif

Clean

K:\OMFI MediaFiles\om08713.mp3.A147571B93.aif

Clean

K:\OMFI MediaFiles\om08713.mp3.A247571B93.aif

Clean

K:\OMFI MediaFiles\om08718.mp3.A147571B99.aif

Clean

K:\OMFI MediaFiles\om08718.mp3.A247571B99.aif

Clean

K:\OMFI MediaFiles\om13707.waA01.4741D4741D748.aif

Clean

K:\OMFI MediaFiles\om13707.waA02.4741D4741D748.aif

Clean

K:\OMFI MediaFiles\om14715.waA01.46FA646FA6D2C.aif

Clean

K:\OMFI MediaFiles\om14715.waA02.46FA646FA6D2C.aif

Clean

K:\OMFI MediaFiles\om16322.waA01.4758647586F6E.aif

Clean

K:\OMFI MediaFiles\om16322.waA01.4759547595E82.aif

Clean

K:\OMFI MediaFiles\om16322.waA01.4759547595E83.aif

Clean

K:\OMFI MediaFiles\om16322.waA01.4759547595E83.aif=>REMOVED_NULLS

Clean

K:\OMFI MediaFiles\om16322.waA02.4758647586F6E.aif

Clean

K:\OMFI MediaFiles\om16322.waA02.4759547595E82.aif

Clean

K:\OMFI MediaFiles\om16322.waA02.4759547595E83.aif

Clean

K:\OMFI MediaFiles\om16322.waA02.4759547595E83.aif=>REMOVED_NULLS

Clean

K:\OMFI MediaFiles\om16505.mpA01.4758647586F79.aif

Clean

K:\OMFI MediaFiles\om16505.mpA01.4759547595E83.aif

Clean

K:\OMFI MediaFiles\om16505.mpA02.4758647586F79.aif

Clean

K:\OMFI MediaFiles\om16505.mpA02.4759547595E83.aif

Clean

K:\OMFI MediaFiles\om16514.waA01.46E0646E069B8.aif

Clean

K:\OMFI MediaFiles\om16514.waA01.46FA646FA6D31.aif

Clean

K:\OMFI MediaFiles\om16514.waA02.46E0646E069B9.aif

Clean

K:\OMFI MediaFiles\om16514.waA02.46FA646FA6D31.aif

Clean

K:\OMFI MediaFiles\om16703.waA01.474C8474C8CE4.aif

Clean

K:\OMFI MediaFiles\om16703.waA01.4758647586F93.aif

Clean

K:\OMFI MediaFiles\om16703.waA01.4759547595E84.aif

Clean

K:\OMFI MediaFiles\om16703.waA01.4759547595E86.aif

Clean

K:\OMFI MediaFiles\om16703.waA02.474C8474C8CE4.aif

Clean

K:\OMFI MediaFiles\om16703.waA02.4758647586F93.aif

Clean

K:\OMFI MediaFiles\om16703.waA02.4759547595E84.aif

Clean

K:\OMFI MediaFiles\om16703.waA02.4759547595E86.aif

Clean

K:\OMFI MediaFiles\om16704.waA01.474C8474C8CFB.aif

Clean

K:\OMFI MediaFiles\om16704.waA01.4758647586FA6.aif

Clean

K:\OMFI MediaFiles\om16704.waA01.4759547595E86.aif

Clean

K:\OMFI MediaFiles\om16704.waA01.4759547595E88.aif

Clean

K:\OMFI MediaFiles\om16704.waA01.4759547595E88.aif=>REMOVED_NULLS

Clean

K:\OMFI MediaFiles\om16704.waA02.474C8474C8CFB.aif

Clean

K:\OMFI MediaFiles\om16704.waA02.4758647586FA6.aif

Clean

K:\OMFI MediaFiles\om16704.waA02.4759547595E86.aif

Clean

K:\OMFI MediaFiles\om16704.waA02.4759547595E88.aif

Clean

K:\OMFI MediaFiles\om16704.waA02.4759547595E88.aif=>REMOVED_NULLS

Clean

K:\OMFI MediaFiles\om16705.waA01.474C8474C8D17.aif

Clean

K:\OMFI MediaFiles\om16705.waA02.474C8474C8D17.aif

Clean

K:\OMFI MediaFiles\om16714.waA01.474C8474C8D2E.aif

Clean

K:\OMFI MediaFiles\om16714.waA02.474C8474C8D2E.aif

Clean

K:\OMFI MediaFiles\om16717.waA01.474C8474C8D46.aif

Clean

K:\OMFI MediaFiles\om16717.waA02.474C8474C8D46.aif

Clean

K:\OMFI MediaFiles\om16718.waA01.474C8474C8D5C.aif

Clean

K:\OMFI MediaFiles\om16718.waA02.474C8474C8D5C.aif

Clean

K:\OMFI MediaFiles\opportunity1190664146F817C2.omf

Clean

K:\OMFI MediaFiles\opportunity11906646F817C2.0.omf

Clean

K:\OMFI MediaFiles\OTHER1190664679V046F819E7.omf

Clean

K:\OMFI MediaFiles\OTHER1190664680V046F819E8.omf

Clean

K:\OMFI MediaFiles\Palio slate 1.bmp1146E168D4.omf

Clean

K:\OMFI MediaFiles\Palio slate 1.bmp1146E168E9.omf

Clean

K:\OMFI MediaFiles\Palio slate 1.bmp1147307D4F.omf

Clean

K:\OMFI MediaFiles\Palio slate 1.bmp1147307D52.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C68.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C6A.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C8F.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C91.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C93.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dissol473E0C65.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dissol473E0C66.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dissol473E0C6A.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dissol473E0C6C.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473A006E.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0CC4.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0D01.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0D04.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0D5C.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0D60.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E106C.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade t473E0CC5.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0A8C.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0C96.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0CA7.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0CB5.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0D8D.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0FD8.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E10DD.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0B31.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0CC7.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0CC8.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0D05.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0D9E.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0D9F.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0FEB.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E1070.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E10E4.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Title_473E0A80.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Title_473E0C42.omf

Clean

K:\OMFI MediaFiles\Part 1 cut 2_Title_473E0C4B.omf

Clean

********************

alba · 12-11-2007, 11:16 PM

Hi bagofbeef

Your logs are clean well done!

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

You can also empty Nortons quarantine
==========================

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

* It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER

*Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

===================================

Follow the list above and the potential for infection will reduce dramatically.

Please respond to this thread one more time so we can mark this thread as resolved.

bagofbeef · 12-12-2007, 07:10 AM

Great! Thanks for all of the help, and the links to the anti-spyware stuff.

12-06-2007, 07:33 AM	#1 (permalink)
bagofbeef Registered User Join Date: Dec 2007 Posts: 10 OS: Windows XP w/SP2	Vundo / mljji.dll infection I've been having issues with the Vundo virus for a few weeks. As of a few days ago, everything seemed to be clean exept for System32\mljji.dll. I haven't been able to remove it. In the last couple of days, I've been getting more and more Vundo notifications from Symantec. I need some help to get Vundo off of my machine. Here's the HijackThis log: ************** Logfile of HijackThis v1.99.1 Scan saved at 10:30:05 AM, on 12/6/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\AvidSDMService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Digidesign\Drivers\MMERefresh.exe C:\Program Files\FolderSize\FolderSizeSvc.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\Program Files\Avid\Avid Media Composer\AvidMediaComposer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\ywupmeyg.exe C:\Downloads\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [Blackmagic CheckVersion PCI] C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing) O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe O23 - Service: DomainService - - C:\WINDOWS\system32\ywupmeyg.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe ******************** Thanks in advance for the help.

12-09-2007, 12:31 AM	#2 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Re: Vundo / mljji.dll infection Hi bagofbeef I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help. Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. =============================================== Additional Downloads Please download these additional files/programs. Do not run them until instructed to do so. Unless otherwise stated, they should be stored in same directory as the HiJackThis program. ================= Download ComboFix Alternate Link ComboFix and save it to your desktop. Note: It is important that it is saved directly to your desktop =============================================== 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. =============================================== Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall ================= Please Run a scan with HiJackThis and save the log ================= In your next post, please include fresh logs from: ComboFix.txt HiJackThis Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat

12-10-2007, 09:29 AM	#4 (permalink)
bagofbeef Registered User Join Date: Dec 2007 Posts: 10 OS: Windows XP w/SP2	Re: Vundo / mljji.dll infection Oops. sorry - didn't mean to paste AND attach...

12-10-2007, 11:20 AM	#5 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Re: Vundo / mljji.dll infection Hi bagofbeef Can you tell me what happened on 2007-11-12, because what ever it was it created all these folders ??mantec and unfortunately you will have to delete them manually. Please follow my instructions carefully and take your time =============================================== Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. =============================================== If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools>Folder Options> View tab. Tick - Show hidden files and folder Untick - Hide file extensions for known types Untick - Hide protected operating system files Click Yes to confirm & then click OK Locate and delete the following folders, if present. You will see the full name of the folder (??asks = tasks etc) If there are two folders of the same name right click on them and then click on properties ONLY delete folders that were created on 2007-11-12 C:\Program Files\Common Files\ ??sks C:\Program Files\ ??stem C:\Program Files\Common Files\ ?ssembly C:\Program Files\ ?ppPatch C:\Program Files\ ??sks C:\Program Files\?ppPatch C:\Program Files\ ?dobe C:\Program Files\ ??sks C:\Program Files\ ??crosoft.NET C:\Program Files\ ??crosoft C:\Documents and Settings\Administrator\Application Data\ ?icrosoft C:\Program Files\Common Files\ ?ymantec C:\Program Files\Common Files\ ??pPatch C:\Program Files\Common Files\ ??crosoft C:\Documents and Settings\Administrator\Application Data\ ??curity C:\Program Files\Common Files\ ?racle C:\Program Files\Common Files\ ?icrosoft.NET C:\Program Files\Common Files\ ?icrosoft C:\Program Files\Common Files\ ?ecurity C:\Program Files\Common Files\ ??mantec C:\Program Files\Common Files\ ??crosoft.NET C:\Program Files\ ?ecurity C:\Program Files\ ??stem32 C:\Program Files\ ??pPatch C:\Program Files\ ??mantec C:\Program Files\ ??crosoft C:\Documents and Settings\Administrator\Application Data\ ?racle C:\Program Files\Common Files\ ?racle C:\Program Files\Common Files\ ?ppPatch C:\Program Files\Common Files\ ?icrosoft C:\Program Files\Common Files\ ?dobe C:\Program Files\Common Files\ ??stem C:\Program Files\Common Files\ ??sembly C:\Program Files\Common Files\ ??pPatch C:\Program Files\Common Files\ ??mbols C:\Program Files\ ?ymantec C:\Program Files\ ?ssembly C:\Program Files\ ?icrosoft.NET C:\Program Files\ ?icrosoft C:\Program Files\ ??sembly C:\Program Files\ ??curity C:\Program Files\Common Files\ ?ystem32 C:\Program Files\Common Files\ ?ymbols C:\Program Files\Common Files\ ??stem32 C:\Program Files\Common Files\ ??curity C:\Program Files\Common Files\ ??crosoft.NET C:\Program Files\Common Files\ ??crosoft C:\Program Files\ ?ystem C:\Program Files\ ?racle C:\Program Files\ ?racle C:\Program Files\ ?icrosoft C:\Program Files\ ?asks C:\Program Files\ ??pPatch C:\Program Files\ ??mbols C:\Program Files\ ??crosoft.NET C:\Documents and Settings\Administrator\Application Data\ ??crosoft.NET C:\Documents and Settings\Administrator\Application Data\ ??crosoft C:\Program Files\Common Files\ ?ystem C:\Program Files\Common Files\ ?ppPatch C:\Program Files\Common Files\ ?icrosoft.NET C:\Program Files\Common Files\ ?dobe C:\Program Files\Common Files\ ?asks C:\Program Files\Common Files\ ?asks C:\Program Files\Common Files\ ??sks C:\Program Files\ ?ystem32 C:\Program Files\ ?ymbols C:\Program Files\ ?icrosoft.NET C:\Program Files\ ?dobe C:\Program Files\ ?asks C:\Documents and Settings\Administrator\Application Data\ ?icrosoft.NET C:\Documents and Settings\Administrator\Application Data\ ?asks C:\Documents and Settings\Administrator\Application Data\ ??stem32 C:\Documents and Settings\Administrator\Application Data\ ??stem C:\Documents and Settings\Administrator\Application Data\ ??sks C:\Documents and Settings\Administrator\Application Data\ ??mbols C:\Documents and Settings\Administrator\Application Data\ ??mantec =============================================== REBOOT TO NORMAL MODE ================= Open notepad and carefully copy/paste all the text in the code box below into it: Code: File:: C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\ahhitmqb.dll Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbyax] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkyearhj] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\53062b4b] DirLook:: C:\Documents and Settings\Administrator\.java C:\WINDOWS\system32\_suspicious_files Save this as CFScript.txt Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ================= Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. ================= Please Run a scan with HiJackThis and save the log ================= In your next post, please include fresh logs from: ComboFix.txt HiJackThis Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat Last edited by alba; 12-10-2007 at 11:23 AM.

12-10-2007, 12:47 PM	#6 (permalink)
bagofbeef Registered User Join Date: Dec 2007 Posts: 10 OS: Windows XP w/SP2	Re: Vundo / mljji.dll infection I'm not sure if I'll get a chance to post the Kaspersky log today. The scan is at 1%, and it's been going for about 20 minutes or so -- to this point, it's found 16 viruses, 95 infected objects, and 2 suspicious objects. Again, I'll post the full log tomorrow, along with the ComboFix log and the HijackThis log. Thanks again.

12-11-2007, 08:58 AM	#8 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Re: Vundo / mljji.dll infection Hi bagofbeef Did you download anything on that day we dont judge but it would be interesting to know where the infection came from in future please copy/paste your logs into your reply when you attach them it makes it harder to read the logs and takes much longer to prepare a fix for you We are nearly there so lets get going. I have asked you to remove CuteFTP because it is infected with adware see Here for more info --------------------------------------- Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. =============================================== S& D Spybot's Tea Timer While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose "Yes" at the Warning prompt. Expand the "Tools" menu. Click "Resident". Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. In the File menu click "Exit" to exit Spybot Search & Destroy. ================= From Control Panel->Add/Remove Programs, uninstall the following programs, if present, : Web Buying CuteFTP ================= Okay same as last time, you can try deleting them from normal mode first, this should be them all just take your time and check duplicate folders for the creation date 2007-11-12 Locate and delete the following folders, if present: C:\WINDOWS\system32\ s?mbols C:\WINDOWS\ ?racle C:\WINDOWS\ ?ymantec C:\WINDOWS\system32\ a?sembly C:\WINDOWS\ ?racle C:\WINDOWS\system32\ A?pPatch C:\WINDOWS\system32\ ?racle C:\WINDOWS\ ?icrosoft C:\WINDOWS\ M?crosoft C:\WINDOWS\system32\ ?racle C:\WINDOWS\system32\ ?icrosoft.NET C:\WINDOWS\system32\ s?mbols C:\WINDOWS\system32\ S?mantec C:\WINDOWS\ s?mbols C:\WINDOWS\system32\ ?asks C:\WINDOWS\ M?crosoft C:\WINDOWS\ ?dobe C:\Program Files\ W?nSxS C:\Program Files\Common Files\ W?nSxS ============================================ 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open notepad and carefully copy/paste all the text in the code box below into it: Code: File:: C:\Downloads\cUTE ftp\CUTE4032.EXE Folder:: C:\WINDOWS\system32\_suspicious_files C:\Program Files\Web Buying C:\Program Files\GlobalSCAPE Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying] Save this as CFScript.txt Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ==================================== Please empty your recycle bin and spybots recovery folder I see you have been to bitdefender online scan please go there again and do another scan Go here and do the BitDefender online virus scan. Click "I Agree" to agree to the EULA. Allow the ActiveX control to install when prompted. Leave the scanning options at default and press "Click here to scan" to begin the scan. Please refrain from using the computer until the scan is finished. When the scan is finished, click on "Click here to export the scan results" Save the report to your desktop then come back here and post it in your next reply ================= Please Run a scan with HiJackThis and save the log ================= In your next post, please include fresh logs from: ComboFix.txt Bitdefender report HiJackThis Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat Last edited by alba; 12-11-2007 at 09:04 AM.

12-11-2007, 09:51 AM	#9 (permalink)
bagofbeef Registered User Join Date: Dec 2007 Posts: 10 OS: Windows XP w/SP2	Re: Vundo / mljji.dll infection All righty: I removed CuteFTP. I deleted the 11-12 folders in normal mode, and then went to safe mode to see if they'd come back. They did. So I deleted them in safe mode. Went back to normal mode and ran ComboFix. I emptied the recycle bin and purged SpyBot's recovery folder -- I assume that this is done within the program -- I didn't see any 'Recovery' directory in \Program Files\Spybot. So I opened the program, clicked the recovery tab, selected all of the items, and clicked 'purge'. I went to start the BitDefender scan, and got this: I just canceled out of it.

12-11-2007, 09:59 AM	#10 (permalink)
bagofbeef Registered User Join Date: Dec 2007 Posts: 10 OS: Windows XP w/SP2	Re: Vundo / mljji.dll infection I tried BitDefender again, and it just went right into scanning, without asking me to download the definitions. I'm just letting it run. (I'm posting this reply from a different machine).

12-11-2007, 11:16 PM	#12 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Re: Vundo / mljji.dll infection Hi bagofbeef Your logs are clean well done! The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point. Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK: ComboFix /u You can also empty Nortons quarantine ========================== To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. * It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page. IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles: PC Safety and Security--What Do I Need? HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein MAKING INTERNET EXPLORER SAFER Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. =================================== Follow the list above and the potential for infection will reduce dramatically. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Member of UNITE* If I have helped you in anyway, please DONATE to TSF Go raibh maith agat Last edited by alba; 12-11-2007 at 11:19 PM.

12-12-2007, 07:10 AM	#13 (permalink)
bagofbeef Registered User Join Date: Dec 2007 Posts: 10 OS: Windows XP w/SP2	Re: Vundo / mljji.dll infection Great! Thanks for all of the help, and the links to the anti-spyware stuff.