Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 12-06-2007, 08:33 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 10
OS: Windows XP w/SP2


Vundo / mljji.dll infection

I've been having issues with the Vundo virus for a few weeks. As of a few days ago, everything seemed to be clean except for System32\mljji.dll. I haven't been able to remove it. In the last couple of days, I've been getting more and more Vundo notifications from Symantec. I need some help to get Vundo off of my machine. Here's the HijackThis log:

**************

Logfile of HijackThis v1.99.1
Scan saved at 10:30:05 AM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Avid\Avid Media Composer\AvidMediaComposer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ywupmeyg.exe
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Blackmagic CheckVersion PCI] C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ywupmeyg.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


********************


Thanks in advance for the help.
bagofbeef is offline  
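Added example, not from the original post or its helpers: a small Python triage script that applies, mechanically, the checks a log reader does by eye on the HijackThis log above. It flags an O23 service with an empty publisher string (DomainService), a service whose binary is gone (cmdService, "file missing"), an executable running directly from system32 that is not on a per-machine allowlist (ywupmeyg.exe), and Run or Winlogon Notify entries that load DLLs from system32 which are not allowlisted. The KNOWN_GOOD allowlist is my assumption for this one machine, and the O20 line and the [53062b4b] rundll32 entry in the sample are constructed from the ComboFix registry section later in the thread, in the form HijackThis prints such entries. It also shows why "Unknown owner" alone is a weak signal: the Avid Startup service carries it and is allowlisted here as the vendor component it appears to be.

```python
"""Triage a HijackThis 1.99.1 log for Vundo-style loading points.

Added example for this thread, not a tool the poster or the helper used. The rules
and the KNOWN_GOOD allowlist are assumptions for this one machine: a hit is a lead
to verify (hash, signer, vendor), not a verdict.
"""
import ntpath
import re

# Files verified as legitimate on this machine (assumption for the example).
# Anything else loaded directly from system32 is treated as a lead.
KNOWN_GOOD = {
    "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe",
    "explorer.exe", "rundll32.exe", "ctfmon.exe", "nvsvc32.exe", "tablet.exe",
    "nwiz.exe", "avidsdmservice.exe", "avidstartup.exe", "nvcpl.dll", "nvmctray.dll",
}

IN_SYSTEM32 = re.compile(r"\\windows\\system32\\[^\\]+$", re.I)  # file directly in system32
# O23 is "name - company - path"; an empty company prints as "name - - path", hence " ?-".
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?) ?- (?P<path>[a-z]:\\.+)$", re.I)
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>.+?)\] (?P<cmd>.+)$")
PROCESS = re.compile(r"^[a-z]:\\.+\.exe$", re.I)
FIRST_FILE = re.compile(r'^"([^"]+)"|^(\S.*?\.(?:exe|dll))', re.I)


def _unverified(path):
    """True when `path` is a file directly in system32 that is not allowlisted."""
    return bool(IN_SYSTEM32.search(path)) and ntpath.basename(path).lower() not in KNOWN_GOOD


def _o4_target(cmd):
    """The file an O4 Run entry really loads: the DLL argument for rundll32, else the exe."""
    m = FIRST_FILE.match(cmd)
    if not m:
        return ""
    head = m.group(1) or m.group(2)
    rest = cmd[m.end():].strip()
    if ntpath.basename(head).lower() == "rundll32.exe" and rest:
        return rest.split(",", 1)[0].strip().strip('"')
    return head


def triage(log_lines):
    """Return (line, reason) pairs for every loading point that deserves a second look."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = O23.match(line)
        if m:
            if m["company"] == "":
                findings.append((line, "service with no publisher string"))
            elif "(file missing)" in m["path"]:
                findings.append((line, "service points at a missing file"))
            elif m["company"] == "Unknown owner" and ntpath.basename(m["path"]).lower() not in KNOWN_GOOD:
                findings.append((line, "service with unknown owner and unverified binary"))
            continue
        m = O20.match(line)
        if m:
            if ntpath.basename(m["path"]).lower() not in KNOWN_GOOD:
                findings.append((line, "Winlogon Notify DLL not in allowlist"))
            continue
        m = O4.match(line)
        if m:
            if _unverified(_o4_target(m["cmd"])):
                findings.append((line, "Run key loads unverified file from system32"))
            continue
        if PROCESS.match(line) and _unverified(line):
            findings.append((line, "unrecognised executable running from system32"))
    return findings


# Lines copied from the HijackThis log above. The O20 line and the [53062b4b] O4 line are
# constructed from the ComboFix registry section later in the thread, in the form
# HijackThis prints such entries.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ywupmeyg.exe
C:\Downloads\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [53062b4b] rundll32.exe C:\WINDOWS\system32\ahhitmqb.dll,b
O20 - Winlogon Notify: pkyearhj - C:\WINDOWS\system32\pkyearhj.dll
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\ywupmeyg.exe
""".strip().splitlines()

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run as-is it prints five leads: the ywupmeyg.exe process, the rundll32 entry for ahhitmqb.dll, the pkyearhj Winlogon Notify DLL, the dead cmdService entry and the publisher-less DomainService. The allowlist is what keeps the noise down; on another machine it has to be rebuilt from files you have actually verified, which is exactly the work the helpers in this forum do by hand.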
Old 12-09-2007, 01:31 AM   #2 (permalink)
Analyst, Security Team
 
alba's Avatar
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Re: Vundo / mljji.dll infection

Hi bagofbeef

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

=================


Download ComboFix

Alternate Link
ComboFix

and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

===============================================

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

===============================================

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



=================

Please Run a scan with HiJackThis and save the log

=================

In your next post, please include fresh logs from:
  • ComboFix.txt
  • HiJackThis
Please provide details of any problems you encountered whilst performing the above steps, and update us on how the computer behaves now.
__________________


Member of UNITE

If I have helped you in any way, please DONATE to TSF. Thank you (Go raibh maith agat)
alba is offline  
Old 12-10-2007, 07:53 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 10
OS: Windows XP w/SP2


Re: Vundo / mljji.dll infection

Thanks for getting back to me. I just ran ComboFix and HijackThis. The logs are attached.

ComboFix 07-12-10.2 - Administrator 2007-12-10 9:31:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2599 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Messenger\rtemem.html
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\WINDOWS\IA
C:\WINDOWS\IA\\KE.vbs
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\system32\_suspicious_files\ijjlm.ini
C:\WINDOWS\system32\_suspicious_files\ijjlm.ini2
C:\WINDOWS\system32\decysktp.dll
C:\WINDOWS\system32\f1
C:\WINDOWS\system32\gxqejttr.dll
C:\WINDOWS\system32\h2
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\kurnvwvv.dll
C:\WINDOWS\system32\lxhkqjtw.dll
C:\WINDOWS\system32\m1
C:\WINDOWS\system32\media
C:\WINDOWS\system32\media\AvidRender.wav
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\mrqkwpfv.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\sppugjyx.dll
C:\WINDOWS\system32\tdhoptxn.dll
C:\WINDOWS\system32\vfpwkqrm.dll
C:\WINDOWS\system32\xpjvvppx.ini
C:\WINDOWS\system32\xppvvjpx.dll
C:\WINDOWS\system32\xyjgupps.ini
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-04 14:33 . 2007-12-04 14:33 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-04 14:33 . 2007-12-04 14:33 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-04 12:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-04 12:28 . 2007-12-04 12:28 <DIR> d-------- C:\Documents and Settings\Administrator\.java
2007-12-04 12:15 . 2007-12-10 09:36 <DIR> d-------- C:\WINDOWS\system32\_suspicious_files
2007-11-28 15:15 . 2007-11-28 15:15 90 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-28 09:38 . 2007-12-06 11:50 <DIR> d-------- C:\OMFI MediaFiles
2007-11-27 16:51 . 2007-12-06 14:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-21 09:10 . 2007-12-08 20:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-21 09:10 . 2007-11-21 09:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-20 09:11 . 2007-11-26 15:55 <DIR> d-------- C:\VundoFix Backups
2007-11-14 12:21 . 2007-12-04 12:35 10,676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-14 12:21 . 2007-12-04 12:35 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-14 12:02 . 2007-11-14 12:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-13 14:22 . 2007-11-13 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 12:43 . 2007-11-13 12:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-13 12:42 . 2007-11-13 12:42 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-13 09:00 . 2007-11-13 09:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-12 14:59 . 2007-11-12 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2007-11-12 14:46 . 2007-11-12 14:46 <DIR> d-------- C:\Program Files\Nero
2007-11-12 14:46 . 2007-11-12 14:49 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-12 14:46 . 2007-11-12 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-12 12:07 . 2007-07-20 09:18 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-11-12 12:06 . 2007-11-12 12:06 <DIR> d-------- C:\WINDOWS\system32\s?mbols
2007-11-12 12:05 . 2005-09-22 12:35 <DIR> d---s---- C:\WINDOWS\Tasks
2007-11-12 12:04 . 2007-11-12 11:58 <DIR> d-------- C:\WINDOWS\?racle
2007-11-12 12:04 . 2007-11-12 12:04 <DIR> d-------- C:\Program Files\Common Files\A?pPatch
2007-11-12 12:03 . 2007-11-12 12:03 <DIR> d-------- C:\Program Files\Common Files\T?sks
2007-11-12 12:03 . 2007-11-12 12:03 <DIR> d-------- C:\Program Files\Common Files\T?sks
2007-11-12 12:02 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\F?nts
2007-11-12 12:02 . 2007-11-12 12:00 <DIR> d-------- C:\Program Files\s?stem
2007-11-12 12:01 . 2007-11-12 12:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\s?curity
2007-11-12 12:00 . 2007-11-12 12:00 <DIR> d-------- C:\WINDOWS\?ymantec
2007-11-12 12:00 . 2007-08-15 12:06 <DIR> d-------- C:\WINDOWS\AppPatch
2007-11-12 12:00 . 2007-11-12 12:00 <DIR> d-------- C:\Program Files\s?stem
2007-11-12 11:59 . 2007-11-12 11:59 <DIR> d-------- C:\WINDOWS\system32\M?crosoft.NET
2007-11-12 11:59 . 2004-11-09 23:24 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-11-12 11:59 . 2007-07-20 09:18 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-11-12 11:59 . 2007-11-12 11:54 <DIR> d-------- C:\Program Files\ēasks
2007-11-12 11:59 . 2007-11-12 11:59 <DIR> d-------- C:\Program Files\Common Files\?ssembly
2007-11-12 11:59 . 2007-11-12 11:59 <DIR> d-------- C:\Program Files\a?sembly
2007-11-12 11:59 . 2007-11-12 11:59 <DIR> d-------- C:\Program Files\A?pPatch
2007-11-12 11:59 . 2007-11-12 11:58 <DIR> d-------- C:\Program Files\ąppPatch
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\WINDOWS\system32\a?sembly
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\WINDOWS\?racle
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\Program Files\ąppPatch
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\Program Files\ądobe
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\Program Files\s?mbols
2007-11-12 11:58 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\T?sks
2007-11-12 11:58 . 2005-09-22 13:18 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-12 11:58 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\M?crosoft
2007-11-12 11:58 . 2007-11-12 11:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\s?mbols
2007-11-12 11:58 . 2006-10-12 07:50 <DIR> d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-12 11:57 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\ēasks
2007-11-12 11:57 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\ąppPatch
2007-11-12 11:57 . 2007-11-12 11:57 <DIR> d-------- C:\WINDOWS\system32\A?pPatch
2007-11-12 11:57 . 2007-11-12 11:56 <DIR> d-------- C:\WINDOWS\system32\?racle
2007-11-12 11:57 . 2007-07-20 09:18 <DIR> dr--s---- C:\WINDOWS\assembly
2007-11-12 11:57 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\?icrosoft
2007-11-12 11:57 . 2007-08-15 12:06 <DIR> d-------- C:\WINDOWS\AppPatch
2007-11-12 11:57 . 2007-11-12 11:55 <DIR> d-------- C:\WINDOWS\M?crosoft
2007-11-12 11:57 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\Common Files\ąppPatch
2007-11-12 11:57 . 2007-11-12 11:57 <DIR> d-------- C:\Program Files\Common Files\?ymantec
2007-11-12 11:57 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\Common Files\M?crosoft
2007-11-12 11:57 . 2007-11-12 12:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\s?curity
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\WINDOWS\system32\?racle
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\WINDOWS\system32\?icrosoft.NET
2007-11-12 11:56 . 2007-11-12 12:06 <DIR> d-------- C:\WINDOWS\system32\s?mbols
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\system32\S?mantec
2007-11-12 11:56 . 2006-05-03 16:47 <DIR> d-------- C:\WINDOWS\security
2007-11-12 11:56 . 2007-07-20 09:18 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\WINDOWS\s?mbols
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\s?stem32
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\F?nts
2007-11-12 11:56 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\Common Files\?racle
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\Common Files\?icrosoft.NET
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\Common Files\?icrosoft
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\Common Files\?ecurity
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\Common Files\S?mantec
2007-11-12 11:56 . 2007-11-12 11:53 <DIR> d-------- C:\Program Files\Common Files\M?crosoft.NET
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\?ecurity
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Program Files\s?stem32
2007-11-12 11:56 . 2007-11-12 11:59 <DIR> d-------- C:\Program Files\A?pPatch
2007-11-12 11:56 . 2007-12-04 12:35 <DIR> d-------- C:\Program Files\Symantec
2007-11-12 11:56 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\M?crosoft
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\a?sembly
2007-11-12 11:56 . 2007-11-12 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\?racle
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\WINDOWS\ądobe
2007-11-12 11:55 . 2004-11-09 23:24 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\WINDOWS\system32\?asks
2007-11-12 11:55 . 2007-07-20 09:18 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\WINDOWS\M?crosoft
2007-11-12 11:55 . 2005-09-22 12:35 <DIR> d---s---- C:\WINDOWS\Tasks
2007-11-12 11:55 . 2006-05-03 16:47 <DIR> d-------- C:\WINDOWS\security
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\s?curity
2007-11-12 11:55 . 2005-09-22 13:18 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\M?crosoft
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\Common Files\ąppPatch
2007-11-12 11:55 . 2007-11-12 11:55 <DIR> d-------- C:\Program Files\Common Files\ądobe
2007-11-12 11:55 . 2007-06-13 08:02 <DIR> d-------- C:\Program Files\Common Files\System

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 14:40 0 ----a-w C:\WINDOWS\system32\drivers\WFTDriverLog.txt
2007-12-09 01:20 --------- d-----w C:\Program Files\Norton SystemWorks
2007-12-04 17:37 --------- d-----w C:\Program Files\Google
2007-12-04 17:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-04 17:35 --------- d-----w C:\Program Files\Symantec
2007-12-04 17:32 --------- d-----w C:\Program Files\Java
2007-11-12 17:03 --------- d-----w C:\Program Files\Common Files\??sks
2007-11-12 17:02 --------- d-----w C:\Program Files\??stem
2007-11-12 16:59 --------- d-----w C:\Program Files\Common Files\?ssembly
2007-11-12 16:59 --------- d-----w C:\Program Files\?ppPatch
2007-11-12 16:59 --------- d-----w C:\Program Files\??sks
2007-11-12 16:58 --------- d-----w C:\Program Files\?ppPatch
2007-11-12 16:58 --------- d-----w C:\Program Files\?dobe
2007-11-12 16:58 --------- d-----w C:\Program Files\??sks
2007-11-12 16:58 --------- d-----w C:\Program Files\??crosoft.NET
2007-11-12 16:58 --------- d-----w C:\Program Files\??crosoft
2007-11-12 16:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\?icrosoft
2007-11-12 16:57 --------- d-----w C:\Program Files\Common Files\?ymantec
2007-11-12 16:57 --------- d-----w C:\Program Files\Common Files\??pPatch
2007-11-12 16:57 --------- d-----w C:\Program Files\Common Files\??crosoft
2007-11-12 16:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??curity
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\?racle
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\?icrosoft.NET
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\?icrosoft
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\?ecurity
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\??mantec
2007-11-12 16:56 --------- d-----w C:\Program Files\Common Files\??crosoft.NET
2007-11-12 16:56 --------- d-----w C:\Program Files\?ecurity
2007-11-12 16:56 --------- d-----w C:\Program Files\??stem32
2007-11-12 16:56 --------- d-----w C:\Program Files\??pPatch
2007-11-12 16:56 --------- d-----w C:\Program Files\??mantec
2007-11-12 16:56 --------- d-----w C:\Program Files\??crosoft
2007-11-12 16:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\?racle
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\?racle
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\?ppPatch
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\?icrosoft
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\?dobe
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\??stem
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\??sembly
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\??pPatch
2007-11-12 16:55 --------- d-----w C:\Program Files\Common Files\??mbols
2007-11-12 16:55 --------- d-----w C:\Program Files\?ymantec
2007-11-12 16:55 --------- d-----w C:\Program Files\?ssembly
2007-11-12 16:55 --------- d-----w C:\Program Files\?icrosoft.NET
2007-11-12 16:55 --------- d-----w C:\Program Files\?icrosoft
2007-11-12 16:55 --------- d-----w C:\Program Files\??sembly
2007-11-12 16:55 --------- d-----w C:\Program Files\??curity
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\?ystem32
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\?ymbols
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\??stem32
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\??curity
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\??crosoft.NET
2007-11-12 16:54 --------- d-----w C:\Program Files\Common Files\??crosoft
2007-11-12 16:54 --------- d-----w C:\Program Files\?ystem
2007-11-12 16:54 --------- d-----w C:\Program Files\?racle
2007-11-12 16:54 --------- d-----w C:\Program Files\?racle
2007-11-12 16:54 --------- d-----w C:\Program Files\?icrosoft
2007-11-12 16:54 --------- d-----w C:\Program Files\?asks
2007-11-12 16:54 --------- d-----w C:\Program Files\??pPatch
2007-11-12 16:54 --------- d-----w C:\Program Files\??mbols
2007-11-12 16:54 --------- d-----w C:\Program Files\??crosoft.NET
2007-11-12 16:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??crosoft.NET
2007-11-12 16:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??crosoft
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?ystem
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?ppPatch
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?icrosoft.NET
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?dobe
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?asks
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\?asks
2007-11-12 16:53 --------- d-----w C:\Program Files\Common Files\??sks
2007-11-12 16:53 --------- d-----w C:\Program Files\?ystem32
2007-11-12 16:53 --------- d-----w C:\Program Files\?ymbols
2007-11-12 16:53 --------- d-----w C:\Program Files\?icrosoft.NET
2007-11-12 16:53 --------- d-----w C:\Program Files\?dobe
2007-11-12 16:53 --------- d-----w C:\Program Files\?asks
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\?icrosoft.NET
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\?asks
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??stem32
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??stem
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??sks
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??mbols
2007-11-12 16:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\??mantec
2007-10-30 15:09 --------- d-----w C:\Program Files\DivX
2007-10-30 14:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-23 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-09-20 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 14:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2005-09-22 17:34 32 --sha-w C:\WINDOWS\{188D46AD-BCED-447F-B20E-60F5CB32313C}.dat
2005-09-22 17:35 32 --sha-w C:\WINDOWS\{24A1CF26-2E6E-4375-B834-4B5524A92BF4}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\{4D92E012-78E3-4CD6-A27C-186497D1056B}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\system32\{C21790DB-1E75-41C2-B1A2-71C0D2E9AEF2}.dat
2005-09-22 17:35 32 --sha-w C:\WINDOWS\system32\{C8405FC4-02DD-4CD2-AEAB-5A1BB4900910}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\system32\{F6225B7E-ACDF-4245-8EE2-F1A674B16F9F}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{AC887BC4-A887-455F-AA89-B2B3B71979B4}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"mount.exe"="C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe" [2003-05-24 02:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 11:57]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 07:34]
"PRONoMgrWired"="c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 14:49]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-02-25 04:33]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"Blackmagic CheckVersion PCI"="C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe" [2006-04-10 15:05]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-02-14 23:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-15 14:05]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-07-02 13:31]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-03-17 13:16 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbyax]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkyearhj]
pkyearhj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\UMAX VistaAccess.lnk
backup=C:\WINDOWS\pss\UMAX VistaAccess.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Getting Started with MacDrive 5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
backup=C:\WINDOWS\pss\Getting Started with MacDrive 5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\53062b4b]
rundll32.exe C:\WINDOWS\system32\ahhitmqb.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Promon.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 Flamethrower;Flamethrower;C:\WINDOWS\system32\drivers\Flamethrower.sys
R3 LaCieFWFilter;Silver 1394 Filter (1394 BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieFWFilter.sys
R3 LaCieUSBFilter;Silver USB Filter (USB BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieUSBFilter.sys
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS
S1 BMDPDisk;BMDPDisk;C:\WINDOWS\system32\drivers\BMDPDisk.sys
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS
S2 BMDPBox;BMDPBox;C:\WINDOWS\system32\drivers\BMDPBox.sys
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys
S3 BMDDeckLinkAudio;BMDDeckLinkAudio;C:\WINDOWS\system32\DRIVERS\deckaud.sys
S3 BMDDeckLinkSerial;BMDDeckLinkSerial;C:\WINDOWS\system32\DRIVERS\deckser.sys
S3 DeckLink;DeckLink;C:\WINDOWS\system32\DRIVERS\DeckLink.sys
S3 DeckLinkDisplay;DeckLinkDisplay;C:\WINDOWS\system32\DRIVERS\deckmp.sys
S3 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys
S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 01:20:10 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 09:41:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2007-12-10 9:43:18 - machine was rebooted
.
--- E O F --- 2007-11-14 14:05:22


Logfile of HijackThis v1.99.1
Scan saved at 9:45:37 AM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Blackmagic CheckVersion PCI] C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O20 - Winlogon Notify: efcbyax - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pkyearhj - pkyearhj.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
Attached Files
File Type: txt Combofix log.txt (23.0 KB, 3 views)
File Type: txt hijackthislog.txt (8.7 KB, 1 views)

Last edited by tetonbob; 12-10-2007 at 10:10 AM.
bagofbeef is offline  
Old 12-10-2007, 10:29 AM   #4 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 10
OS: Windows XP w/SP2


Re: Vundo / mljji.dll infection

Oops. sorry - didn't mean to paste AND attach...
bagofbeef is offline  
Old 12-10-2007, 12:20 PM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Re: Vundo / mljji.dll infection

Hi bagofbeef

Can you tell me what happened on 2007-11-12? Whatever it was, it created all these folders (??mantec), and unfortunately you will have to delete them manually.

Please follow my instructions carefully and take your time

===============================================

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present. You will see the full name of the folder (??asks = tasks etc.). If there are two folders of the same name, right click on them and then click on Properties. ONLY delete folders that were created on 2007-11-12.

  • C:\Program Files\Common Files\ ??sks
    C:\Program Files\ ??stem
    C:\Program Files\Common Files\ ?ssembly
    C:\Program Files\ ?ppPatch
    C:\Program Files\ ??sks
    C:\Program Files\?ppPatch
    C:\Program Files\ ?dobe
    C:\Program Files\ ??sks
    C:\Program Files\ ??crosoft.NET
    C:\Program Files\ ??crosoft
    C:\Documents and Settings\Administrator\Application Data\ ?icrosoft
    C:\Program Files\Common Files\ ?ymantec
    C:\Program Files\Common Files\ ??pPatch
    C:\Program Files\Common Files\ ??crosoft
    C:\Documents and Settings\Administrator\Application Data\ ??curity
    C:\Program Files\Common Files\ ?racle
    C:\Program Files\Common Files\ ?icrosoft.NET
    C:\Program Files\Common Files\ ?icrosoft
    C:\Program Files\Common Files\ ?ecurity
    C:\Program Files\Common Files\ ??mantec
    C:\Program Files\Common Files\ ??crosoft.NET
    C:\Program Files\ ?ecurity
    C:\Program Files\ ??stem32
    C:\Program Files\ ??pPatch
    C:\Program Files\ ??mantec
    C:\Program Files\ ??crosoft
    C:\Documents and Settings\Administrator\Application Data\ ?racle
    C:\Program Files\Common Files\ ?racle
    C:\Program Files\Common Files\ ?ppPatch
    C:\Program Files\Common Files\ ?icrosoft
    C:\Program Files\Common Files\ ?dobe
    C:\Program Files\Common Files\ ??stem
    C:\Program Files\Common Files\ ??sembly
    C:\Program Files\Common Files\ ??pPatch
    C:\Program Files\Common Files\ ??mbols
    C:\Program Files\ ?ymantec
    C:\Program Files\ ?ssembly
    C:\Program Files\ ?icrosoft.NET
    C:\Program Files\ ?icrosoft
    C:\Program Files\ ??sembly
    C:\Program Files\ ??curity
    C:\Program Files\Common Files\ ?ystem32
    C:\Program Files\Common Files\ ?ymbols
    C:\Program Files\Common Files\ ??stem32
    C:\Program Files\Common Files\ ??curity
    C:\Program Files\Common Files\ ??crosoft.NET
    C:\Program Files\Common Files\ ??crosoft
    C:\Program Files\ ?ystem
    C:\Program Files\ ?racle
    C:\Program Files\ ?racle
    C:\Program Files\ ?icrosoft
    C:\Program Files\ ?asks
    C:\Program Files\ ??pPatch
    C:\Program Files\ ??mbols
    C:\Program Files\ ??crosoft.NET
    C:\Documents and Settings\Administrator\Application Data\ ??crosoft.NET
    C:\Documents and Settings\Administrator\Application Data\ ??crosoft
    C:\Program Files\Common Files\ ?ystem
    C:\Program Files\Common Files\ ?ppPatch
    C:\Program Files\Common Files\ ?icrosoft.NET
    C:\Program Files\Common Files\ ?dobe
    C:\Program Files\Common Files\ ?asks
    C:\Program Files\Common Files\ ?asks
    C:\Program Files\Common Files\ ??sks
    C:\Program Files\ ?ystem32
    C:\Program Files\ ?ymbols
    C:\Program Files\ ?icrosoft.NET
    C:\Program Files\ ?dobe
    C:\Program Files\ ?asks
    C:\Documents and Settings\Administrator\Application Data\ ?icrosoft.NET
    C:\Documents and Settings\Administrator\Application Data\ ?asks
    C:\Documents and Settings\Administrator\Application Data\ ??stem32
    C:\Documents and Settings\Administrator\Application Data\ ??stem
    C:\Documents and Settings\Administrator\Application Data\ ??sks
    C:\Documents and Settings\Administrator\Application Data\ ??mbols
    C:\Documents and Settings\Administrator\Application Data\ ??mantec


===============================================

REBOOT TO NORMAL MODE

=================

Open notepad and carefully copy/paste all the text in the code box below into it:


Code:
File::
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ahhitmqb.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbyax]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkyearhj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\53062b4b]

DirLook::
C:\Documents and Settings\Administrator\.java
C:\WINDOWS\system32\_suspicious_files
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


=================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real-time scanner of any existing antivirus program while performing the online scan
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.



=================

Please run a scan with HiJackThis and save the log

=================

In your next post, please include fresh logs from:
  • ComboFix.txt
  • HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________


Member of UNITE

If I have helped you in any way, please DONATE to TSF. Go raibh maith agat

Last edited by alba; 12-10-2007 at 12:23 PM.
alba is offline  
Old 12-10-2007, 01:47 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 10
OS: Windows XP w/SP2


Re: Vundo / mljji.dll infection

I'm not sure if I'll get a chance to post the Kaspersky log today. The scan is at 1%, and it's been going for about 20 minutes or so -- to this point, it's found 16 viruses, 95 infected objects, and 2 suspicious objects. Again, I'll post the full log tomorrow, along with the ComboFix log and the HijackThis log. Thanks again.
bagofbeef is offline  
Old 12-11-2007, 07:00 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 10
OS: Windows XP w/SP2


Re: Vundo / mljji.dll infection

OK. Not sure what happened on 11-12. Nothing that I can remember that would have created all of those duplicate folders, anyway. At any rate, I booted into safe mode, deleted the empty duplicate folders that were created on that date, and then ran ComboFix, Kaspersky, and HijackThis. Logs attached.
Attached Files
File Type: txt ComboFix log.txt (16.2 KB, 2 views)
File Type: txt Kaspersky log.txt (180.5 KB, 1 views)
File Type: txt hijackthis log.txt (8.7 KB, 2 views)
bagofbeef is offline  
Old 12-11-2007, 09:58 AM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Re: Vundo / mljji.dll infection

Hi bagofbeef

Did you download anything on that day? We don't judge, but it would be interesting to know where the infection came from.


In future, please copy/paste your logs into your reply. When you attach them, it makes it harder to read the logs and takes much longer to prepare a fix for you.




We are nearly there, so let's get going.

I have asked you to remove CuteFTP because it is infected with adware; see Here for more info.

---------------------------------------

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Spybot S&D TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

=================

From Control Panel->Add/Remove Programs, uninstall the following programs, if present:
  • Web Buying
  • CuteFTP

=================

Okay, same as last time. You can try deleting them from normal mode first. This should be all of them; just take your time and check duplicate folders for the creation date 2007-11-12.

Locate and delete the following folders, if present:

  • C:\WINDOWS\system32\ s?mbols
    C:\WINDOWS\ ?racle
    C:\WINDOWS\ ?ymantec
    C:\WINDOWS\system32\ a?sembly
    C:\WINDOWS\ ?racle
    C:\WINDOWS\system32\ A?pPatch
    C:\WINDOWS\system32\ ?racle
    C:\WINDOWS\ ?icrosoft
    C:\WINDOWS\ M?crosoft
    C:\WINDOWS\system32\ ?racle
    C:\WINDOWS\system32\ ?icrosoft.NET
    C:\WINDOWS\system32\ s?mbols
    C:\WINDOWS\system32\ S?mantec
    C:\WINDOWS\ s?mbols
    C:\WINDOWS\system32\ ?asks
    C:\WINDOWS\ M?crosoft
    C:\WINDOWS\ ?dobe
    C:\Program Files\ W?nSxS
    C:\Program Files\Common Files\ W?nSxS

============================================



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open notepad and carefully copy/paste all the text in the code box below into it:


Code:
File::
C:\Downloads\cUTE ftp\CUTE4032.EXE

Folder::
C:\WINDOWS\system32\_suspicious_files
C:\Program Files\Web Buying
C:\Program Files\GlobalSCAPE

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


====================================

Please empty your Recycle Bin and Spybot's recovery folder.

I see you have been to the BitDefender online scan; please go there again and do another scan.


Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply


=================

Please run a scan with HiJackThis and save the log

=================

In your next post, please include fresh logs from:
  • ComboFix.txt
  • Bitdefender report
  • HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________


Member of UNITE

If I have helped you in any way, please DONATE to TSF. Go raibh maith agat

Last edited by alba; 12-11-2007 at 10:04 AM.
alba is offline  
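Both folder lists above (posts #5 and #8) ask the user to find directories whose names render as "?ymantec" or "??sks" because they contain characters outside printable ASCII, and to check the creation date before removing anything. The script below is an added example, not part of this thread and not a tool the helper used: it does that hunt read-only, masking such characters the way the ComboFix log does, matching the masked name against a list of legitimate names (KNOWN_NAMES, taken from the names in the lists above) or against an ASCII-named sibling, and reporting the creation date; the Cyrillic sample names in the comments are constructed.

```python
"""Report (never delete) directories whose names imitate a legitimate folder
name using non-ASCII or control characters, as seen in the ComboFix log above.
Added example for this thread; KNOWN_NAMES is derived from the folder lists
in posts #5 and #8.
"""
import os
import sys
from dataclasses import dataclass
from datetime import date, datetime
from typing import Iterable, List, Optional, Set

# Legitimate names the spoofed folders imitated, taken from the lists in the thread.
KNOWN_NAMES: Set[str] = {
    "Symantec", "Microsoft", "Microsoft.NET", "Oracle", "Adobe", "Tasks",
    "AppPatch", "assembly", "system", "system32", "symbols", "Security", "WinSxS",
}


@dataclass(frozen=True)
class Finding:
    path: str         # full path of the suspicious directory
    masked_name: str  # the name as ComboFix's log rendered it ("?ymantec")
    created: date     # st_ctime is creation time on Windows; change time elsewhere


def masked(name: str) -> str:
    """Replace every character outside printable ASCII (32..126) with '?'.
    Constructed sample: "\u0405ymantec" (Cyrillic Dze + ymantec) -> "?ymantec"."""
    return "".join(c if 32 <= ord(c) < 127 else "?" for c in name)


def is_lookalike(name: str, legit: Iterable[str]) -> bool:
    """True if `name` has at least one masked character and, treating those
    positions as wildcards, equals a legitimate name case-insensitively.
    Leading/trailing blanks are stripped so that " \x01\x02sks" still matches
    "Tasks". A genuinely non-ASCII folder next to an ASCII twin (e.g. a
    localised name) would be flagged too; that is a false positive to review."""
    m = masked(name).strip()
    if "?" not in m:
        return False  # plain ASCII name: nothing to mask, nothing to imitate
    for real in legit:
        if real == name or len(real) != len(m):
            continue
        if all(a == "?" or a.lower() == b.lower() for a, b in zip(m, real)):
            return True
    return False


def scan(root: str, known: Set[str] = KNOWN_NAMES,
         on_date: Optional[date] = None) -> List[Finding]:
    """Walk `root` and flag directories imitating a known name or an ASCII-named
    sibling in the same parent; keep only those created on `on_date` if given."""
    findings: List[Finding] = []
    for parent, dirnames, _files in os.walk(root):
        # Only ASCII-clean siblings serve as references, so two lookalikes
        # cannot vouch for each other.
        legit = known | {s for s in dirnames if masked(s) == s}
        for d in dirnames:
            if not is_lookalike(d, legit):
                continue
            full = os.path.join(parent, d)
            try:
                created = datetime.fromtimestamp(os.stat(full).st_ctime).date()
            except OSError:
                continue  # unreadable entry: skip rather than guess
            if on_date is None or created == on_date:
                findings.append(Finding(full, masked(d), created))
    return findings


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} <root> [YYYY-MM-DD]", file=sys.stderr)
        return 2
    on = date.fromisoformat(argv[2]) if len(argv) > 2 else None
    for f in scan(argv[1], on_date=on):
        print(f"{f.created}  {f.masked_name!r:>20}  {f.path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against each root from the lists (for example `C:\Program Files` or `C:\WINDOWS\system32`) with the date from the thread as the second argument to get only the candidates that need a manual Properties check.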
Old 12-11-2007, 10:51 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 10
OS: Windows XP w/SP2


Re: Vundo / mljji.dll infection

All righty:

I removed CuteFTP.

I deleted the 11-12 folders in normal mode, and then went to safe mode to see if they'd come back. They did. So I deleted them in safe mode.

Went back to normal mode and ran ComboFix.

I emptied the recycle bin and purged SpyBot's recovery folder -- I assume that this is done within the program -- I didn't see any 'Recovery' directory in \Program Files\Spybot. So I opened the program, clicked the recovery tab, selected all of the items, and clicked 'purge'.

I went to start the BitDefender scan, and got this:



I just canceled out of it.
bagofbeef is offline  
Old 12-11-2007, 10:59 AM   #10 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 10
OS: Windows XP w/SP2


Re: Vundo / mljji.dll infection

I tried BitDefender again, and it just went right into scanning, without asking me to download the definitions. I'm just letting it run. (I'm posting this reply from a different machine).
bagofbeef is offline  
Old 12-11-2007, 12:44 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 10
OS: Windows XP w/SP2


Re: Vundo / mljji.dll infection

OK, BitDefender's all done. I saved the results as a .txt file, but it was obviously formatted html, so I'm going to upload it as well.



***********
ComboFix
*************

ComboFix 07-12-10.2 - Administrator 2007-12-11 12:33:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2602 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Downloads\cUTE ftp\CUTE4032.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Downloads\cUTE ftp\CUTE4032.EXE
C:\Program Files\GlobalSCAPE
C:\Program Files\GlobalSCAPE\CuteFTP\unwise32.exe
C:\Program Files\GlobalSCAPE\CuteHTML\cutehtml.cnt
C:\Program Files\GlobalSCAPE\CuteHTML\cutehtml.exe
C:\Program Files\GlobalSCAPE\CuteHTML\cutehtml.hlp
C:\Program Files\GlobalSCAPE\CuteHTML\cutetips.txt
C:\Program Files\GlobalSCAPE\CuteHTML\html.txt
C:\Program Files\GlobalSCAPE\CuteHTML\INSTALL2.LOG
C:\Program Files\GlobalSCAPE\CuteHTML\tagtips.dat
C:\Program Files\GlobalSCAPE\CuteHTML\unreg.exe
C:\Program Files\GlobalSCAPE\CuteHTML\unwise32.exe
C:\WINDOWS\system32\_suspicious_files
C:\WINDOWS\system32\_suspicious_files\17PHolmes1000106.exe
C:\WINDOWS\system32\_suspicious_files\17PHolmes572.exe
C:\WINDOWS\system32\_suspicious_files\acrrpwbc.dll
C:\WINDOWS\system32\_suspicious_files\bqmtihha.ini
C:\WINDOWS\system32\_suspicious_files\bteyeaih.ini
C:\WINDOWS\system32\_suspicious_files\cbwprrca.ini
C:\WINDOWS\system32\_suspicious_files\cllrunnm.ini
C:\WINDOWS\system32\_suspicious_files\cryowowh.dll
C:\WINDOWS\system32\_suspicious_files\esuoikps.dll
C:\WINDOWS\system32\_suspicious_files\fhckvtwb.dll
C:\WINDOWS\system32\_suspicious_files\grkkpthm.dll
C:\WINDOWS\system32\_suspicious_files\mhtpkkrg.ini
C:\WINDOWS\system32\_suspicious_files\mnnurllc.dll
C:\WINDOWS\system32\_suspicious_files\ofwavrob.dll
C:\WINDOWS\system32\_suspicious_files\oynmfrkp.ini
C:\WINDOWS\system32\_suspicious_files\qodopxrq.dll
C:\WINDOWS\system32\_suspicious_files\qrxpodoq.ini
C:\WINDOWS\system32\_suspicious_files\qyahbdav.ini
C:\WINDOWS\system32\_suspicious_files\rbliryih.dll
C:\WINDOWS\system32\_suspicious_files\rejordot.ini
C:\WINDOWS\system32\_suspicious_files\todrojer.dll
C:\WINDOWS\system32\_suspicious_files\vadbhayq.dll
C:\WINDOWS\system32\_suspicious_files\winshow.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-10 15:44 . 2007-12-10 15:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-10 15:44 . 2007-12-10 15:44 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 14:59 . 2007-12-10 14:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 14:59 . 2007-12-10 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 14:33 . 2007-12-04 14:33 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-04 14:33 . 2007-12-04 14:33 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-04 12:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-04 12:28 . 2007-12-04 12:28 <DIR> d-------- C:\Documents and Settings\Administrator\.java
2007-11-28 09:38 . 2007-12-10 12:22 <DIR> d-------- C:\OMFI MediaFiles
2007-11-27 16:51 . 2007-12-06 14:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-20 09:11 . 2007-11-26 15:55 <DIR> d-------- C:\VundoFix Backups
2007-11-14 12:21 . 2007-12-04 12:35 10,676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-14 12:21 . 2007-12-04 12:35 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-14 12:02 . 2007-11-14 12:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-13 14:22 . 2007-11-13 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 12:43 . 2007-11-13 12:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-13 12:42 . 2007-11-13 12:42 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-13 09:00 . 2007-11-13 09:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-12 14:59 . 2007-11-12 14:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2007-11-12 14:46 . 2007-11-12 14:46 <DIR> d-------- C:\Program Files\Nero
2007-11-12 14:46 . 2007-11-12 14:49 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-12 14:46 . 2007-11-12 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-12 11:52 . 2007-12-11 08:58 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 17:28 0 ----a-w C:\WINDOWS\system32\drivers\WFTDriverLog.txt
2007-12-09 01:20 --------- d-----w C:\Program Files\Norton SystemWorks
2007-12-04 17:37 --------- d-----w C:\Program Files\Google
2007-12-04 17:35 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-04 17:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-04 17:35 --------- d-----w C:\Program Files\Symantec
2007-12-04 17:32 --------- d-----w C:\Program Files\Java
2007-10-30 15:09 --------- d-----w C:\Program Files\DivX
2007-10-30 14:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-23 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-20 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 14:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 14:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2005-09-22 17:34 32 --sha-w C:\WINDOWS\{188D46AD-BCED-447F-B20E-60F5CB32313C}.dat
2005-09-22 17:35 32 --sha-w C:\WINDOWS\{24A1CF26-2E6E-4375-B834-4B5524A92BF4}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\{4D92E012-78E3-4CD6-A27C-186497D1056B}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\system32\{C21790DB-1E75-41C2-B1A2-71C0D2E9AEF2}.dat
2005-09-22 17:35 32 --sha-w C:\WINDOWS\system32\{C8405FC4-02DD-4CD2-AEAB-5A1BB4900910}.dat
2005-09-22 17:34 32 --sha-w C:\WINDOWS\system32\{F6225B7E-ACDF-4245-8EE2-F1A674B16F9F}.dat
.

((((((((((((((((((((((((((((( snapshot@2007-12-10_ 9.42.45.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-12-10 14:40:58 14,098 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2007-12-11 17:29:16 14,098 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{AC887BC4-A887-455F-AA89-B2B3B71979B4}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35]
"mount.exe"="C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe" [2003-05-24 02:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 11:57]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 07:34]
"PRONoMgrWired"="c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 14:49]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-02-25 04:33]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"Blackmagic CheckVersion PCI"="C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe" [2006-04-10 15:05]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-02-14 23:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-15 14:05]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-07-02 13:31]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-03-17 13:16 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\UMAX VistaAccess.lnk
backup=C:\WINDOWS\pss\UMAX VistaAccess.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Getting Started with MacDrive 5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Getting Started with MacDrive 5.lnk
backup=C:\WINDOWS\pss\Getting Started with MacDrive 5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Promon.exe]

R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 Flamethrower;Flamethrower;C:\WINDOWS\system32\drivers\Flamethrower.sys
R3 LaCieFWFilter;Silver 1394 Filter (1394 BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieFWFilter.sys
R3 LaCieUSBFilter;Silver USB Filter (USB BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieUSBFilter.sys
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS
S1 BMDPDisk;BMDPDisk;C:\WINDOWS\system32\drivers\BMDPDisk.sys
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS
S2 BMDPBox;BMDPBox;C:\WINDOWS\system32\drivers\BMDPBox.sys
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys
S3 BMDDeckLinkAudio;BMDDeckLinkAudio;C:\WINDOWS\system32\DRIVERS\deckaud.sys
S3 BMDDeckLinkSerial;BMDDeckLinkSerial;C:\WINDOWS\system32\DRIVERS\deckser.sys
S3 DeckLink;DeckLink;C:\WINDOWS\system32\DRIVERS\DeckLink.sys
S3 DeckLinkDisplay;DeckLinkDisplay;C:\WINDOWS\system32\DRIVERS\deckmp.sys
S3 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 01:20:10 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 12:35:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2007-12-11 12:35:47
C:\ComboFix2.txt ... 2007-12-10 14:56
C:\ComboFix3.txt ... 2007-12-10 09:43
.
--- E O F --- 2007-11-14 14:05:22


************
HiJackThis

**************

Logfile of HijackThis v1.99.1
Scan saved at 2:31:57 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Blackmagic CheckVersion PCI] C:\Program Files\Blackmagic Design\Blackmagic DeckLink\CheckVersionPCI.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


**********
Bit Defender
***********
BitDefender Online Scanner

Scan report generated at: Tue, Dec 11, 2007 - 14:18:49

Scan path: C:\;D:\;E:\;J:\;K:\;

Statistics
Time: 01:28:09
Files: 524380
Folders: 14302
Boot Sectors: 6
Archives: 7791
Packed Files: 60713

Results
Identified Viruses: 7
Infected Files: 22
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 33

Engines Info
Virus Definitions: 873675
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580000.VBN=>(Quarantine-PE) | Infected with: Trojan.Generic.69276; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580001.VBN=>(Quarantine-PE) | Infected with: Trojan.Generic.69276; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580004.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003 | Detected with: Adware.TTC.B; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580004.VBN=>(Quarantine-PE)=>(NSIS o) | Update failed
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580005.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003 | Detected with: Adware.TTC.B; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580005.VBN=>(Quarantine-PE)=>(NSIS o) | Update failed
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580006.VBN=>(Quarantine-PE) | Infected with: Trojan.Generic.69783; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07580007.VBN=>(Quarantine-PE) | Infected with: Trojan.Generic.69783; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000A.VBN=>(Quarantine-PE) | Infected with: Trojan.BHO.AW; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000B.VBN=>(Quarantine-PE) | Infected with: Trojan.BHO.AW; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000C.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003 | Detected with: Adware.TTC.B; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000C.VBN=>(Quarantine-PE)=>(NSIS o) | Update failed
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000D.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003 | Detected with: Adware.TTC.B; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0758000D.VBN=>(Quarantine-PE)=>(NSIS o) | Update failed
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08B80000.VBN=>(Quarantine-PE) | Infected with: Trojan.Generic.69783; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A340000.VBN=>(Quarantine-PE) | Infected with: Trojan.Generic.69276; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A940000.VBN=>(Quarantine-PE) | Infected with: Trojan.BHO.AW; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB80000.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003 | Detected with: Adware.TTC.B; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB80000.VBN=>(Quarantine-PE)=>(NSIS o) | Update failed
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB00000.VBN=>(Quarantine-PE)=>(NSIS o)=>zlib_nsis0003 | Detected with: Adware.TTC.B; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB00000.VBN=>(Quarantine-PE)=>(NSIS o) | Update failed
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D540000.VBN=>(Quarantine-PE) | Infected with: Trojan.Clicker.MNB; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D540001.VBN=>(Quarantine-PE) | Infected with: Trojan.Clicker.MNB; Disinfection failed; Deleted
C:\qoobox\Quarantine\C\WINDOWS\system32\_suspicious_files\winshow.exe.vir | Infected with: Trojan.Generic.73139; Disinfection failed; Deleted
C:\qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir | Infected with: Trojan.Small.WY; Disinfection failed; Deleted
C:\RECYCLER\NPROTECT\00000773 | Infected with: Trojan.Small.WY; Disinfection failed; Deleted
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP2\A0000279.vbs | Infected with: Trojan.Small.WY; Disinfection failed; Deleted
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000616.exe | Infected with: Trojan.Generic.73139; Disinfection failed; Deleted
K:\OMFI MediaFiles\NotanOptV01.473DB668.4E2130.omf | Clean
K:\OMFI MediaFiles\note paper.tif11940472B194A.omf | Clean
K:\OMFI MediaFiles\OBSESSION W-TAG.mp347386ABF.aif | Clean
K:\OMFI MediaFiles\OBSESSION W-TAG47386ABF.1.aif | Clean
K:\OMFI MediaFiles\Ola in the office (46FBB1BA.omf | Clean
K:\OMFI MediaFiles\Ola in the office (46FBB1F8.omf | Clean
K:\OMFI MediaFiles\om04013.mp3.A147571B7A.aif | Clean
K:\OMFI MediaFiles\om04013.mp3.A247571B7A.aif | Clean
K:\OMFI MediaFiles\om04014.mp3.A147571B86.aif | Clean
K:\OMFI MediaFiles\om04014.mp3.A247571B86.aif | Clean
K:\OMFI MediaFiles\om08703.mp3.A147571B8D.aif | Clean
K:\OMFI MediaFiles\om08703.mp3.A247571B8E.aif | Clean
K:\OMFI MediaFiles\om08713.mp3.A147571B93.aif | Clean
K:\OMFI MediaFiles\om08713.mp3.A247571B93.aif | Clean
K:\OMFI MediaFiles\om08718.mp3.A147571B99.aif | Clean
K:\OMFI MediaFiles\om08718.mp3.A247571B99.aif | Clean
K:\OMFI MediaFiles\om13707.waA01.4741D4741D748.aif | Clean
K:\OMFI MediaFiles\om13707.waA02.4741D4741D748.aif | Clean
K:\OMFI MediaFiles\om14715.waA01.46FA646FA6D2C.aif | Clean
K:\OMFI MediaFiles\om14715.waA02.46FA646FA6D2C.aif | Clean
K:\OMFI MediaFiles\om16322.waA01.4758647586F6E.aif | Clean
K:\OMFI MediaFiles\om16322.waA01.4759547595E82.aif | Clean
K:\OMFI MediaFiles\om16322.waA01.4759547595E83.aif | Clean
K:\OMFI MediaFiles\om16322.waA01.4759547595E83.aif=>REMOVED_NULLS | Clean
K:\OMFI MediaFiles\om16322.waA02.4758647586F6E.aif | Clean
K:\OMFI MediaFiles\om16322.waA02.4759547595E82.aif | Clean
K:\OMFI MediaFiles\om16322.waA02.4759547595E83.aif | Clean
K:\OMFI MediaFiles\om16322.waA02.4759547595E83.aif=>REMOVED_NULLS | Clean
K:\OMFI MediaFiles\om16505.mpA01.4758647586F79.aif | Clean
K:\OMFI MediaFiles\om16505.mpA01.4759547595E83.aif | Clean
K:\OMFI MediaFiles\om16505.mpA02.4758647586F79.aif | Clean
K:\OMFI MediaFiles\om16505.mpA02.4759547595E83.aif | Clean
K:\OMFI MediaFiles\om16514.waA01.46E0646E069B8.aif | Clean
K:\OMFI MediaFiles\om16514.waA01.46FA646FA6D31.aif | Clean
K:\OMFI MediaFiles\om16514.waA02.46E0646E069B9.aif | Clean
K:\OMFI MediaFiles\om16514.waA02.46FA646FA6D31.aif | Clean
K:\OMFI MediaFiles\om16703.waA01.474C8474C8CE4.aif | Clean
K:\OMFI MediaFiles\om16703.waA01.4758647586F93.aif | Clean
K:\OMFI MediaFiles\om16703.waA01.4759547595E84.aif | Clean
K:\OMFI MediaFiles\om16703.waA01.4759547595E86.aif | Clean
K:\OMFI MediaFiles\om16703.waA02.474C8474C8CE4.aif | Clean
K:\OMFI MediaFiles\om16703.waA02.4758647586F93.aif | Clean
K:\OMFI MediaFiles\om16703.waA02.4759547595E84.aif | Clean
K:\OMFI MediaFiles\om16703.waA02.4759547595E86.aif | Clean
K:\OMFI MediaFiles\om16704.waA01.474C8474C8CFB.aif | Clean
K:\OMFI MediaFiles\om16704.waA01.4758647586FA6.aif | Clean
K:\OMFI MediaFiles\om16704.waA01.4759547595E86.aif | Clean
K:\OMFI MediaFiles\om16704.waA01.4759547595E88.aif | Clean
K:\OMFI MediaFiles\om16704.waA01.4759547595E88.aif=>REMOVED_NULLS | Clean
K:\OMFI MediaFiles\om16704.waA02.474C8474C8CFB.aif | Clean
K:\OMFI MediaFiles\om16704.waA02.4758647586FA6.aif | Clean
K:\OMFI MediaFiles\om16704.waA02.4759547595E86.aif | Clean
K:\OMFI MediaFiles\om16704.waA02.4759547595E88.aif | Clean
K:\OMFI MediaFiles\om16704.waA02.4759547595E88.aif=>REMOVED_NULLS | Clean
K:\OMFI MediaFiles\om16705.waA01.474C8474C8D17.aif | Clean
K:\OMFI MediaFiles\om16705.waA02.474C8474C8D17.aif | Clean
K:\OMFI MediaFiles\om16714.waA01.474C8474C8D2E.aif | Clean
K:\OMFI MediaFiles\om16714.waA02.474C8474C8D2E.aif | Clean
K:\OMFI MediaFiles\om16717.waA01.474C8474C8D46.aif | Clean
K:\OMFI MediaFiles\om16717.waA02.474C8474C8D46.aif | Clean
K:\OMFI MediaFiles\om16718.waA01.474C8474C8D5C.aif | Clean
K:\OMFI MediaFiles\om16718.waA02.474C8474C8D5C.aif | Clean
K:\OMFI MediaFiles\opportunity1190664146F817C2.omf


Clean

K:\OMFI MediaFiles\opportunity11906646F817C2.0.omf


Clean

K:\OMFI MediaFiles\OTHER1190664679V046F819E7.omf


Clean

K:\OMFI MediaFiles\OTHER1190664680V046F819E8.omf


Clean

K:\OMFI MediaFiles\Palio slate 1.bmp1146E168D4.omf


Clean

K:\OMFI MediaFiles\Palio slate 1.bmp1146E168E9.omf


Clean

K:\OMFI MediaFiles\Palio slate 1.bmp1147307D4F.omf


Clean

K:\OMFI MediaFiles\Palio slate 1.bmp1147307D52.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C68.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C6A.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C8F.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C91.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dip to473E0C93.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dissol473E0C65.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dissol473E0C66.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dissol473E0C6A.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Dissol473E0C6C.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473A006E.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0CC4.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0D01.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0D04.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0D5C.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E0D60.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade f473E106C.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Fade t473E0CC5.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0A8C.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0C96.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0CA7.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0CB5.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0D8D.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E0FD8.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Matte 473E10DD.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0B31.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0CC7.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0CC8.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0D05.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0D9E.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0D9F.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E0FEB.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E1070.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Submas473E10E4.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Title_473E0A80.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Title_473E0C42.omf


Clean

K:\OMFI MediaFiles\Part 1 cut 2_Title_473E0C4B.omf


Clean




********************
Attached Files
File Type: txt ComboFix.txt (13.2 KB, 1 views)
File Type: txt BitDefender log.txt (62.2 KB, 1 views)
File Type: txt hijackthis.txt (8.7 KB, 0 views)
bagofbeef is offline  
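Reading a scanner log this long by eye is error-prone. As an added example (not code from the thread, from BitDefender or from the forum's helpers), here is a small Python triage script for a log in the layout quoted above: a path line followed by its status line, with the same path repeated once per action. The sample log is constructed from entries the thread's log shows; the helper names are my own.

```python
import re

# Constructed sample in the layout of the BitDefender log quoted in the thread:
# a path line, then its status line (the blank separator lines are skipped).
# The paths and detection name below are the ones the thread's log shows.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000616.exe
Infected with: Trojan.Generic.73139
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000616.exe
Disinfection failed
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000616.exe
Deleted
K:\OMFI MediaFiles\NotanOptV01.473DB668.4E2130.omf
Clean
K:\OMFI MediaFiles\om16322.waA01.4759547595E83.aif=>REMOVED_NULLS
Clean
"""

# A result line is a path if it starts with a drive letter, a colon and a backslash.
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_scan_log(text):
    """Map each scanned path to the list of statuses the log reports for it, in order.

    The same path recurs once per action (detection, disinfection attempt, deletion),
    so the last status says what finally happened to the file."""
    results = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            pending = line
            results.setdefault(pending, [])
        elif pending is not None:
            results[pending].append(line)
            pending = None  # exactly one status line follows each path line
    return results

def triage(results):
    """Keep only paths with at least one status other than 'Clean'."""
    return {p: s for p, s in results.items() if any(x != "Clean" for x in s)}

def restore_point_hits(results):
    """Detections under System Volume Information live in System Restore snapshots,
    which is why the clean-up step in this thread flushes old restore points."""
    return [p for p in results if "\\System Volume Information\\" in p]
```

Run `triage(parse_scan_log(open("BitDefender log.txt").read()))` against a real log to get only the entries worth reading; the archive-member suffix (`=>REMOVED_NULLS`) stays part of the path so nested hits are not merged with their container.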
Old 12-12-2007, 12:16 AM   #12 (permalink)
Analyst, Security Team
 
alba's Avatar
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Re: Vundo / mljji.dll infection

Hi bagofbeef

Your logs are clean, well done!

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

You can also empty Norton's quarantine.
==========================


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

* It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.



IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER


*Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


===================================

Follow the list above and the potential for infection will reduce dramatically.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________


Member of UNITE

If I have helped you in any way, please DONATE to TSF. Go raibh maith agat (Irish: thank you)

Last edited by alba; 12-12-2007 at 12:19 AM.
alba is offline  
Old 12-12-2007, 08:10 AM   #13 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 10
OS: Windows XP w/SP2


Re: Vundo / mljji.dll infection

Great! Thanks for all of the help, and the links to the anti-spyware stuff.
bagofbeef is offline  
Copyright 2001 - 2009, Tech Support Forum