Please help - Trojans "downloader"



ravenglade
2007-11-27, 14:45
Ok, so I see trojans on my box, scanning and quarantined with antivirus (AVG and Spyware Doctor), but they keep coming back every time. Here is my Kaspersky Scan:

I really need some advice.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 27, 2007 8:33:43 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/11/2007
Kaspersky Anti-Virus database records: 466122
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
V:\
W:\
X:\
Y:\

Scan Statistics:
Total number of scanned objects: 266077
Number of viruses found: 11
Number of infected objects: 27
Number of suspicious objects: 0
Duration of the scan process: 06:11:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\cert8.db Object is locked skipped
C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\history.dat Object is locked skipped
C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\key3.db Object is locked skipped
C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\parent.lock Object is locked skipped
C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\search.sqlite Object is locked skipped
C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\mmussleman\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mmussleman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mmussleman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mmussleman\Local Settings\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\mmussleman\Local Settings\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\mmussleman\Local Settings\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\mmussleman\Local Settings\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\mmussleman\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mmussleman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mmussleman\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\mmussleman\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0283NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0919NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP424\A0119487.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121697.exe Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121698.exe Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121700.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121717.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121718.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121719.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121720.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121721.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121722.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP427\change.log Object is locked skipped
C:\WINDOWS\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Agent.fjx skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{12CDFC64-A71C-458C-88A8-D3214C1F5647}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\atwnyndi.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\byxvwtt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
C:\WINDOWS\system32\byxwxww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
C:\WINDOWS\system32\ccbdewop.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\i2\mper83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\system32\i2\mper83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\mljjhij.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apx skipped
C:\WINDOWS\system32\mljjkij.dll Infected: Trojan.Win32.Obfuscated.lf skipped
C:\WINDOWS\system32\nybgwjvd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\qomjkjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
C:\WINDOWS\system32\rMa02yy\rMa02yy1099.exe Infected: Trojan-Downloader.Win32.VB.bto skipped
C:\WINDOWS\system32\rMa06yy\rMa06yy1083.exe Infected: Trojan-Downloader.Win32.VB.bto skipped
C:\WINDOWS\system32\tuvvstu.dll Infected: Trojan.Win32.Obfuscated.lf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wvuvwwx.dll Infected: Trojan.Win32.Obfuscated.lf skipped
C:\WINDOWS\Temp\hlktmp Object is locked skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
V:\Archive\Marketing\other\Marketing Dept\Presentation\Webster Presentation .ppt Object is locked skipped
W:\MFG DWG\- CANOPY\52 x 108 arched canopy\layout.dwg Object is locked skipped
W:\MFG DWG\- CANOPY\52 x 108 arched canopy\layout.dwl Object is locked skipped
W:\MFG DWG\- CANOPY\Gabled Roof\20668.dwl Object is locked skipped
X:\Pi3502\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped

Scan process completed.

Simon V.
2007-11-27, 17:00
Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Looks like you have a Vundo infection. The first step in the cleaning process is to make a HijackThis log:

Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your desktop.

Double-click HJTInstall.exe to install HijackThis.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Post the contents of the file back here.

Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

ravenglade
2007-11-27, 17:25
Simon, you have my gratitude. Here is my Hijack scan.


Logfile of HijackThis v1.99.1
Scan saved at 11:23:57 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\tyvbvbjp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Corel\Corel Graphics 12\PROGRAMS\CORELDRW.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mmussleman\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atwnyndi.dll
O4 - HKLM\..\Run: [XeroxRegistation] "C:\DOCUME~1\MMUSSL~1\LOCALS~1\Temp\Xerox\EReg\opbreg.exe" /Startup
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{BF-F5-59-99-ZN}] C:\Documents and Settings\mmussleman\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [4c1bf536] rundll32.exe "C:\WINDOWS\system32\ptegdfcc.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.couvrette.com/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cbs-virginia.int
O17 - HKLM\Software\..\Telephony: DomainName = cbs-virginia.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cbs-virginia.int
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\tyvbvbjp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NLCS Agent (NLCSAgent) - Unknown owner - C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Simon V.
2007-11-27, 17:37
Hi :)

Can you tell me whether this is a home computer, or a work/school computer?

ravenglade
2007-11-27, 17:37
I'm at work.

Simon V.
2007-11-27, 17:51
Hi :)

Step 1

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1). Double-click on ATF-Cleaner.exe to start the program.

Under the Main tab, put a check next to Select All.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

If you use the Firefox browser:
Click on Firefox at the top and put a check next to Select All.
If you would like to keep your saved passwords, click No at the prompt.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

If you use the Opera browser:
Click on Opera at the top and put a check next to Select All.
If you would like to keep your saved passwords, click No at the prompt.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

Step 2

Please download Combofix:

From BleepingComputer (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
From TechSupport (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Note: Combofix should never take more than 20 minutes including the reboot if malware is detected. If it does, press Ctrl, Alt and Del at the same time and, under the Processes tab, end any processes of findstr, find, sed or swreg, then Combofix should continue. If that happens, I'd like to know, and which process you had to end.

Step 3

Please download and install CCleaner (http://www.ccleaner.com/download/builds/downloading-slim).

Open CCleaner. In the Left Pane, click Tools.
Verify that Uninstall is highlighted in color, or click on it.
In the lower right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt.
Click Save.
Exit Ccleaner by clicking on the X button in the upper right of the CCleaner window.

Step 4

In your next reply, please post:

the Combofix log (C:\Combofix.txt)
the CCleaner Uninstall List (install.txt)
a new HijackThis log

Simon V.
2007-11-27, 18:00
I'm sorry, I forgot a step. Before running Combofix, do the following:

Please disable TeaTimer, as it may interfere with the fix. This is done in two steps:

First step: Right-click the Spybot icon in your system tray (looks like a blue and white calendar with a padlock symbol).

For version 1.5: Click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the system tray should now be colorless.
For version 1.4: Click on Exit Spybot S&D Resident.

Second step: Open Spybot Search & Destroy.

Click Mode, choose Advanced Mode. When prompted, answer Yes.
Go to the bottom of the vertical panel to the left, click Tools.
Click Resident (a white and red shield, located in the panel to the left).
If your firewall gives you a warning, allow it.
Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
OK any prompts.
Go to File > Exit to close Spybot Search & Destroy.
Reboot your computer for the changes to take effect.

Note: Be sure to enable TeaTimer when you are clean!

Please disable Spyware Doctor OnGuard, as it may interfere with the fix.

From within Spyware Doctor, click the OnGuard button on the left side.
Uncheck Activate OnGuard.
Reboot your computer to complete the process.

Note: Be sure to enable Spyware Doctor OnGuard when you are clean!

ravenglade
2007-11-27, 19:50
Here we go:

ComboFix log:

ComboFix 07-11-19.4 - mmussleman 2007-11-27 13:23:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.458 [GMT -5:00]
Running from: C:\Documents and Settings\mmussleman\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\mmussleman\Desktop\Live Safety Center.lnk
C:\Documents and Settings\mmussleman\Desktop\Online Security Guide.lnk
C:\Documents and Settings\mmussleman\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\atwnyndi.dllbox
C:\WINDOWS\system32\jkhfd.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 08:49 85,056 --a------ C:\WINDOWS\system32\ptegdfcc.dll
2007-11-27 08:45 78,912 --a------ C:\WINDOWS\system32\xcpqljxa.dll
2007-11-27 08:45 71,232 --a------ C:\WINDOWS\system32\tyvbvbjp.exe
2007-11-26 16:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2007-11-26 16:09 <DIR> d-------- C:\Documents and Settings\mmussleman\Application Data\Apple Computer
2007-11-26 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 14:02 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-26 14:02 <DIR> d-------- C:\Documents and Settings\mmussleman\Application Data\PC Tools
2007-11-26 14:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-26 14:02 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-26 14:02 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-26 14:02 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-26 14:02 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-26 08:54 80,960 --a------ C:\WINDOWS\system32\jhvdaers.dll
2007-11-26 08:52 <DIR> d-------- C:\Temp\abW9
2007-11-26 08:52 38,912 --a------ C:\WINDOWS\system32\tuvvstu.dll
2007-11-26 08:52 35,840 --a------ C:\WINDOWS\17PHolmes572.exe
2007-11-26 08:51 85,056 --a------ C:\WINDOWS\system32\nybgwjvd.dll
2007-11-26 08:48 38,912 --a------ C:\WINDOWS\system32\mljjkij.dll
2007-11-26 08:47 38,912 --a------ C:\WINDOWS\system32\wvuvwwx.dll
2007-11-26 08:44 <DIR> d-------- C:\WINDOWS\system32\rMa06yy
2007-11-21 16:29 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-21 15:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-21 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 15:04 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-21 14:35 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-21 14:35 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-21 14:35 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-21 14:35 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-21 11:21 36,864 --a------ C:\WINDOWS\system32\qomjkjj.dll
2007-11-21 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-21 11:08 36,352 --a------ C:\WINDOWS\system32\mljjhij.dll
2007-11-21 11:07 <DIR> d-------- C:\WINDOWS\system32\rMa02yy
2007-11-21 11:07 <DIR> d-------- C:\WINDOWS\system32\cc1
2007-11-16 12:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
2007-11-09 16:31 <DIR> d-------- C:\Program Files\Dassault Systemes
2007-11-09 16:31 <DIR> d-------- C:\Documents and Settings\mmussleman\Application Data\DassaultSystemes
2007-11-09 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
2007-11-09 16:26 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-09 16:03 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2007-11-07 08:55 <DIR> d-------- C:\FlexLM
2007-11-07 08:47 <DIR> d-------- C:\WINDOWS\system32\RNBOSENT
2007-11-07 08:47 <DIR> d-------- C:\Program Files\GLOBEtrotter Software Inc
2007-11-07 08:47 693,760 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2007-11-07 08:47 73,728 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS
2007-11-07 08:47 49,664 --a------ C:\WINDOWS\system32\SNTI386.DLL
2007-11-07 08:47 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-11-07 08:47 18,432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL
2007-11-07 08:47 9,949 --------- C:\WINDOWS\system32\SENTINEL.HLP
2007-11-07 08:47 7,328 --a------ C:\WINDOWS\system32\drivers\ds1410d.sys
2007-11-07 08:44 <DIR> d-------- C:\Program Files\Autodesk
2007-11-07 08:35 <DIR> d-------- C:\Program Files\Common Files\Alias Shared
2007-10-31 15:35 <DIR> d-------- C:\Program Files\Common Files\Avery
2007-10-31 15:35 <DIR> d-------- C:\Program Files\Avery Wizard 3.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 18:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-27 15:04 --------- d-----w C:\Documents and Settings\mmussleman\Application Data\AVG7
2007-11-26 20:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-26 13:43 145,984 ----a-w C:\WINDOWS\system32\atwnyndi.dll
2007-11-26 13:42 145,984 ----a-w C:\WINDOWS\system32\ccbdewop.dll
2007-11-21 16:25 36,864 ----a-w C:\WINDOWS\system32\byxwxww.dll
2007-11-21 16:22 36,864 ----a-w C:\WINDOWS\system32\byxvwtt.dll
2007-11-21 16:10 --------- d-----w C:\Documents and Settings\mmussleman\Application Data\uTorrent
2007-11-07 13:47 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
2007-11-07 13:35 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-12 20:46 --------- d-----w C:\Program Files\FileZilla Client
2007-10-10 14:13 --------- d-----w C:\Program Files\ZC2.10
2005-09-06 19:50 56 --sh--r C:\WINDOWS\system32\2D078FCBD5.sys
2007-04-10 20:44 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
2007-11-21 11:08 36352 --a------ C:\WINDOWS\system32\mljjhij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-26 08:43 145984 --a------ C:\WINDOWS\system32\atwnyndi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be1d0f20-1e5a-4a0e-bcc7-948b384b63bc}]
2007-11-27 08:45 78912 --a------ C:\WINDOWS\system32\xcpqljxa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\atwnyndi.dll [2007-11-26 08:43 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [2007-11-16 12:20]
"{BF-F5-59-99-ZN}"="C:\Documents and Settings\mmussleman\Local Settings\Temp\T0CHD001.exe" []
"4c1bf536"="C:\WINDOWS\system32\ptegdfcc.dll" [2007-11-27 08:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-06 09:19]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-04-30 12:48]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\mljjhij.dll [2007-11-21 11:08 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atwnyndi]
atwnyndi.dll 2007-11-26 08:43 145984 C:\WINDOWS\system32\atwnyndi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjhij]
mljjhij.dll 2007-11-21 11:08 36352 C:\WINDOWS\system32\mljjhij.dll
C:\WINDOWS\system32\NavLogon.dll 2006-05-26 20:02 43760 C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-12 20:52 483328 --a------ C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-29 21:05 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-03-07 12:02 53408 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-09-16 07:43 274432 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]
2001-11-16 20:23 135168 --a------ C:\Program Files\RMClient\JobHisInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
2000-11-04 20:09 40960 --a------ C:\Program Files\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
2006-08-18 13:06 315392 --a------ C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
2006-08-25 11:25 3112960 --a------ C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 --a------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 17:48 32881 --a------ C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-05-26 20:01 124656 --a------ C:\PROGRA~1\SYMANT~1\VPTray.exe

R2 NLCSAgent;NLCS Agent;C:\WINDOWS\system32\nlcspro\csagtprosvc.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 13:37:00
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 13:39:55 - machine was rebooted
.
--- E O F ---



CCleaner Install Log

3ds max 7
3ds max 7 Additional Maps and Materials
3ds max 7 Architectural Materials
3ds max 7 Reference Files
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.0.9 Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AiO_Scan
ATI Control Panel
ATI Display Driver
Autodesk DirectConnect 2.0
Avery Wizard 3.1
AVG 7.5
AVG Anti-Spyware 7.5
Broadcom Advanced Control Suite
Canon MP Drivers
Canon MP Toolbox 4.1.1.0.mp10
CCleaner (remove only)
CorelDRAW Graphics Suite 12
Dassault Systemes Software Prerequisites x86
FileZilla Client 3.0.1
Free DWG Viewer 5.4
Google Earth
HijackThis 1.99.1
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky Online Scanner
LiveUpdate 3.0 (Symantec Corporation)
MAS 200 Workstation
Maya 2008
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Mozilla Firefox (2.0.0.9)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
NVIDIA Photoshop Plug-ins
OMCI
PDF Settings
PowerISO
QFolder
QuickTime
RealPlayer
Scan
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
SmartFTP Client
SmartNetMonitor for Client
Spybot - Search & Destroy
Spyware Doctor 5.1
Symantec AntiVirus
TMASOEDL
TMASOLDL
Trend Micro PC-cillin Internet Security 2007
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Virtual Earth - 3DVIA (Technology Preview)
Virtual Earth 3D (Beta)
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
Xerox Support Centre
Yahoo! Messenger
Zelda Classic 2.10w

ravenglade
2007-11-27, 19:51
New HijackThis Scan:

Logfile of HijackThis v1.99.1
Scan saved at 13:45, on 2007-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mmussleman\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\mljjhij.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\atwnyndi.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: {cb36b483-b849-7ccb-e0a4-a5e102f0d1eb} - {be1d0f20-1e5a-4a0e-bcc7-948b384b63bc} - C:\WINDOWS\system32\xcpqljxa.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atwnyndi.dll
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{BF-F5-59-99-ZN}] C:\Documents and Settings\mmussleman\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [4c1bf536] rundll32.exe "C:\WINDOWS\system32\ptegdfcc.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.couvrette.com/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cbs-virginia.int
O17 - HKLM\Software\..\Telephony: DomainName = cbs-virginia.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cbs-virginia.int
O20 - Winlogon Notify: atwnyndi - C:\WINDOWS\SYSTEM32\atwnyndi.dll
O20 - Winlogon Notify: mljjhij - C:\WINDOWS\SYSTEM32\mljjhij.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NLCS Agent (NLCSAgent) - Unknown owner - C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Simon V.
2007-11-27, 20:33
Hi :)

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:


File::

C:\WINDOWS\system32\ptegdfcc.dll
C:\WINDOWS\system32\xcpqljxa.dll
C:\WINDOWS\system32\tyvbvbjp.exe
C:\WINDOWS\system32\jhvdaers.dll
C:\WINDOWS\system32\tuvvstu.dll
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\nybgwjvd.dll
C:\WINDOWS\system32\mljjkij.dll
C:\WINDOWS\system32\wvuvwwx.dll
C:\WINDOWS\system32\qomjkjj.dll
C:\WINDOWS\system32\mljjhij.dll
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\atwnyndi.dll
C:\WINDOWS\system32\ccbdewop.dll
C:\WINDOWS\system32\byxwxww.dll
C:\WINDOWS\system32\byxvwtt.dll
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\mrofinu572.exe.tmp

Folder::

C:\Temp\abW9
C:\WINDOWS\system32\rMa06yy
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\cc1
C:\WINDOWS\system32\i2

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be1d0f20-1e5a-4a0e-bcc7-948b384b63bc}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"io43mvuiw4kj"=-
"{BF-F5-59-99-ZN}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atwnyndi]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjhij]


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Your Java software is out of date. Follow these instructions to update it:

Go to Start and click on Control Panel, then double-click on Add or Remove Programs.
Search for previously installed versions of Java (J2SE Runtime Environment), and remove it. It should have this icon next to it: http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Then download and install Java Runtime Environment (JRE) 6 Update 3 (http://java.sun.com/javase/downloads/index.jsp).

Step 3

In your next reply, please post:

the Combofix log (C:\Combofix.txt)
a new HijackThis log
How is everything running now?
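
The CFScript in Step 1 above removes exactly the entries that stand out in ravenglade's HijackThis log: the BHOs registered with no display name or with a CLSID as their name, the Winlogon Notify DLLs with random-looking names in system32, and the Run entries that point into a Temp folder or load a DLL through rundll32. As an added example (not part of this thread and not code from ComboFix or HijackThis), the Python below applies those triage rules to a constructed set of log lines copied from that post; the reason codes and the random-name heuristic are my own, not anything HijackThis reports.

```python
import re

# Constructed sample, not a live scan: ten HijackThis-style lines modelled on
# the log posted in this thread (same paths and CLSIDs, trimmed to O2/O3/O4/O20).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\mljjhij.dll
O2 - BHO: {cb36b483-b849-7ccb-e0a4-a5e102f0d1eb} - {be1d0f20-1e5a-4a0e-bcc7-948b384b63bc} - C:\WINDOWS\system32\xcpqljxa.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atwnyndi.dll
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{BF-F5-59-99-ZN}] C:\Documents and Settings\mmussleman\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [4c1bf536] rundll32.exe "C:\WINDOWS\system32\ptegdfcc.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: atwnyndi - C:\WINDOWS\SYSTEM32\atwnyndi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

# Reason codes (my own labels for this example).
NO_NAME = "no-name"            # BHO/toolbar registered without a display name
GUID_NAME = "guid-name"        # display name is itself a CLSID
RANDOM_NAME = "random-name"    # lower-case letter soup living in system32
RUNDLL32 = "rundll32"          # Run entry loads a DLL through rundll32.exe
TEMP_DIR = "temp-dir"          # autorun target lives in a Temp folder
WINDOWS_ROOT = "windows-root"  # autorun target dropped straight into C:\WINDOWS

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)", re.I)   # first drive-letter path in a command
O2_O3_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def looks_random(stem: str) -> bool:
    """Heuristic, deliberately narrow: an all-lower-case alphanumeric stem of 7+
    characters whose letters are under 25% vowels or contain a run of 4+
    consonants (y counted as a consonant). Every dropped DLL in this thread's
    log has that shape; mixed-case names such as NavLogon are never flagged."""
    if len(stem) < 7 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    letters = re.sub(r"[0-9]", "", stem)
    if not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest_run = max(map(len, re.findall(r"[^aeiou]+", letters)), default=0)
    return vowels / len(letters) < 0.25 or longest_run >= 4


def triage(log_text: str) -> dict:
    """Return {lower-cased module path: sorted reason codes} for every
    O2/O3/O4/O20 line that trips at least one rule. Paths are lower-cased so
    the same DLL seen as system32 and SYSTEM32 collapses into one finding."""
    findings: dict[str, set] = {}

    def flag(path: str, reason: str) -> None:
        findings.setdefault(path.lower(), set()).add(reason)

    def check_module(path: str) -> None:
        # Random-looking names only matter when the file hides among system DLLs.
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in path.lower() and looks_random(stem):
            flag(path, RANDOM_NAME)

    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_O3_RE.match(line):
            if m["name"] == "(no name)":
                flag(m["path"], NO_NAME)
            elif GUID_RE.match(m["name"]):
                flag(m["path"], GUID_NAME)
            check_module(m["path"])
        elif m := O4_RE.match(line):
            target = PATH_RE.search(m["cmd"])
            if not target:
                continue
            path = target.group(0)
            if m["cmd"].lower().startswith("rundll32"):
                flag(path, RUNDLL32)
            if "\\temp\\" in path.lower():
                flag(path, TEMP_DIR)
            if path.rsplit("\\", 1)[0].lower().endswith(":\\windows"):
                flag(path, WINDOWS_ROOT)
            check_module(path)
        elif m := O20_RE.match(line):
            check_module(m["path"])

    return {path: sorted(reasons) for path, reasons in findings.items()}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{', '.join(reasons):24} {path}")
```

Everything it flags is a lead for a helper to verify against the full log, not a verdict: legitimate software also starts through rundll32, and the name heuristic will occasionally catch a real driver utility.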

ravenglade
2007-11-27, 21:58
Things are running a lot better! I haven't had a popup since restart yet. I did however get a DLL error:


RUNDLL
C:\windows\system32\ptegdfcc.dll

The specified module could not be found.

Also... some simple stuff seems to be broken, such as my calculator and wordpad (notepad is fine).



Without further delay, here is my new ComboFix log:


ComboFix 07-11-19.4 - mmussleman 2007-11-27 15:05:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.341 [GMT -5:00]
Running from: C:\Documents and Settings\mmussleman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mmussleman\Desktop\CFScript.txt

FILE
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\atwnyndi.dll
C:\WINDOWS\system32\byxvwtt.dll
C:\WINDOWS\system32\byxwxww.dll
C:\WINDOWS\system32\ccbdewop.dll
C:\WINDOWS\system32\jhvdaers.dll
C:\WINDOWS\system32\mljjhij.dll
C:\WINDOWS\system32\mljjkij.dll
C:\WINDOWS\system32\nybgwjvd.dll
C:\WINDOWS\system32\ptegdfcc.dll
C:\WINDOWS\system32\qomjkjj.dll
C:\WINDOWS\system32\tuvvstu.dll
C:\WINDOWS\system32\tyvbvbjp.exe
C:\WINDOWS\system32\wvuvwwx.dll
C:\WINDOWS\system32\xcpqljxa.dll
C:\WINDOWS\TTC-4444.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\mmussleman\Desktop\Live Safety Center.lnk
C:\Documents and Settings\mmussleman\Desktop\Online Security Guide.lnk
C:\Documents and Settings\mmussleman\Favorites\Online Security Guide.lnk
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\adeeg.ini
C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\atwnyndi.dll
C:\WINDOWS\system32\atwnyndi.dllbox
C:\WINDOWS\system32\byxvwtt.dll
C:\WINDOWS\system32\byxwxww.dll
C:\WINDOWS\system32\cc1
C:\WINDOWS\system32\ccbdewop.dll
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\jhvdaers.dll
C:\WINDOWS\system32\mljjhij.dll
C:\WINDOWS\system32\mljjkij.dll
C:\WINDOWS\system32\nybgwjvd.dll
C:\WINDOWS\system32\ptegdfcc.dll
C:\WINDOWS\system32\qomjkjj.dll
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\rMa02yy\rMa02yy1099.exe
C:\WINDOWS\system32\rMa06yy
C:\WINDOWS\system32\rMa06yy\rMa06yy1083.exe
C:\WINDOWS\system32\tuvvstu.dll
C:\WINDOWS\system32\tyvbvbjp.exe
C:\WINDOWS\system32\wvuvwwx.dll
C:\WINDOWS\system32\xcpqljxa.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-26 16:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2007-11-26 16:09 <DIR> d-------- C:\Documents and Settings\mmussleman\Application Data\Apple Computer
2007-11-26 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 14:02 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-26 14:02 <DIR> d-------- C:\Documents and Settings\mmussleman\Application Data\PC Tools
2007-11-26 14:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-26 08:51 780,579 ---hs---- C:\WINDOWS\system32\dvjwgbyn.ini
2007-11-21 16:29 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-21 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 15:04 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-21 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-09 16:31 <DIR> d-------- C:\Program Files\Dassault Systemes
2007-11-09 16:31 <DIR> d-------- C:\Documents and Settings\mmussleman\Application Data\DassaultSystemes
2007-11-09 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
2007-11-09 16:26 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-09 16:03 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2007-11-07 08:55 <DIR> d-------- C:\FlexLM
2007-11-07 08:47 <DIR> d-------- C:\Program Files\GLOBEtrotter Software Inc
2007-11-07 08:47 18,432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL
2007-11-07 08:47 9,949 --------- C:\WINDOWS\system32\SENTINEL.HLP
2007-11-07 08:47 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-11-07 08:47 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-11-07 08:44 <DIR> d-------- C:\Program Files\Autodesk
2007-11-07 08:35 <DIR> d-------- C:\Program Files\Common Files\Alias Shared
2007-11-07 08:34 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-07 08:34 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-10-31 15:35 <DIR> d-------- C:\Program Files\Common Files\Avery
2007-10-31 15:35 <DIR> d-------- C:\Program Files\Avery Wizard 3.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 20:25 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-27 15:04 --------- d-----w C:\Documents and Settings\mmussleman\Application Data\AVG7
2007-11-26 20:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 16:10 --------- d-----w C:\Documents and Settings\mmussleman\Application Data\uTorrent
2007-11-07 13:47 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys
2007-11-07 13:35 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-10-18 05:16 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-18 05:16 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-18 05:15 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-18 05:14 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-12 20:46 --------- d-----w C:\Program Files\FileZilla Client
2007-10-10 14:13 --------- d-----w C:\Program Files\ZC2.10
2005-09-06 19:50 56 --sh--r C:\WINDOWS\system32\2D078FCBD5.sys
2007-04-10 20:44 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4c1bf536"="C:\WINDOWS\system32\ptegdfcc.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-06 09:19]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-04-30 12:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjhij]
mljjhij.dll
C:\WINDOWS\system32\NavLogon.dll 2006-05-26 20:02 43760 C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geeda.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2006-01-12 20:52 483328 --a------ C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-29 21:05 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-03-07 12:02 53408 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-09-16 07:43 274432 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]
2001-11-16 20:23 135168 --a------ C:\Program Files\RMClient\JobHisInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
2000-11-04 20:09 40960 --a------ C:\Program Files\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
2006-08-18 13:06 315392 --a------ C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
2006-08-25 11:25 3112960 --a------ C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 --a------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 17:48 32881 --a------ C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-05-26 20:01 124656 --a------ C:\PROGRA~1\SYMANT~1\VPTray.exe

R2 NLCSAgent;NLCS Agent;C:\WINDOWS\system32\nlcspro\csagtprosvc.exe

*Newly Created Service* - ERASERUTILDRVI1
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 15:25:48
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 15:27:34 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 13:39
.
--- E O F ---

ravenglade
2007-11-27, 22:00
and my new HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 15:56, on 2007-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Corel\Corel Graphics 12\Programs\CorelDRW.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\mmussleman\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [4c1bf536] rundll32.exe "C:\WINDOWS\system32\ptegdfcc.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.couvrette.com/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cbs-virginia.int
O17 - HKLM\Software\..\Telephony: DomainName = cbs-virginia.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cbs-virginia.int
O20 - Winlogon Notify: mljjhij - mljjhij.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NLCS Agent (NLCSAgent) - Unknown owner - C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
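The lines a helper picks out of a log like the one above follow a few recognisable patterns: a Run value whose name is eight random hex characters, rundll32 loading a DLL straight out of system32, a Winlogon Notify entry whose DLL is missing or named without any path, and a service with no recorded vendor. The script below, added here as an example and not part of this thread or of HijackThis itself, applies exactly those checks to HijackThis-format lines. The sample lines are constructed from the log above; the regexes, function names and reason strings are my own.

```python
import re

# Constructed sample in HijackThis v1.99 line format, modelled on the log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [4c1bf536] rundll32.exe "C:\\WINDOWS\\system32\\ptegdfcc.dll",b
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [SDTray] "C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"
O20 - Winlogon Notify: mljjhij - mljjhij.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\system32\\NavLogon.dll
O23 - Service: NLCS Agent (NLCSAgent) - Unknown owner - C:\\WINDOWS\\system32\\nlcspro\\csagtprosvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")     # "O4 - ..." / "R1 - ..." section prefix
VALUE_NAME = re.compile(r"\[([^\]]+)\]")          # the [name] of an O4 Run value
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")           # e.g. 4c1bf536: machine-generated, not a product name
RUNDLL_SYS32 = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\([^"\\]+\.dll)', re.IGNORECASE)


def triage_o4(body):
    """Reasons to look at an O4 (autostart) line; an empty list means nothing stood out."""
    reasons = []
    m = VALUE_NAME.search(body)
    if m and HEX_NAME.match(m.group(1)):
        reasons.append("Run value name is 8 random hex characters")
    m = RUNDLL_SYS32.search(body)
    if m:
        reasons.append(f"rundll32 loads {m.group(1)} straight out of system32")
    return reasons


def triage_o20(body):
    """Reasons to look at an O20 (Winlogon Notify) line."""
    reasons = []
    target = body.split(" - ", 1)[1] if " - " in body else body
    if "(file missing)" in target:
        reasons.append("Winlogon Notify DLL is missing: orphaned persistence entry")
        target = target.replace("(file missing)", "").strip()
    if "\\" not in target:
        reasons.append("Winlogon Notify target is a bare DLL name with no directory")
    return reasons


def triage_o23(body):
    """Reasons to look at an O23 (service) line."""
    return ["service binary has no recorded vendor; verify it by hand"] if "Unknown owner" in body else []


CHECKS = {"O4": triage_o4, "O20": triage_o20, "O23": triage_o23}


def triage(log_text):
    """Return the lines that deserve a closer look, in log order, with the reasons for each."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        reasons = check(body) if check else []
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

Run on the sample it reports only the 4c1bf536 Run value, the mljjhij Winlogon Notify entry and the NLCSAgent service; QuickTime, Spyware Doctor, NavLogon and the Symantec service pass. The checks are deliberately narrow so they explain why a line was picked rather than acting as a verdict.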

Simon V.
2007-11-27, 22:11
Hi :)


Things are running a lot better! I haven't had a popup since restart yet. I did however get a DLL error.

Also... some simple stuff seems to be broken, such as my calculator and wordpad (notepad is fine).

Let's try and fix those errors now:

Step 1

Open HijackThis, perform a scan and put a check next to the following items (if present):

O4 - HKLM\..\Run: [4c1bf536] rundll32.exe "C:\WINDOWS\system32\ptegdfcc.dll",b
O20 - Winlogon Notify: mljjhij - mljjhij.dll (file missing)

Close all programs except HijackThis and click on Fix checked.

Step 2

Be sure that you are set to see hidden files and folders:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labelled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labelled Hide file extensions for known file types.
Remove the checkmark from the checkbox labelled Hide protected operating system files. Answer Yes to the prompt.
Press the Apply button and then the OK button and close My Computer.

Step 3

Navigate to the following files/folders using Windows Explorer and delete them when found:

C:\WINDOWS\system32\dvjwgbyn.ini <-- File

Step 4

Copy the text below into a Notepad (Go to Start > Run, type Notepad and hit Enter) document:


REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00



Note: Make sure there is no blank line before REGEDIT4 and one blank line at the end.

Go to File > Save As. Save the file as "Fix.reg" (including the quotes).

Double-click on Fix.reg. When asked if you want to merge the file with the registry, click Yes.

Step 5

Your Java software is out of date. Follow these instructions to update it:

Go to Start and click on Control Panel, then double-click on Add or Remove Programs.
Search for previously installed versions of Java (J2SE Runtime Environment), and remove it. It should have this icon next to it: http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Then download and install Java Runtime Environment (JRE) 6 Update 3 (http://java.sun.com/javase/downloads/index.jsp).

Post a new HijackThis log in your next reply, and tell me how everything is working.
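To see what the Fix.reg in Step 4 actually writes: in a REGEDIT4 file, hex(7) is a REG_MULTI_SZ given as comma-separated bytes, one byte per character, each string NUL-terminated and the whole list closed by one more NUL, so 6d,73,76,31,5f,30,00,00 is exactly "msv1_0" and nothing else. The helper functions below, added here as an example and not the helper's or any tool's code, encode and decode that format, regenerate the same Fix.reg, and flag any entry in the ComboFix "Authentication Packages" line beyond msv1_0. That check matters because every DLL in that list is loaded into lsass.exe at boot and sees every logon. The function names, the constructed input line and the unicode flag (UTF-16LE, as "Windows Registry Editor Version 5.00" files use) are my own choices.

```python
# Added example: REGEDIT4 hex(7) (REG_MULTI_SZ) encoding, the Fix.reg from Step 4,
# and a check of the LSA "Authentication Packages" list. Function names are mine.

ALLOWED_LSA_PACKAGES = ("msv1_0",)   # the only package a default XP box lists here


def multi_sz_to_hex7(values, unicode=False):
    """Encode a list of strings as the comma-separated byte list regedit writes after hex(7):.
    REGEDIT4 files are ANSI (one byte per character); Version 5.00 files use UTF-16LE."""
    enc, nul = ("utf-16-le", b"\x00\x00") if unicode else ("ascii", b"\x00")
    # each string is NUL-terminated, and one more NUL closes the list
    data = b"".join(v.encode(enc) + nul for v in values) + nul
    return ",".join(f"{b:02x}" for b in data)


def hex7_to_multi_sz(hex_str, unicode=False):
    """Inverse of multi_sz_to_hex7: recover the list of strings from the hex(7) byte list.
    Tolerates the backslash-newline continuations regedit uses for long values."""
    enc, nul = ("utf-16-le", b"\x00\x00") if unicode else ("ascii", b"\x00")
    cleaned = hex_str.replace("\\\n", "").replace(" ", "").replace("\n", "")
    data = bytes(int(h, 16) for h in cleaned.split(","))
    if not data.endswith(nul + nul):
        raise ValueError("REG_MULTI_SZ must end with an empty-string terminator")
    values, chunk = [], b""
    # drop the closing NUL and walk the rest one code unit at a time
    for i in range(0, len(data) - len(nul), len(nul)):
        unit = data[i:i + len(nul)]
        if unit == nul:
            values.append(chunk.decode(enc))
            chunk = b""
        else:
            chunk += unit
    return values


def lsa_fix_reg(packages=ALLOWED_LSA_PACKAGES):
    """The Step 4 Fix.reg text: resets Authentication Packages to exactly these packages."""
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
        f'"Authentication Packages"=hex(7):{multi_sz_to_hex7(list(packages))}\n\n'
    )


def unexpected_lsa_packages(packages, allowed=ALLOWED_LSA_PACKAGES):
    """Entries in the Authentication Packages list that are not expected. Anything here is
    loaded into lsass.exe at boot, which is why this value is worth checking after a cleanup."""
    allowed_lower = {a.lower() for a in allowed}
    return [p for p in packages if p.lower() not in allowed_lower]


# Constructed input, copied from the ComboFix report above, where the list is printed
# space-separated (neither entry contains a space, so splitting on whitespace is safe).
COMBOFIX_LSA_LINE = "msv1_0 C:\\WINDOWS\\system32\\geeda.dll"

if __name__ == "__main__":
    current = COMBOFIX_LSA_LINE.split()
    print("unexpected:", unexpected_lsa_packages(current))   # the geeda.dll entry
    print(lsa_fix_reg(), end="")
    print(hex7_to_multi_sz("6d,73,76,31,5f,30,00,00"))       # ['msv1_0']
```

The generated text matches the Step 4 snippet byte for byte, including the trailing blank line the note asks for. Note that if you save a .reg file with the "Windows Registry Editor Version 5.00" header instead, the same hex(7) value must be written with the unicode=True encoding or the registry will hold garbage.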

ravenglade
2007-11-27, 22:55
OK, I have restarted with no errors, and I just fixed my calculator and word. No problems as far as I can see!

You were so much help!!!! Thank you!!!


Here's my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:51, on 2007-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\mmussleman\Desktop\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.couvrette.com/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cbs-virginia.int
O17 - HKLM\Software\..\Telephony: DomainName = cbs-virginia.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cbs-virginia.int
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NLCS Agent (NLCSAgent) - Unknown owner - C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Again, thank you for all your time and effort. Is there somewhere I can give you points or something? I don't know if people rate themselves here or not.

Let me know if this looks clean.

Simon V.
2007-11-27, 23:39
Hi :)

I only notice this now, but you are operating your computer with multiple Anti-Virus programs running in memory at once:

AVG 7.5
Symantec AntiVirus
Trend Micro PC-cillin Internet Security 2007

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two Anti-Virus programs running at the same time can cause your computer to run very slow, become unstable and even crash.

If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Please disable or uninstall one or the other so they do not conflict.


Again, thank you for all your time and effort. Is there somewhere I can give you points or something? I don't know if people rate themselves here or not.

You're welcome. You can't give me points or rate me, but your kind words are encouraging enough :)

However, if you want to donate to support this forum and Spybot Search and Destroy, you can go here: http://www.spybot.info/en/donate/index.html


Let me know if this looks clean.

Your log looks clean indeed. Here are some tips to keep your computer clean in the future:

Click Start then Run....

Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

When shown the disclaimer, select 2.

Rehide your System Files

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Put a check next to Hide file extensions for known file types.
Under the Hidden files folder, select Do not show hidden files and folders.
Check Hide protected operating system files.
Click Apply, and then click OK.

Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

Step 1: Turn off System Restore:

On the desktop, right-click My Computer
Click Properties
Click the System Restore tab
Check Turn off System Restore
Click Apply, and then click OK

Step 2: Reboot your computer.

Step 3: Turn on System Restore:

On the desktop, right-click My Computer
Click Properties
Click the System Restore tab
Uncheck Turn off System Restore
Click Apply, and then click OK

Note: Only do this once, NOT on a regular basis!

Make your Internet Explorer More Secure

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialise and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Update your Anti-Virus Software - It is very important that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that will come out.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:

ZoneAlarm (http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp?dc=34std&ctry=&lang=en)
Kerio Personal Firewall (http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/)
Comodo Free Firewall (http://www.personalfirewall.comodo.com/)

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ (http://update.microsoft.com/) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Ad-Aware - Download and install Ad-Aware. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://forum.malwareremoval.com/viewtopic.php?t=13)

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line - Anti-Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php) - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo (Virtumundo).