
Thread: Please help - Trojans "downloader"

  1. #1 - Junior Member (Join Date: Nov 2007, Posts: 8)

    Please help - Trojans "downloader"

    Ok, so I see trojans on my box, scanned and quarantined with antivirus (AVG and Spyware Doctor), but they keep coming back every time. Here is my Kaspersky scan:

    I really need some advice.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, November 27, 2007 8:33:43 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 26/11/2007
    Kaspersky Anti-Virus database records: 466122
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    V:\
    W:\
    X:\
    Y:\

    Scan Statistics:
    Total number of scanned objects: 266077
    Number of viruses found: 11
    Number of infected objects: 27
    Number of suspicious objects: 0
    Duration of the scan process: 06:11:25

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\cert8.db Object is locked skipped
    C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\history.dat Object is locked skipped
    C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\key3.db Object is locked skipped
    C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\parent.lock Object is locked skipped
    C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\mmussleman\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\mmussleman\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\mmussleman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\mmussleman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\mmussleman\Local Settings\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\mmussleman\Local Settings\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\mmussleman\Local Settings\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\mmussleman\Local Settings\Application Data\Mozilla\Firefox\Profiles\05zz5dla.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\mmussleman\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\mmussleman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\mmussleman\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\mmussleman\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0283NAV~.TMP Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0919NAV~.TMP Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP424\A0119487.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121697.exe Object is locked skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121698.exe Object is locked skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121700.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121717.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121718.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121719.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121720.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121721.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121722.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP427\change.log Object is locked skipped
    C:\WINDOWS\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Agent.fjx skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{12CDFC64-A71C-458C-88A8-D3214C1F5647}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\atwnyndi.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
    C:\WINDOWS\system32\byxvwtt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
    C:\WINDOWS\system32\byxwxww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
    C:\WINDOWS\system32\ccbdewop.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\i2\mper83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\WINDOWS\system32\i2\mper83122.exe NSIS: infected - 1 skipped
    C:\WINDOWS\system32\mljjhij.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apx skipped
    C:\WINDOWS\system32\mljjkij.dll Infected: Trojan.Win32.Obfuscated.lf skipped
    C:\WINDOWS\system32\nybgwjvd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
    C:\WINDOWS\system32\qomjkjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
    C:\WINDOWS\system32\rMa02yy\rMa02yy1099.exe Infected: Trojan-Downloader.Win32.VB.bto skipped
    C:\WINDOWS\system32\rMa06yy\rMa06yy1083.exe Infected: Trojan-Downloader.Win32.VB.bto skipped
    C:\WINDOWS\system32\tuvvstu.dll Infected: Trojan.Win32.Obfuscated.lf skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wvuvwwx.dll Infected: Trojan.Win32.Obfuscated.lf skipped
    C:\WINDOWS\Temp\hlktmp Object is locked skipped
    C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    V:\Archive\Marketing\other\Marketing Dept\Presentation\Webster Presentation .ppt Object is locked skipped
    W:\MFG DWG\- CANOPY\52 x 108 arched canopy\layout.dwg Object is locked skipped
    W:\MFG DWG\- CANOPY\52 x 108 arched canopy\layout.dwl Object is locked skipped
    W:\MFG DWG\- CANOPY\Gabled Roof\20668.dwl Object is locked skipped
    X:\Pi3502\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped

    Scan process completed.
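The report above mixes a handful of real detections into a long list of "Object is locked" lines, and every line ends in "skipped". As an added example (not part of the thread, and not Kaspersky's own tooling), the Python below sorts such a report into locked files, System Restore copies, container files and live on-disk detections, and tallies the distinct detection names; the embedded sample is a ten-line excerpt copied from the report above.

```python
"""Sort a Kaspersky Online Scanner report into what each line actually means.

Added example, not part of the thread. Every line ends in "skipped" because the
online scanner only reports; nothing it lists has been cleaned or removed.
"""
import re
from collections import Counter

# Constructed excerpt: ten lines copied from the report above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP424\A0119487.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP426\A0121700.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\WINDOWS\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
C:\WINDOWS\system32\byxvwtt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
C:\WINDOWS\system32\i2\mper83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\system32\i2\mper83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\tuvvstu.dll Infected: Trojan.Win32.Obfuscated.lf skipped
X:\Pi3502\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
"""

LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+) (?P<packer>\S+): infected - (?P<n>\d+) skipped$")


def classify_path(path):
    """Where a detected object lives decides what it means for the running system."""
    if "\\system volume information\\_restore" in path.lower():
        # A System Restore snapshot: not running now, but comes back with the point.
        return "restore_point"
    return "live"


def parse_line(line):
    """Return a dict for one report line, or None for headers and blank lines."""
    line = line.strip()
    if m := LOCKED_RE.match(line):
        # In use by the OS or another product (registry hives, AV logs): not a detection.
        return {"path": m["path"], "kind": "locked", "name": None}
    if m := INFECTED_RE.match(line):
        return {"path": m["path"], "kind": classify_path(m["path"]), "name": m["name"]}
    if m := CONTAINER_RE.match(line):
        # The installer or archive wrapping a member that is listed on its own line.
        return {"path": m["path"], "kind": "container", "name": None}
    return None


def summarize(report_text):
    """Counts per kind, detections by name, live on-disk paths and riskware names."""
    entries = [e for e in map(parse_line, report_text.splitlines()) if e]
    return {
        "kinds": dict(Counter(e["kind"] for e in entries)),
        "detections": Counter(e["name"] for e in entries if e["name"]),
        "live_paths": [e["path"] for e in entries if e["kind"] == "live"],
        # Kaspersky's "not-a-virus:" prefix marks adware/riskware rather than malware.
        "riskware": sorted({e["name"] for e in entries
                            if e["name"] and e["name"].startswith("not-a-virus:")}),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(result["kinds"])
    for name, count in result["detections"].most_common():
        print(f"{count:2d}  {name}")
```

Run against the full report, the live paths are the files to hand to the helper; the restore-point copies explain why a cleaned machine can look reinfected after a restore.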

  2. #2 - Retired Security Volunteer (Join Date: Nov 2007, Posts: 69)

    Hello, and welcome to the forum.

    My name is Simon V., and I'll be glad to help you with your computer problems.

    Looks like you have a Vundo infection. The first step in the cleaning process is to make a HijackThis log:

    Download HJTInstall.exe to your desktop.

    • Doubleclick HJTInstall.exe to install HijackThis.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis.
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Post the contents of the file back here.


    Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.
    Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

  3. #3 - Junior Member (Join Date: Nov 2007, Posts: 8)

    Simon, you have my gratitude. Here is my HijackThis scan.


    Logfile of HijackThis v1.99.1
    Scan saved at 11:23:57 AM, on 11/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\tyvbvbjp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Corel\Corel Graphics 12\PROGRAMS\CORELDRW.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\mmussleman\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atwnyndi.dll
    O4 - HKLM\..\Run: [XeroxRegistation] "C:\DOCUME~1\MMUSSL~1\LOCALS~1\Temp\Xerox\EReg\opbreg.exe" /Startup
    O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
    O4 - HKLM\..\Run: [{BF-F5-59-99-ZN}] C:\Documents and Settings\mmussleman\Local Settings\Temp\T0CHD001.exe CHD001
    O4 - HKLM\..\Run: [4c1bf536] rundll32.exe "C:\WINDOWS\system32\ptegdfcc.dll",b
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.couvrette.com/Remote/msrdp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cbs-virginia.int
    O17 - HKLM\Software\..\Telephony: DomainName = cbs-virginia.int
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cbs-virginia.int
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\tyvbvbjp.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NLCS Agent (NLCSAgent) - Unknown owner - C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
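The helper's advice is to post the log and fix nothing yet, because most entries are harmless. As an added example (not from the thread and not part of HijackThis), the Python below reads O3, O4 and O23 lines from a log like the one above and lists only the entries that deserve a second look, using structural hints rather than names: binaries sitting directly in the Windows folders, Run entries pointing into a Temp folder, rundll32 loading a DLL from system32, auto-generated-looking entry names, and services with no vendor string. The sample lines are copied from the log above; SYSTEM_DIRS assumes a default XP install on C:, and the output is a review list, not a verdict.

```python
"""Triage helper for HijackThis log lines (added example, not part of the thread).

It does not decide what to fix; it only sorts O3/O4/O23 entries into "worth a
second look" and "looks ordinary" using structural hints, so the advice that
most entries are harmless can be followed line by line.
"""
import ntpath
import re

# Constructed excerpt: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atwnyndi.dll
O4 - HKLM\..\Run: [XeroxRegistation] "C:\DOCUME~1\MMUSSL~1\LOCALS~1\Temp\Xerox\EReg\opbreg.exe" /Startup
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{BF-F5-59-99-ZN}] C:\Documents and Settings\mmussleman\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [4c1bf536] rundll32.exe "C:\WINDOWS\system32\ptegdfcc.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\tyvbvbjp.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# The vendor field may be empty, in which case the two separators run together as " - - ".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>.+)$")

# Assumption: default Windows XP install on drive C:.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def in_system_root(path):
    """True when the file sits directly in the Windows or system32 folder."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def target_of(cmd):
    """Split a Run command line into (program, module loaded via rundll32 or None)."""
    cmd = cmd.strip()
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r"^(.+?\.(?:exe|dll|cpl))", cmd, re.I)
    if not m:
        return cmd, None
    program, module = m.group(1), None
    if ntpath.basename(program).lower() == "rundll32.exe":
        rest = cmd[m.end():].strip()
        m2 = re.match(r'^"([^"]+)"', rest) or re.match(r"^([^,\s]+)", rest)
        module = m2.group(1) if m2 else None
    return program, module


def review_o4(name, cmd):
    """Structural hints for autostart (Run key) entries."""
    reasons = []
    program, module = target_of(cmd)
    if "\\temp\\" in program.lower():
        reasons.append("runs from a temp folder")
    if in_system_root(program) and ntpath.basename(program).lower() != "rundll32.exe":
        reasons.append("executable sits directly in the Windows or system32 folder")
    if module and in_system_root(module):
        reasons.append("rundll32 loads a DLL straight from system32")
    if re.search(r"\d[a-z]", name, re.I):
        reasons.append("entry name mixes digits and letters like an auto-generated string")
    return reasons


def review_o23(vendor):
    """Installed services normally carry a vendor string in the binary's version info."""
    return ["service has no vendor string"] if not vendor.strip() else []


def review_o3(path):
    """Browser toolbars normally live under Program Files, not in system32."""
    return ["toolbar DLL sits directly in the system32 folder"] if in_system_root(path) else []


def triage(log_text):
    """Return a list of {'line', 'name', 'reasons'} for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        name, reasons = None, []
        if m := O4_RE.match(line):
            name, reasons = m["name"], review_o4(m["name"], m["cmd"])
        elif m := O23_RE.match(line):
            name, reasons = m["name"], review_o23(m["vendor"])
        elif m := O3_RE.match(line):
            name, reasons = m["name"], review_o3(m["path"])
        if reasons:
            findings.append({"line": line, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```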

  4. #4 - Retired Security Volunteer (Join Date: Nov 2007, Posts: 69)

    Hi

    Can you tell me whether this is a home computer, or a work/school computer?

  5. #5 - Junior Member (Join Date: Nov 2007, Posts: 8)

    I'm at work

  6. #6 - Retired Security Volunteer (Join Date: Nov 2007, Posts: 69)

    Hi

    Step 1

    Please download ATF Cleaner. Double-click on ATF-Cleaner.exe to start the program.

    • Under the Main tab, put a check next to Select All.
      Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
    • If you use the Firefox browser:
      Click on Firefox at the top and put a check next to Select All.
      If you would like to keep your saved passwords, click No at the prompt.
      Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
    • If you use the Opera browser:
      Click on Opera at the top and put a check next to Select All.
      If you would like to keep your saved passwords, click No at the prompt.
      Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)


    Step 2

    Please download Combofix:



    Double-click on combofix.exe and follow the prompts.
    When finished, it will produce a log for you. Save it to a convenient location.

    Note: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

    Note: Combofix should never take more than 20 minutes including the reboot if malware is detected. If it does, press Ctrl, Alt and Del at the same time and, under the Processes tab, end any processes of findstr, find, sed or swreg, then Combofix should continue. If that happened I'd like to know, and what process you had to end.

    Step 3

    Please download and install CCleaner.

    • Open CCleaner. In the Left Pane, click Tools.
    • Verify that Uninstall is highlighted in color, or click on it.
    • In the lower right, click Save to Text File.
    • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
    • You can leave the filename as install.txt.
    • Click Save.
    • Exit Ccleaner by clicking on the X button in the upper right of the CCleaner window.


    Step 4

    In your next reply, please post:

    • the Combofix log (C:\Combofix.txt)
    • the CCleaner Uninstall List (install.txt)
    • a new HijackThis log

  7. #7 - Retired Security Volunteer (Join Date: Nov 2007, Posts: 69)

    I'm sorry, I forgot a step. Before running Combofix, do the following:

    Please disable TeaTimer, as it may interfere with the fix. This is done in two steps:

    First step: Right-click the Spybot icon in your system tray (looks like a blue and white calendar with a padlock symbol).

    • For version 1.5: Click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the system tray should now be colorless.
    • For version 1.4: Click on Exit Spybot S&D Resident.


    Second step: Open Spybot Search & Destroy.

    • Click Mode, choose Advanced Mode. When prompted, answer Yes.
    • Go to the bottom of the vertical panel to the left, click Tools.
    • Click Resident (a white and red shield, located in the panel to the left).
    • If your firewall gives you a warning, allow it.
    • Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
    • OK any prompts.
    • Go to File > Exit to close Spybot Search & Destroy.
    • Reboot your computer for the changes to take effect.


    Note: Be sure to enable TeaTimer when you are clean!

    Please disable Spyware Doctor OnGuard, as it may interfere with the fix.

    • From within Spyware Doctor, click the OnGuard button on the left side.
    • Uncheck Activate OnGuard.
    • Reboot your computer to complete the process.


    Note: Be sure to enable Spyware Doctor OnGuard when you are clean!

  8. #8 - Junior Member (Join Date: Nov 2007, Posts: 8)

    Here we go:

    ComboFix log:


    ComboFix 07-11-19.4 - mmussleman 2007-11-27 13:23:30.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.458 [GMT -5:00]
    Running from: C:\Documents and Settings\mmussleman\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\mmussleman\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\mmussleman\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\mmussleman\Favorites\Online Security Guide.lnk
    C:\WINDOWS\system32\atwnyndi.dllbox
    C:\WINDOWS\system32\jkhfd.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
    .

    2007-11-27 08:49 85,056 --a------ C:\WINDOWS\system32\ptegdfcc.dll
    2007-11-27 08:45 78,912 --a------ C:\WINDOWS\system32\xcpqljxa.dll
    2007-11-27 08:45 71,232 --a------ C:\WINDOWS\system32\tyvbvbjp.exe
    2007-11-26 16:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
    2007-11-26 16:09 <DIR> d-------- C:\Documents and Settings\mmussleman\Application Data\Apple Computer
    2007-11-26 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-26 14:02 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-11-26 14:02 <DIR> d-------- C:\Documents and Settings\mmussleman\Application Data\PC Tools
    2007-11-26 14:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-11-26 14:02 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-11-26 14:02 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-11-26 14:02 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-11-26 14:02 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-11-26 08:54 80,960 --a------ C:\WINDOWS\system32\jhvdaers.dll
    2007-11-26 08:52 <DIR> d-------- C:\Temp\abW9
    2007-11-26 08:52 38,912 --a------ C:\WINDOWS\system32\tuvvstu.dll
    2007-11-26 08:52 35,840 --a------ C:\WINDOWS\17PHolmes572.exe
    2007-11-26 08:51 85,056 --a------ C:\WINDOWS\system32\nybgwjvd.dll
    2007-11-26 08:48 38,912 --a------ C:\WINDOWS\system32\mljjkij.dll
    2007-11-26 08:47 38,912 --a------ C:\WINDOWS\system32\wvuvwwx.dll
    2007-11-26 08:44 <DIR> d-------- C:\WINDOWS\system32\rMa06yy
    2007-11-21 16:29 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-11-21 15:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-21 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-21 15:04 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-11-21 14:35 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2007-11-21 14:35 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2007-11-21 14:35 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2007-11-21 14:35 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2007-11-21 11:21 36,864 --a------ C:\WINDOWS\system32\qomjkjj.dll
    2007-11-21 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
    2007-11-21 11:08 36,352 --a------ C:\WINDOWS\system32\mljjhij.dll
    2007-11-21 11:07 <DIR> d-------- C:\WINDOWS\system32\rMa02yy
    2007-11-21 11:07 <DIR> d-------- C:\WINDOWS\system32\cc1
    2007-11-16 12:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
    2007-11-09 16:31 <DIR> d-------- C:\Program Files\Dassault Systemes
    2007-11-09 16:31 <DIR> d-------- C:\Documents and Settings\mmussleman\Application Data\DassaultSystemes
    2007-11-09 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
    2007-11-09 16:26 <DIR> d-------- C:\Program Files\MSXML 6.0
    2007-11-09 16:03 <DIR> d-------- C:\Program Files\Virtual Earth 3D
    2007-11-07 08:55 <DIR> d-------- C:\FlexLM
    2007-11-07 08:47 <DIR> d-------- C:\WINDOWS\system32\RNBOSENT
    2007-11-07 08:47 <DIR> d-------- C:\Program Files\GLOBEtrotter Software Inc
    2007-11-07 08:47 693,760 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
    2007-11-07 08:47 73,728 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS
    2007-11-07 08:47 49,664 --a------ C:\WINDOWS\system32\SNTI386.DLL
    2007-11-07 08:47 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
    2007-11-07 08:47 18,432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL
    2007-11-07 08:47 9,949 --------- C:\WINDOWS\system32\SENTINEL.HLP
    2007-11-07 08:47 7,328 --a------ C:\WINDOWS\system32\drivers\ds1410d.sys
    2007-11-07 08:44 <DIR> d-------- C:\Program Files\Autodesk
    2007-11-07 08:35 <DIR> d-------- C:\Program Files\Common Files\Alias Shared
    2007-10-31 15:35 <DIR> d-------- C:\Program Files\Common Files\Avery
    2007-10-31 15:35 <DIR> d-------- C:\Program Files\Avery Wizard 3.1

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-27 18:35 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-11-27 15:04 --------- d-----w C:\Documents and Settings\mmussleman\Application Data\AVG7
    2007-11-26 20:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-26 13:43 145,984 ----a-w C:\WINDOWS\system32\atwnyndi.dll
    2007-11-26 13:42 145,984 ----a-w C:\WINDOWS\system32\ccbdewop.dll
    2007-11-21 16:25 36,864 ----a-w C:\WINDOWS\system32\byxwxww.dll
    2007-11-21 16:22 36,864 ----a-w C:\WINDOWS\system32\byxvwtt.dll
    2007-11-21 16:10 --------- d-----w C:\Documents and Settings\mmussleman\Application Data\uTorrent
    2007-11-07 13:47 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
    2007-11-07 13:35 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-12 20:46 --------- d-----w C:\Program Files\FileZilla Client
    2007-10-10 14:13 --------- d-----w C:\Program Files\ZC2.10
    2005-09-06 19:50 56 --sh--r C:\WINDOWS\system32\2D078FCBD5.sys
    2007-04-10 20:44 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
    2007-11-21 11:08 36352 --a------ C:\WINDOWS\system32\mljjhij.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    2007-11-26 08:43 145984 --a------ C:\WINDOWS\system32\atwnyndi.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be1d0f20-1e5a-4a0e-bcc7-948b384b63bc}]
    2007-11-27 08:45 78912 --a------ C:\WINDOWS\system32\xcpqljxa.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\atwnyndi.dll [2007-11-26 08:43 145984]

    [HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [2007-11-16 12:20]
    "{BF-F5-59-99-ZN}"="C:\Documents and Settings\mmussleman\Local Settings\Temp\T0CHD001.exe" []
    "4c1bf536"="C:\WINDOWS\system32\ptegdfcc.dll" [2007-11-27 08:49]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-06 09:19]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-04-30 12:48]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\mljjhij.dll [2007-11-21 11:08 36352]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atwnyndi]
    atwnyndi.dll 2007-11-26 08:43 145984 C:\WINDOWS\system32\atwnyndi.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjhij]
    mljjhij.dll 2007-11-21 11:08 36352 C:\WINDOWS\system32\mljjhij.dll
    C:\WINDOWS\system32\NavLogon.dll 2006-05-26 20:02 43760 C:\WINDOWS\system32\NavLogon.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2006-01-12 20:52 483328 --a------ C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-03-29 21:05 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    2006-03-07 12:02 53408 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2005-09-16 07:43 274432 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]
    2001-11-16 20:23 135168 --a------ C:\Program Files\RMClient\JobHisInit.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
    2000-11-04 20:09 40960 --a------ C:\Program Files\RMClient\MplSetUp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
    2006-08-18 13:06 315392 --a------ C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
    2006-08-25 11:25 3112960 --a------ C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-10-14 19:42 1404928 --a------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2003-11-19 17:48 32881 --a------ C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    2006-05-26 20:01 124656 --a------ C:\PROGRA~1\SYMANT~1\VPTray.exe

    R2 NLCSAgent;NLCS Agent;C:\WINDOWS\system32\nlcspro\csagtprosvc.exe

    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-27 13:37:00
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-27 13:39:55 - machine was rebooted
    .
    --- E O F ---



    CCleaner Install Log

    3ds max 7
    3ds max 7 Additional Maps and Materials
    3ds max 7 Architectural Materials
    3ds max 7 Reference Files
    Adobe Acrobat 7.0 Professional
    Adobe Acrobat 7.0.9 Professional
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player ActiveX
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS
    Adobe Illustrator CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Setup
    Adobe Stock Photos CS3
    Adobe SVG Viewer 3.0
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AiO_Scan
    ATI Control Panel
    ATI Display Driver
    Autodesk DirectConnect 2.0
    Avery Wizard 3.1
    AVG 7.5
    AVG Anti-Spyware 7.5
    Broadcom Advanced Control Suite
    Canon MP Drivers
    Canon MP Toolbox 4.1.1.0.mp10
    CCleaner (remove only)
    CorelDRAW Graphics Suite 12
    Dassault Systemes Software Prerequisites x86
    FileZilla Client 3.0.1
    Free DWG Viewer 5.4
    Google Earth
    HijackThis 1.99.1
    HP Image Zone 4.7
    HP PSC & OfficeJet 4.7
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_03
    Kaspersky Online Scanner
    LiveUpdate 3.0 (Symantec Corporation)
    MAS 200 Workstation
    Maya 2008
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft Office FrontPage 2003
    Microsoft Office Professional Edition 2003
    Mozilla Firefox (2.0.0.9)
    MSXML 4.0 SP2 (KB936181)
    MSXML 6.0 Parser (KB933579)
    Nero 6 Ultra Edition
    NVIDIA Photoshop Plug-ins
    OMCI
    PDF Settings
    PowerISO
    QFolder
    QuickTime
    RealPlayer
    Scan
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB943460)
    SmartFTP Client
    SmartNetMonitor for Client
    Spybot - Search & Destroy
    Spyware Doctor 5.1
    Symantec AntiVirus
    TMASOEDL
    TMASOLDL
    Trend Micro PC-cillin Internet Security 2007
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Virtual Earth - 3DVIA (Technology Preview)
    Virtual Earth 3D (Beta)
    WebFldrs XP
    Winamp (remove only)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Support Tools
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB888310
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    WinRAR archiver
    WinZip
    Xerox Support Centre
    Yahoo! Messenger
    Zelda Classic 2.10w

  9. #9
    Junior Member
    Join Date
    Nov 2007
    Posts
    8

    Default

    New HijackThis Scan:

    Logfile of HijackThis v1.99.1
    Scan saved at 13:45, on 2007-11-27
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\mmussleman\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\mljjhij.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\atwnyndi.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: {cb36b483-b849-7ccb-e0a4-a5e102f0d1eb} - {be1d0f20-1e5a-4a0e-bcc7-948b384b63bc} - C:\WINDOWS\system32\xcpqljxa.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atwnyndi.dll
    O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
    O4 - HKLM\..\Run: [{BF-F5-59-99-ZN}] C:\Documents and Settings\mmussleman\Local Settings\Temp\T0CHD001.exe CHD001
    O4 - HKLM\..\Run: [4c1bf536] rundll32.exe "C:\WINDOWS\system32\ptegdfcc.dll",b
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.couvrette.com/Remote/msrdp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cbs-virginia.int
    O17 - HKLM\Software\..\Telephony: DomainName = cbs-virginia.int
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cbs-virginia.int
    O20 - Winlogon Notify: atwnyndi - C:\WINDOWS\SYSTEM32\atwnyndi.dll
    O20 - Winlogon Notify: mljjhij - C:\WINDOWS\SYSTEM32\mljjhij.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NLCS Agent (NLCSAgent) - Unknown owner - C:\WINDOWS\system32\nlcspro\csagtprosvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

  10. #10
    Retired Security Volunteer
    Join Date
    Nov 2007
    Posts
    69

    Default

    Hi

    Step 1

    Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

    Code:
    File::
    
    C:\WINDOWS\system32\ptegdfcc.dll
    C:\WINDOWS\system32\xcpqljxa.dll
    C:\WINDOWS\system32\tyvbvbjp.exe
    C:\WINDOWS\system32\jhvdaers.dll
    C:\WINDOWS\system32\tuvvstu.dll
    C:\WINDOWS\17PHolmes572.exe
    C:\WINDOWS\system32\nybgwjvd.dll
    C:\WINDOWS\system32\mljjkij.dll
    C:\WINDOWS\system32\wvuvwwx.dll
    C:\WINDOWS\system32\qomjkjj.dll
    C:\WINDOWS\system32\mljjhij.dll
    C:\WINDOWS\io43mvuiw4kj.exe
    C:\WINDOWS\system32\atwnyndi.dll
    C:\WINDOWS\system32\ccbdewop.dll
    C:\WINDOWS\system32\byxwxww.dll
    C:\WINDOWS\system32\byxvwtt.dll
    C:\WINDOWS\TTC-4444.exe
    C:\WINDOWS\mrofinu572.exe.tmp
    
    Folder::
    
    C:\Temp\abW9
    C:\WINDOWS\system32\rMa06yy
    C:\WINDOWS\system32\rMa02yy
    C:\WINDOWS\system32\cc1
    C:\WINDOWS\system32\i2
    
    Registry::
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be1d0f20-1e5a-4a0e-bcc7-948b384b63bc}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "io43mvuiw4kj"=-
    "{BF-F5-59-99-ZN}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atwnyndi]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjhij]
    Click on File > Save as...

    In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

    Click Save.



    Referring to the picture above, drag CFScript into ComboFix.exe.
    It will create a log. Be sure to save it to a convenient location.

    Step 2

    Your Java software is out of date. Follow these instructions to update it:

    • Go to Start and click on Control Panel, then double-click on Add or Remove Programs.
    • Search for previously installed versions of Java (J2SE Runtime Environment), and remove them. It should have this icon next to it:
    • Then download and install Java Runtime Environment (JRE) 6 Update 3.


    Step 3

    In your next reply, please post:

    • the Combofix log (C:\Combofix.txt)
    • a new HijackThis log
    • How is everything running now?
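    As an added example of the analysis step behind the helper's CFScript in post #10 (this is not code from the thread, HijackThis or ComboFix): a Python script that parses the O2/O3/O4/O20 lines of the HijackThis log above, flags the entries whose files carry random-looking names in the Windows directory, and drafts File:: and Registry:: sections in the same layout the helper used. The sample lines are copied from this thread's log, and the heuristics are assumptions that mirror what the helper evidently looked for; a hit is a lead for review, not a verdict.

```python
"""Triage HijackThis O2/O3/O4/O20 entries and draft a CFScript from the hits.

Added example for this thread; not code from HijackThis, ComboFix or the helper.
The sample lines are copied from the HijackThis log posted above, the heuristics
are assumptions mirroring what the helper looked for, and the output layout follows
the File::/Registry:: sections in the helper's post. A hit is a triage lead only.
"""
import re

# Constructed subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\mljjhij.dll
O2 - BHO: {cb36b483-b849-7ccb-e0a4-a5e102f0d1eb} - {be1d0f20-1e5a-4a0e-bcc7-948b384b63bc} - C:\WINDOWS\system32\xcpqljxa.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atwnyndi.dll
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [{BF-F5-59-99-ZN}] C:\Documents and Settings\mmussleman\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [4c1bf536] rundll32.exe "C:\WINDOWS\system32\ptegdfcc.dll",b
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O20 - Winlogon Notify: atwnyndi - C:\WINDOWS\SYSTEM32\atwnyndi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
}
# Five or more consonants in a row: "mljjhij", "xcpqljxa", "atwnyndi" fire, "NavLogon" does not.
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{5,}", re.IGNORECASE)
GUID_LIKE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32, not in a deeper subfolder.
WINDOWS_ROOT = re.compile(r"^C:\\WINDOWS(\\system32)?\\[^\\]+$", re.IGNORECASE)

def file_from_command(cmd):
    """Pull the launched file out of an O4 command line (quoted, bare, or with arguments)."""
    quoted = re.search(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"(.+?\.(?:exe|dll|sys))(\s|$)", cmd, re.IGNORECASE)
    return bare.group(1) if bare else cmd

def parse_hjt(text):
    """Return one dict per recognised O2/O3/O4/O20 line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line.strip())
            if m:
                entry = dict(m.groupdict(), kind=kind)
                if kind == "O4":
                    entry["path"] = file_from_command(entry["cmd"])
                entries.append(entry)
                break
    return entries

def suspicious(entry):
    """List the heuristics that fire for an entry; an empty list is 'no lead', not 'clean'."""
    reasons = []
    stem = entry["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if entry["kind"] in ("O2", "O3") and (entry["name"] == "(no name)" or GUID_LIKE.match(entry["name"])):
        reasons.append("browser add-on without a readable display name")
    if WINDOWS_ROOT.match(entry["path"]):
        if CONSONANT_RUN.search(stem):
            reasons.append("random-looking name dropped straight into the Windows directory")
        if stem.islower() and re.search(r"\d", stem):
            reasons.append("lower-case letter/digit jumble in the Windows directory")
    if re.search(r"\\Local Settings\\Temp\\", entry["path"], re.IGNORECASE):
        reasons.append("logon autorun launched from a Temp directory")
    return reasons

def draft_cfscript(entries):
    """Render File:: and Registry:: sections in the layout the helper used in this thread."""
    files, registry = {}, []
    for e in entries:
        if not suspicious(e):
            continue
        files.setdefault(e["path"].lower(), e["path"])  # dedupe case-insensitively
        if e["kind"] == "O2":
            registry.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % e["clsid"])
        elif e["kind"] == "O3":
            registry.append(r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]")
            registry.append('"%s"=-' % e["clsid"])
            registry.append(r"[-HKEY_CLASSES_ROOT\clsid\%s]" % e["clsid"].lower())
        elif e["kind"] == "O4":
            hive = "HKEY_LOCAL_MACHINE" if e["hive"] == "HKLM" else "HKEY_CURRENT_USER"
            registry.append(r"[%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]" % hive)
            registry.append('"%s"=-' % e["name"])
        elif e["kind"] == "O20":
            registry.append(r"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\%s]" % e["name"])
    return "File::\n" + "\n".join(files.values()) + "\n\nRegistry::\n" + "\n".join(registry) + "\n"

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        for reason in suspicious(e):
            print("%-4s %-20s %s" % (e["kind"], e["path"].rsplit("\\", 1)[-1], reason))
    print(draft_cfscript(parse_hjt(SAMPLE_LOG)))
```

The drafted Registry:: lines match the helper's own entries for these CLSIDs and Run values; the File:: list is wider than his because it also includes the Temp-directory autorun, which is why the draft is meant to be reviewed before use.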
