Mischel Internet Security Forum » Malware » Trojans
(Moderators: Helena, Gavin_Coe, Magnus)

mljiigd.dll [Generic.Vundo.A] not quarantined!
AdvancedHominid
« on: Nov 6th, 2007, 10:00pm »

I am thus far very disappointed in the complete inability of Trojanhunter Scanner to quash the Vundo trojan which infected my system a few days ago:
 
Trojanhunter 5 identifies the malicious objects:
 
mlgje.dll  
mljiigd.dll [Generic.Vundo.A]
 
but cannot quarantine them. Instead, it tells the user "scheduling file to be quarantined when computer is restarted". However, it never accomplishes this. The files remain no matter how many times the system is rebooted.
 
Moreover, I have tried to delete these files by running Windows XP in "Safe Mode" and am denied - "file in use by another program or process". However, no unusual processes are running that can be viewed in Task Manager even after I have killed every non-system-critical process which Task Manager allows me to.
 
How can these malicious adware files be removed?
 
Exactly since the malicious Vundo attack, the user is bothered by endlessly repetitive phony "balloons" and "reminders" that "Windows has detected a spyware infection" and that Windows "has not detected antivirus software".  
 
Will these problems have to be dealt with separately? Or are these just other symptoms of Vundo?
 
Cumulatively, the above symptoms have seriously damaged my system and rendered it virtually unusable.  
 
Knowledgeable, specific recommendations for a straightforward fix will be enormously appreciated.
 

siliconman01 (Global Moderator)
« Reply #1 on: Nov 7th, 2007, 12:30am »

Welcome to the forum, AdvancedHominid.
 
Would you please reboot your computer into SAFE MODE and run a Full Scan of your system with TrojanHunter.  Let it fix what it finds.  Then reboot back into Normal Mode.  If that does not clean up your system, then:
 
Please do this:
 
A.  Download/install Hijackthis per the link below
 
http://www.misec.net/forum/board/FAQ/1163329424
 
B.  Download Vundofix to your desktop.
 
http://www.atribune.org/content/view/24/2/
 
C.  Download VirtumundoBegone to your desktop
 
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
 
D.  Removal Steps:  
 
-  Please print these instructions as they will be needed later when Internet access is not available.
 
-  Save these instructions in word or notepad to the desktop where they can be easily found.
 
-  Double-click VundoFix.exe to run it.
 
-  Click the Scan for Vundo button.
 
-  Once it's done scanning, click the Remove Vundo button.
 
-  You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.
 
-  When completed, it will prompt that it will shutdown your computer, click the OK button.
 
-  When the computer has shutdown, turn your computer back on.  
 
The WinFixer and Vundo infection should now be removed from your computer.  
 
E.  Removal Steps if the infection is not gone.
 
This step should only be used if the instructions in the previous steps did not remove the infection:
 
-  Reboot into Safe Mode.  
 
-  When your computer reaches the desktop, make sure you log in as the same user with which you performed the previous steps.
 
-  Once you are logged into safe mode, double-click VirtumundoBeGone.exe file and follow the instructions.
 
-  Exit when it has finished, and reboot back to normal mode.  
 
The WinFixer and Vundo infection should now be removed from your computer.  
 
F.  Hijackthis Scan Log
 
-  Please then run a Hijackthis scan and post the log back here for us to review.  
« Last Edit: Nov 7th, 2007, 2:39am by siliconman01 »

AdvancedHominid
« Reply #2 on: Nov 7th, 2007, 12:12pm »

Hi Siliconman01,
 
I would be glad to do these procedures if I could get to the Internet on the below-mentioned computer.  
 
One of the devastating consequences of the Trojan itself, or of the partial "repair" effort including Regedit or Registry "cleaning" done by TH 5, has been the disabling of access to my Local Wireless Network by which this machine connects to the Internet.
 
Wireless Network shows in range with maximum signal but I cannot connect to it. It appears to be Firewalled for some reason. When attempting to view/change Firewall settings, I am denied with message "Access has been restricted by the Administrator". This applies even when I am running in Safe Mode from the Administrator account on XP!
 
All users are also locked out of Control Panel and all users except Administrator are locked out of Task Manager in the same fashion.
 
Please advise on how to correct this. I am eager to download/apply your recommended fixes.
 
Thanks very much.

siliconman01 (Global Moderator)
« Reply #3 on: Nov 7th, 2007, 12:32pm »

Can you download the files to a CD or floppy using another computer?  Then move them over to the desktop on the infected computer and run the cleaning process.  
 
Also, on the infected computer, did you try to do a System Restore back to a restore point that is earlier than the infection?  Perhaps that will get your connectivity back.  
 
Running System Restore
 
     If you can boot Windows:
 
     Start/Programs/Accessories/System Tools/System Restore.  Click the Restore My Computer to an earlier time, next.
 
     If you cannot boot Windows:
 
     Boot into safe mode. Click the System Restore link.  Click the Restore My Computer to an earlier time, next.
 
Note:  Current documents, files and e-mail are not affected during a restoration.  
 
 
I really need to see a HiJackThis log from the infected computer so I can see what might be happening.
« Last Edit: Nov 7th, 2007, 12:49pm by siliconman01 »

AdvancedHominid
« Reply #4 on: Nov 7th, 2007, 12:51pm »

Thanks Siliconman01,
 
Unfortunately the system does not have a floppy drive although it does have CD/DVD. If it's a simple matter of downloading zip file or executable and running it on any machine, that could work.  It looks like HijackThis install works in this fashion.
 
But if the others are integrated download/install scripts, as they appear to be, that is problematic.
 
BTW, the link you listed for Vundofix download
is not operative. Any ideas?
 
Thanks again for your help. I will keep you posted.

siliconman01 (Global Moderator)
« Reply #5 on: Nov 7th, 2007, 12:55pm »

Use the link below for VundoFix download
 
http://www.majorgeeks.com/download4954.html
 
 
IF you cannot get to System Restore, try this:
 
Perform a search for rstrui.exe
 
Once you find rstrui.exe, double click on it to start it.  
 
Your System Restore interface window should open so that you can run a System Restore
« Last Edit: Nov 7th, 2007, 1:10pm by siliconman01 »

AdvancedHominid
« Reply #6 on: Nov 8th, 2007, 12:15pm »

Hi Siliconman01,
 
I tried every trick you recommended to do a restore, but all attempts met with "access denied". I'm not sure at any rate it would have been useful, because I doubt the system had been backed up previously to a useful sync point.
 
With all other options denied or not practical, Mischel Tech Support has recommended to manually delete the Trojan files after booting to Recovery Console mode. For this I need the XP System Disk which has not yet arrived.
 
I will probably attempt this in the near future. It seems worthwhile.
 
To your knowledge, is there anything that would prevent me from deleting the files when logged on as Administrator and running from Recovery Console?
 
Naturally I will attempt to delete mlgje.dll and mljiigd.dll. Mischel said also to delete the "main trojan exe" for Vundo. But I'm not sure what that Program is. Doesn't it rename itself constantly?
 
Please advise.

siliconman01 (Global Moderator)
« Reply #7 on: Nov 8th, 2007, 12:32pm »

Hmmm, sorry that you could not get into System Restore to at least try it.
 
Did you try running Vundofix.exe?
 
Quote:
To your knowledge, is there anything that would prevent me from deleting the files when logged on as Administrator and running from Recovery Console?

 
I can think of nothing that would prevent you from being able to delete files while in the Recovery Console.
 
Quote:
Mischel said also to delete the "main trojan exe" for Vundo. But I'm not sure what that Program is. Doesn't it rename itself constantly?

 
I think it renames itself for a specific system but then remains constant on that specific system.... I think.
 
Your situation sounds hauntingly like the problem on the thread below. It was a tough one, but finally got resolved.
 
http://www.misec.net/forum/board/Trojans/1194192060
« Last Edit: Nov 8th, 2007, 12:33pm by siliconman01 »

AdvancedHominid
« Reply #8 on: Nov 8th, 2007, 4:17pm »

Thanks for your supportive words. Yes, that thread does look very similar. I've read similar horror stories about Vundo including recent updates on the VundoFix author's home page. There's a version which embeds itself in LSASS process - a process which I suspected could be problematic but is system-critical and cannot be shut down.
 
FYI within a few days I will have HiJackThis, VundoFix and VirtumundoBegone executables available to run on the infected machine. I will likely have them before I get the XP system disk.  
 
Nevertheless, my plan is to follow the advice of Mischel (came from Magnus at Tech Support) and first attempt to delete the bad DLL's + executable if I can find it from Recovery Console mode. I will then check for symptoms, after which we can apply other remedies including application of any/all the above-mentioned programs as per your instructions.
 
Do you agree with this approach?

siliconman01 (Global Moderator)
« Reply #9 on: Nov 9th, 2007, 2:16am »

Quote:
Do you agree with this approach?

 
Definitely sounds like a winner to me.
 
Looking forward to assisting you further when you are ready.

AdvancedHominid
« Reply #10 on: Nov 13th, 2007, 4:53pm »

OK, here's my latest status AFTER deleting some files from Recovery Console AND executing some of the removal programs you listed above:
 
Summary:
 
1. Some of the nasty trojans seem to have been neutralized, particularly Vundo and/or Virtumundo.  
 
2. We can get to the Internet although not through our preferred network which remains "firewalled". Nor can we access Control Panel, Task Manager etc.
 
3. When we go to various Web sites, we are NOT getting pop-ups from other URL's interfering with our session.
 
4. The only other clearly remaining malware symptom is the bogus message "Windows has detected a spyware infection" which pops up constantly, interfering with productivity by blocking other windows etc.
 
5. Latest Trojan Hunter Scan Report shows failure to remove a Registry Key which contains winav.exe, which we know to be Malware. No matter how many times we run Trojan Hunter Scanner, this reference cannot be removed.
 
6. Extra unwanted and probably malicious processes such as spoolsv and spoolv load during start-up no matter how many times we remove them using msconfig utility.
 
Below are the latest complete HijackThis and TrojanHunter Scan Reports:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:08 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\spoolv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolv.exe
C:\Program Files\HiJackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - C:\Program Files\fwxkhglp\hgfvlkhx.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7DE7AB1D-AFE9-46D7-845F-909EA229DAE3} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: {ca63c830-618f-fd4b-59e4-c9d61b1d811a} - {a118d1b1-6d9c-4e95-b4df-f816038c36ac} - C:\WINDOWS\system32\qutteavn.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolv.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194317645406
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
 
--
End of file - 4049 bytes
 
-----------------------------------------------------------------
TrojanHunter Scan Report - Saved 2007-11-13 15:36
 
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Printer  (matches IRCBot.100)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Printer  (matches IRCBot.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Registry value exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe (matches Agent.100)
Found trojan file: C:\Documents and Settings\Benjamin\Local Settings\Temporary Internet Files\Content.IE5\U1XRJ851\gepj[1] (Vundo.536)
Found trojan file: C:\Documents and Settings\Benjamin\Local Settings\Temporary Internet Files\Content.IE5\WTM785QJ\ptch[1] (Vundo.535)
Found trojan file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Enforce.dll (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmlicmgr.dll (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\MMCodec.dll (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\MP3.cdc (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\MP3Pro.cdc (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\wma.inp (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\wma.out (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\Enforce.dll (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\MMCodec.dll (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\MP3.cdc (Generic.Vundo.B)
Found trojan file: C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\MP3Pro.cdc (Generic.Vundo.B)
Found trojan file: C:\WINDOWS\SYSTEM32\lhwejkeg.dll.ren (BHO.219)
Found trojan file: C:\WINDOWS\SYSTEM32\ntio256.sys (Rootkit.Delf.103)
Found trojan file: C:\WINDOWS\SYSTEM32\onjuhjah.dll.ren (BHO.219)
Found trojan file: C:\WINDOWS\SYSTEM32\protector.exe/Upx.qckvrsxp (TrojanProxy.Wopla.114)
Removed registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Printer  
Removed registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe
Removed registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe
Removed registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe
Removed registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe
Unable to remove registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe
Unable to remove registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Windir%\system32\winav.exe
Quarantined file C:\Documents and Settings\Benjamin\Local Settings\Temporary Internet Files\Content.IE5\U1XRJ851\gepj[1]
Quarantined file C:\Documents and Settings\Benjamin\Local Settings\Temporary Internet Files\Content.IE5\WTM785QJ\ptch[1]
Quarantined file C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Enforce.dll
Quarantined file C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmlicmgr.dll
Quarantined file C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\MMCodec.dll
Quarantined file C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\MP3.cdc
Quarantined file C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\MP3Pro.cdc
Quarantined file C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\wma.inp
Quarantined file C:\Program Files\MUSICMATCH\Musicmatch Jukebox\Plugins\wma.out
Quarantined file C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\Enforce.dll
Quarantined file C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\MMCodec.dll
Quarantined file C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\MP3.cdc
Quarantined file C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\MP3Pro.cdc
Quarantined file C:\WINDOWS\SYSTEM32\lhwejkeg.dll.ren
Quarantined file C:\WINDOWS\SYSTEM32\ntio256.sys
Quarantined file C:\WINDOWS\SYSTEM32\onjuhjah.dll.ren
Quarantined file C:\WINDOWS\SYSTEM32\protector.exe
 
------------------------------------------------------------------
Please give your best, carefully considered advice on what to do now.
 
Thanks very much,
 
AdvancedHominid
 
 
 
 
 
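The HijackThis log above is the kind of thing a helper reads by eye: a second executable appended to the Winlogon Shell value (F2), BHOs with no name whose file is already missing (O2), autorun entries and running processes whose names are one or two letters off a real Windows binary (spoolv.exe and spoolvs.exe beside the genuine spoolsv.exe), policies that disable Regedit (O7), Trusted Zone additions (O15) and an AppInit_DLLs entry (O20). As an added example, not code from the thread, from HijackThis or from TrojanHunter, the Python below runs those same checks over constructed sample lines modelled on the posted log. The list of system process names, the edit-distance threshold of two and the sample log are my own assumptions.

```python
"""Triage pass over HijackThis-style log lines (added example; not HijackThis code)."""
import re

# Genuine Windows process names that malware likes to imitate (assumed list).
SYSTEM_NAMES = ("spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "smss.exe")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")  # e.g. "O4 - HKLM\..\Run: ..."
PROC_RE = re.compile(r"^[A-Za-z]:\\")                              # "Running processes" lines

# Constructed sample, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spoolv.exe
C:\WINDOWS\shell.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {7DE7AB1D-AFE9-46D7-845F-909EA229DAE3} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolv.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.doginhispen.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def levenshtein(a, b):
    """Edit distance; inputs are short file names, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.strip().strip('"').split("\\")[-1]


def lookalike_of(name):
    """Return the real system binary this name imitates, or None if exact or unrelated."""
    name = name.lower()
    if name in SYSTEM_NAMES:          # the genuine binary is never a lookalike
        return None
    for real in SYSTEM_NAMES:
        if levenshtein(name, real) <= 2:   # assumed threshold: one or two character edits
            return real
    return None


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason, section = None, None
        if PROC_RE.match(line):
            section = "PROC"
            real = lookalike_of(basename(line))
            if real:
                reason = f"running process {basename(line)} mimics {real}"
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue
            section, body = m.group("section"), m.group("body")
            if section == "F2" and "Shell=" in body:
                if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                    reason = "Winlogon Shell has an extra executable appended"
            elif section == "O2" and ("(file missing)" in body or "(no name)" in body):
                reason = "BHO with no name or missing file (orphaned loader entry)"
            elif section == "O4":
                target = basename(body.split("]", 1)[-1])
                real = lookalike_of(target)
                if real:
                    reason = f"autorun binary {target} mimics {real}"
            elif section == "O7" and re.search(r"Disable(Regedit|TaskMgr)=1", body):
                reason = "policy disables an administrative tool"
            elif section == "O15":
                reason = "site added to the Trusted Zone; confirm it was intentional"
            elif section == "O20" and body.startswith("AppInit_DLLs:"):
                reason = "AppInit_DLLs loads into every process that links user32"
        if reason:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}: {f['line']}")
```

The lookalike check is deliberately applied to both the running-process list and the O4 autorun entries, because in this log the same impostor name shows up in both places; a genuine spoolsv.exe passes because exact matches are excluded before the edit-distance test runs.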
siliconman01 (Global Moderator)
« Reply #11 on: Nov 15th, 2007, 2:44am »

Yes, you still have several problems.  
 
1.  Please go to the link below and download SmitFraudFix to your desktop.  Print out the webpage instructions.
 
http://siri.geekstogo.com/SmitfraudFix.php
 
2.  Please go to the link below and download ComboFix to your desktop.
 
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
 
3.  Then run Smitfraudfix per the instructions that you printed out.
 
4.  After you reboot from the Smitfraudfix, run ComboFix.  Just double click on it and follow the prompts.  
 
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
 
5.  Please post back here the results log for SmitFraudfix and combofix.
 
6.  Post a new HJT scan log.
 
7.  If your control panel, regedit, and task manager are still inactive, run a  
 
SFC /SCANNOW
 
-  Put your Windows XP disk in your CD drive
-  Go to START>RUN and enter    SFC /SCANNOW
 
This will replace corrupted Windows files.  
 
I responded to your Private Message too.
 
Additional Recommendation
 
I see no evidence of a virus scanner on your system.  I urge you to download/install/run the Trial version of KIS 7.  It can be obtained via the link below.  Some of the malicious items showing up in your HJT log can only be removed via a strong virus scanner.
 
http://usa.kaspersky.com/trials/home-users/internet-security-7/tp/
« Last Edit: Nov 15th, 2007, 4:16am by siliconman01 »

AdvancedHominid
« Reply #12 on: Nov 15th, 2007, 4:24pm »

Hi Siliconman01,
 
Thanks for your follow-up and diligence. After running the SmitFraudFix and ComboFix procedures as you recommended, our situation has improved substantially:
 
1. Intrusive pop-ups with bogus antivirus or antispyware messages have been eliminated.
 
2. We can reliably get to the Internet through our Preferred Network.
 
3. Overall System Performance/speed has been restored to pre-infection level.
 
4. From Safe Mode as Administrator I can run Regedit, Task Manager, Control Panel.
 
5. MSCONFIG shows clean boot with only TH 5.0 included at start-up; Malware Processes have been eliminated or disabled.
 
The remaining problems seem security/permission related:
 
1. There are 4 "regular" [not the "Administrator" Account] User Accounts which we configured on this system since we bought it. Each is defined as an Administrator and should therefore be able to run every utility. However at this point all 4 User Accounts remain locked out of Control Panel and the Security Center. Only one can run Task Manager and Regedit.
 
2. Even running as Administrator in Safe Mode, I cannot install Kaspersky Software! Download is OK, but Install script is denied with message like - "System Administrator has not authorized you to run this Program".
 
3. When running as Administrator in Safe Mode, I am unable to modify the Security Center Alert Mode setting. I can access Security Center, but that option is grayed out. Windows displays a message that I cannot run the utility because Security Center has been turned off. But I don't know how to turn it on while in Safe Mode!  
 
FYI when regular user Accounts are logged onto (not in Safe Mode), each gets the initial warning pop-up message from the Security Center about no Antivirus SW installed. So clearly it's being turned on somewhere. However, any regular user trying to access the Security Center to view or change settings is denied - "System Access has been disabled by the Administrator".
 
**Do you still recommend running SFC with the SCANNOW option to cut through these security difficulties? I do not want to reinitialize the 4 individual user desktop configurations [application presentation, icons etc.], which can take considerable time to rebuild.** Please clarify the risk level associated with SFC /SCANNOW.
 
Again, many thanks for your help thus far. Looking forward to hearing from you to manage final clean-up.
 
I have included under separate cover the logs you requested (they were too big to fit into one message).
 
Kind Regards,
 
A.H.

AdvancedHominid
« Reply #13 on: Nov 15th, 2007, 4:29pm »

SmitFraudFix Log - the latest
 
SmitFraudFix v2.253
 
Scan done at 14:44:52.70, Thu 11/15/2007
Run from C:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
 
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
 
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
 
 
»»»»»»»»»»»»»»»»»»»»»»»» hosts
 
10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net
10.18.250.4 banners.fastclick.net
10.18.250.4 ca.com
10.18.250.4 click.atdmt.com
10.18.250.4 clicks.atdmt.com
10.18.250.4 customer.symantec.com
10.18.250.4 dispatch.mcafee.com
10.18.250.4 download.mcafee.com
10.18.250.4 downloads-us1.kaspersky-labs.com
10.18.250.4 downloads-us2.kaspersky-labs.com
10.18.250.4 downloads-us3.kaspersky-labs.com
10.18.250.4 downloads1.kaspersky-labs.com
10.18.250.4 downloads2.kaspersky-labs.com
10.18.250.4 downloads3.kaspersky-labs.com
10.18.250.4 downloads4.kaspersky-labs.com
10.18.250.4 engine.awaps.net
10.18.250.4 f-secure.com
10.18.250.4 fastclick.net
10.18.250.4 ftp.avp.ch
10.18.250.4 ftp.downloads1.kaspersky-labs.com
10.18.250.4 ftp.downloads2.kaspersky-labs.com
10.18.250.4 ftp.downloads3.kaspersky-labs.com
10.18.250.4 ftp.f-secure.com
10.18.250.4 ftp.kasperskylab.ru
10.18.250.4 ftp.sophos.com
10.18.250.4 ids.kaspersky-labs.com
10.18.250.4 kaspersky-labs.com
10.18.250.4 kaspersky.com
10.18.250.4 liveupdate.symantec.com
10.18.250.4 liveupdate.symantecliveupdate.com
10.18.250.4 mast.mcafee.com
10.18.250.4 mcafee.com
10.18.250.4 media.fastclick.net
10.18.250.4 my-etrust.com
10.18.250.4 nai.com
10.18.250.4 networkassociates.com
10.18.250.4 norton.com
10.18.250.4 phx.corporate-ir.net
10.18.250.4 rads.mcafee.com
10.18.250.4 secure.nai.com
10.18.250.4 securityresponse.symantec.com
10.18.250.4 service1.symantec.com
10.18.250.4 sophos.com
10.18.250.4 spd.atdmt.com
10.18.250.4 symantec.com
10.18.250.4 trendmicro.com
10.18.250.4 update.symantec.com
10.18.250.4 updates.symantec.com
10.18.250.4 updates1.kaspersky-labs.com
10.18.250.4 updates2.kaspersky-labs.com
10.18.250.4 updates3.kaspersky-labs.com
10.18.250.4 updates4.kaspersky-labs.com
10.18.250.4 updates5.kaspersky-labs.com
10.18.250.4 us.mcafee.com
10.18.250.4 vil.nai.com
10.18.250.4 viruslist.com
10.18.250.4 viruslist.ru
10.18.250.4 virusscan.jotti.org
10.18.250.4 virustotal.com
10.18.250.4 www.avp.ch
10.18.250.4 www.avp.com
10.18.250.4 www.avp.ru
10.18.250.4 www.awaps.net
10.18.250.4 www.ca.com
10.18.250.4 www.f-secure.com
10.18.250.4 www.fastclick.net
10.18.250.4 www.grisoft.com
10.18.250.4 www.kaspersky-labs.com
10.18.250.4 www.kaspersky.com
10.18.250.4 www.kaspersky.ru
10.18.250.4 www.mcafee.com
10.18.250.4 www.my-etrust.com
10.18.250.4 www.nai.com
10.18.250.4 www.networkassociates.com
10.18.250.4 www.sophos.com
10.18.250.4 www.symantec.com
10.18.250.4 www.trendmicro.com
10.18.250.4 www.viruslist.com
10.18.250.4 www.viruslist.ru
10.18.250.4 www.virustotal.com
 
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
 
S!Ri's WS2Fix: LSP not Found.
 
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
 
GenericRenosFix by S!Ri
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
 
C:\WINDOWS\shell.exe Deleted
C:\WINDOWS\system32\printer.exe Deleted
C:\WINDOWS\system32\spoolvs.exe Deleted
C:\DOCUME~1\ADMINI~1.GAM\STARTM~1\Programs\Startup\findfast.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted
 
»»»»»»»»»»»»»»»»»»»»»»»» DNS
 
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F3B7BC82-4B63-4225-896D-4C7E785E5326} : DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F3B7BC82-4B63-4225-896D-4C7E785E5326} : DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4562FED8-77EF-4F04-89F1-266963357739} : DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F3B7BC82-4B63-4225-896D-4C7E785E5326} : DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.  
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
 
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
 
 
»»»»»»»»»»»»»»»»»»»»»»»» End
 
AdvancedHominid
Re: mljiigd.dll [Generic.Vundo.A] not quarantined!
« Reply #14 on: Nov 15th, 2007, 4:32pm »
ComboFix Log:
 
ComboFix 07-11-08.1 - Administrator 2007-11-15 14:50:01.1 - NTFSx86 MINIMAL
Running from: C:\Program Files\ComboFix.exe
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\All Users\Application Data.\pgdkdgrg.dll
C:\Documents and Settings\Benjamin\Application Data\Install.dat
C:\Documents and Settings\Benjamin\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\infos.exe
C:\Documents and Settings\Scott\Application Data\install.dat
C:\Documents and Settings\Scott\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Yvette\Application Data\install.dat
C:\Documents and Settings\Yvette\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Yvette\Start Menu\Programs\Startup\infos.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\away.exe.exe
C:\WINDOWS\system32\m2
C:\WINDOWS\system32\ntio256.sys
C:\WINDOWS\system32\ntsystem.exe
C:\WINDOWS\system32\o1
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\protector.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\v4
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\xlavba8.exe
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NTIO256
-------\LEGACY_XLAVBA8
-------\ntio256
-------\xlavba8
 
 
(((((((((((((((((((((((((   Files Created from 2007-10-15 to 2007-11-15  )))))))))))))))))))))))))))))))
.
 
2007-11-15 14:48	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-15 14:20	592	--a------	C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-15 14:16	26,815,520	--a------	C:\Program Files\kis7.0.0.125en.exe
2007-11-15 14:12	1,539,258	--a------	C:\Program Files\ComboFix.exe
2007-11-15 14:12	1,043,644	--a------	C:\Program Files\SmitfraudFix.exe
2007-11-13 12:01	289,280	--a------	C:\WINDOWS\SYSTEM32\libcurl.dll
2007-11-13 12:01	55,808	--a------	C:\WINDOWS\SYSTEM32\spoolv.exe
2007-11-13 12:01	7,863	--a------	C:\WINDOWS\drabste.exe
2007-11-13 12:00	16,384	--a------	C:\WINDOWS\xlaherx.exe
2007-11-13 11:46	<DIR>	d--------	C:\VundoFix Backups
2007-11-13 11:40	812,344	--a------	C:\Program Files\HJTInstall.exe
2007-11-13 11:40	401,720	--a------	C:\Program Files\HiJackThis.exe
2007-11-13 11:40	318,369	--a------	C:\Program Files\HiJackThis.zip
2007-11-13 11:40	115,712	--a------	C:\Program Files\VundoFix.exe
2007-11-13 11:40	96,978	--a------	C:\Program Files\VirtumundoBeGone.exe
2007-11-07 14:13	<DIR>	d--------	C:\Documents and Settings\Administrator.GAMEROOM\Application Data\TrojanHunter
2007-11-06 18:25	<DIR>	d--------	C:\Documents and Settings\Yvette\Application Data\ultra
2007-11-06 15:09	130,743	--a------	C:\WINDOWS\noskrnl.exe
2007-11-06 15:09	7,530	--a------	C:\WINDOWS\porkaa.exe
2007-11-05 22:03	<DIR>	d--------	C:\Program Files\MSXML 4.0
2007-11-05 21:47	584,192	---------	C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-11-05 21:46	683,520	---------	C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-11-05 21:28	297,984	---------	C:\WINDOWS\SYSTEM32\DLLCACHE\msctf.dll
2007-11-05 19:55	296,813	---hs----	C:\WINDOWS\SYSTEM32\egjlm.bak2
2007-11-05 16:56	<DIR>	d--------	C:\Documents and Settings\Scott\Application Data\ultra
2007-11-05 16:56	69	--a------	C:\Documents and Settings\Scott\Application Data\trant.exe
2007-11-05 14:53	<DIR>	d--------	C:\Documents and Settings\Benjamin\Application Data\TrojanHunter
2007-11-05 13:33	<DIR>	d--------	C:\Program Files\TrojanHunter 5.0
2007-11-05 12:03	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 21:51	<DIR>	d--------	C:\Documents and Settings\Benjamin\Application Data\SpywareBot
2007-11-04 19:55	281,941	---hs----	C:\WINDOWS\SYSTEM32\egjlm.bak1
2007-11-04 18:51	<DIR>	d--------	C:\Program Files\a-squared Anti-Malware
2007-11-04 17:06	577,025	--a------	C:\WINDOWS\SYSTEM32\hajhujno.ini.ren
2007-11-04 16:07	<DIR>	d--------	C:\Documents and Settings\Scott\Application Data\Simply Super Software
2007-11-04 15:39	<DIR>	d--------	C:\Documents and Settings\Benjamin\Application Data\Simply Super Software
2007-11-04 15:39	<DIR>	d-a------	C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-04 15:01	576,941	--a------	C:\WINDOWS\SYSTEM32\gekjewhl.ini.ren
2007-11-04 14:55	282,046	--a------	C:\WINDOWS\SYSTEM32\egjlm.bak2.ren
2007-11-04 14:29	282,799	--a------	C:\WINDOWS\SYSTEM32\egjlm.bak1.ren
2007-11-04 14:28	288,308	--ahs----	C:\WINDOWS\SYSTEM32\egjlm.ini.ren
2007-11-03 21:36	<DIR>	d--hs----	C:\WINDOWS\U2NvdHQ
2007-11-03 21:36	<DIR>	d--------	C:\WINDOWS\SYSTEM32\Mz02r
2007-11-03 21:36	<DIR>	d--------	C:\Temp\mZOr
2007-11-03 21:36	<DIR>	d--------	C:\Temp
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 19:45	---------	d-----w	C:\Program Files\SmitfraudFix
2007-11-13 20:44	4,050	----a-w	C:\Program Files\hijackthis_11_13_07_PostCleaning Snapshot.txt
2007-11-13 20:43	4,050	----a-w	C:\Program Files\hijackthis.log
2007-11-06 20:18	---------	d-----w	C:\Documents and Settings\Benjamin\Application Data\MSNInstaller
2007-11-05 17:36	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2007-10-13 23:30	---------	d-----w	C:\Documents and Settings\Scott\Application Data\ChessBase
2007-10-05 00:16	---------	d-----w	C:\Program Files\BabasChess
2006-05-13 15:19	12,345,008	-c--a-w	C:\Program Files\PlayChessSetup.exe
2005-05-01 01:09	2,758,380	----a-w	C:\Program Files\light.zip
2005-04-24 18:22	6,224,944	-c--a-w	C:\Program Files\pkr80018en.EXE
2005-04-17 15:45	5,629,711	-c--a-w	C:\Program Files\winboard-4_2_7a.exe
2005-07-29 21:24:26	472	--sha-r	C:\WINDOWS\U2NvdHQ\oZhSxJk.vbs
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F02D978-0FF6-80F7-60BB-0426224AB7B3}]
C:\Program Files\fwxkhglp\hgfvlkhx.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DE7AB1D-AFE9-46D7-845F-909EA229DAE3}]
C:\WINDOWS\system32\mljge.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a118d1b1-6d9c-4e95-b4df-f816038c36ac}]
C:\WINDOWS\system32\qutteavn.dll
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 05:00]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator.GAMEROOM^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Administrator.GAMEROOM\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator.GAMEROOM^Start Menu^Programs^Startup^infos.exe]
path=C:\Documents and Settings\Administrator.GAMEROOM\Start Menu\Programs\Startup\infos.exe
backup=C:\WINDOWS\pss\infos.exeStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
backup=C:\WINDOWS\pss\autos.exeCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB 2.0 WLAN Card Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk
backup=C:\WINDOWS\pss\Wireless USB 2.0 WLAN Card Utility.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Benjamin^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Benjamin\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Benjamin^Start Menu^Programs^Startup^infos.exe]
path=C:\Documents and Settings\Benjamin\Start Menu\Programs\Startup\infos.exe
backup=C:\WINDOWS\pss\infos.exeStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Benjamin^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Benjamin\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Scott\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^infos.exe]
path=C:\Documents and Settings\Scott\Start Menu\Programs\Startup\infos.exe
backup=C:\WINDOWS\pss\infos.exeStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Yvette^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Yvette\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Yvette^Start Menu^Programs^Startup^infos.exe]
path=C:\Documents and Settings\Yvette\Start Menu\Programs\Startup\infos.exe
backup=C:\WINDOWS\pss\infos.exeStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
"C:\Program Files\a-squared Anti-Malware\a2guard.exe"
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost]
C:\WINDOWS\xlaherx.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dumprep]
C:\WINDOWS\system32\spoolv.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e0406f04]
rundll32.exe "C:\WINDOWS\system32\unxvijbf.dll",b
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gwiz]
C:\WINDOWS\system32\ntsystem.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KGTunes]
C:\Program Files\KG Tunes\KG Tunes\KG Tunes 5.exe /hide
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
C:\WINDOWS\system32\lsasss.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noskrnl]
C:\WINDOWS\noskrnl.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestTrap]
C:\Program Files\PestTrap\PestTrap.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pgdkdgrg]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pgdkdgrg.dll"
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\system32\printer.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
C:\Program Files\SpywareBot\SpywareBot.exe -boot
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
C:\Program Files\Trojan Remover\Trjscan.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
C:\WINDOWS\system32\winter.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
 
S2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
S3 noskrnl.sys;noskrnl.sys;\??\C:\WINDOWS\system32\noskrnl.sys
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable;C:\WINDOWS\system32\Drivers\SilvrLnk.sys
S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE
 
.
************************************************************************ **
 
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 15:08:07
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully  
hidden files: 0  
 
************************************************************************ **
.
Completion time: 2007-11-15 15:09:41 - machine was rebooted  
.
--- E O F ---
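Several of the startup entries in the ComboFix log above sit on near-misses of legitimate Windows binaries (lsasss.exe next to the real lsass.exe, spoolvs.exe next to spoolsv.exe, noskrnl.exe next to ntoskrnl.exe), others run straight from C:\WINDOWS or the drive root (xlaherx.exe, winstall.exe), and the SecurityProviders value carries an extra xlibgfl254.dll after the four standard SSP DLLs. The script below is an added example, not part of the original post or of ComboFix; it applies those three checks to a constructed set of entries taken from the log. The list of imitated system binaries, the default SecurityProviders set (Windows XP's; later versions add more) and the location heuristic are the example's own assumptions, not ComboFix logic.

```python
"""Triage autostart command lines of the kind ComboFix lists under
'Reg Loading Points': lookalike names, odd drop locations, injected SSPs."""
import os
import re

# Core Windows binaries that droppers commonly imitate (example's own list).
KNOWN_SYSTEM_BINARIES = {
    "lsass.exe", "spoolsv.exe", "ntoskrnl.exe", "svchost.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "smss.exe", "rundll32.exe",
}
# Windows XP default SecurityProviders value (assumption: XP-era box, as in the log).
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein where swapping two
    adjacent characters (spoolsv -> spoolvs) costs a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(filename):
    """System binary this name imitates (one edit away), or None if it is the
    real name or unrelated. Exact matches are never flagged."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for real in sorted(KNOWN_SYSTEM_BINARIES):
        if osa_distance(name, real) <= 1:
            return real
    return None


def suspicious_location(path):
    """Heuristic: executables dropped in the drive root or directly in
    %WINDIR% rather than a product folder or system32."""
    p = path.lower().replace("/", "\\")
    parent = p.rsplit("\\", 1)[0]
    return parent in ("c:", "c:\\windows")


def extra_security_providers(value):
    """DLLs in a SecurityProviders value beyond the XP defaults; these load
    into lsass.exe as security packages, so any extra one needs explaining."""
    dlls = {d.strip().lower() for d in value.split(",") if d.strip()}
    return sorted(dlls - DEFAULT_SECURITY_PROVIDERS)


def triage_startup(entries):
    """entries: {startup name: command line}. Returns (name, path, reasons)."""
    findings = []
    for name, cmd in entries.items():
        # First token is the image path; quoted form handles spaces. Unquoted
        # paths containing spaces (rare, seen with some installers) are cut short.
        m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
        path = (m.group(1) or m.group(2)) if m else cmd
        base = os.path.basename(path.replace("\\", "/"))
        reasons = []
        real = lookalike_of(base)
        if real:
            reasons.append(f"lookalike of {real}")
        if suspicious_location(path):
            reasons.append("runs from drive root or %WINDIR% itself")
        if reasons:
            findings.append((name, path, "; ".join(reasons)))
    return findings


# Constructed sample drawn from the ComboFix entries above, plus two benign ones.
SAMPLE_STARTUP = {
    "Lexmark_X79-55": r"C:\WINDOWS\system32\lsasss.exe",
    "Spoolsv": r"C:\WINDOWS\system32\spoolvs.exe",
    "noskrnl": r"C:\WINDOWS\noskrnl.exe",
    "clkhost": r"C:\WINDOWS\xlaherx.exe",
    "Windows installer": r"C:\winstall.exe",
    "iTunesHelper": r'"C:\Program Files\iTunes\iTunesHelper.exe"',
    "MSMSGS": r'"C:\Program Files\Messenger\msmsgs.exe" /background',
}
SAMPLE_SSP = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

if __name__ == "__main__":
    for name, path, why in triage_startup(SAMPLE_STARTUP):
        print(f"{name:20} {path:45} {why}")
    print("extra SecurityProviders:", extra_security_providers(SAMPLE_SSP))
```

The name check is deliberately strict (one edit) so that genuine components such as msmsgs.exe are not confused with smss.exe; it will miss names like winter.exe or printer.exe from the log, which is the point: this narrows the list, and hash or signature verification against a known-good copy still decides. The SecurityProviders check matters more than it looks, since a DLL named there is loaded by lsass.exe at boot with SYSTEM privileges, which is exactly why Vundo-era kits planted one.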