
virtumonde virus

edited August 2007 in Spyware & Virus Removal
I recently discovered this on my computer and have tried to remove it using the VundoFix. However, it is unable to remove it. My antivirus program is showing that my computer is infected with Adware.Virtumonde.GFT, Adware.Virtumonde.SY, and Adware.Virtumonde.GFQ. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 5:24:14 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {076C3C16-86CD-4009-9454-B9824E47120C} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\ddcaaxv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [FireMole Client]
O4 - HKLM\..\RunServices: [FMC]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?c0d0c52745fb473aabd2b493e4700862
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?c0d0c52745fb473aabd2b493e4700862
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.0.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158003890437
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxoramunrising/sis/mjolauncher.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by118fd.bay118.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddcaaxv - C:\WINDOWS\SYSTEM32\ddcaaxv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Comments

  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    Let's run VundoFix again, but slightly differently than before.
    • Double-click VundoFix.exe to run it.
    • Right-click inside the listbox (white box) and click Add more file?
    • Copy & Paste the 4 entries below into the top 2 boxes

      • C:\WINDOWS\system32\mljjk.dll
      • C:\WINDOWS\system32\kjjlm.*
      • C:\WINDOWS\system32\ddcaaxv.dll
      • C:\WINDOWS\system32\vxaacdd.*

    • Click Add Files and click Close Window
    • Click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
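The two entries NuppiNuppi picks out of the log above share the same tells (a BHO with no name and an unknown Winlogon Notify package, both loaded from system32), and the extra `kjjlm.*` / `vxaacdd.*` patterns are simply the DLL base names spelled backwards, which is where this Vundo variant keeps its .ini/.bak companions. The script below is an added example, not NuppiNuppi's code and not part of VundoFix or HijackThis: it reads O2/O20 lines in HijackThis format, flags DLLs that match both tells, and derives the reversed-name patterns to paste into VundoFix. The sample log is constructed from lines in the thread, and the allowlist of Winlogon Notify packages is an assumption for the example, not an exhaustive list.

```python
"""Triage helper for HijackThis logs: flag Vundo-style O2/O20 entries and
derive the reversed-name companion patterns that VundoFix asks for.
Added example; not part of the thread, VundoFix, or HijackThis."""
import ntpath   # Windows path rules, so this runs unchanged on any OS
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis lines posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {076C3C16-86CD-4009-9454-B9824E47120C} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\ddcaaxv.dll
O20 - Winlogon Notify: ddcaaxv - C:\WINDOWS\SYSTEM32\ddcaaxv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Winlogon notification packages that ship with Windows XP or with common
# vendor software. Assumption for this example: hand-made and not exhaustive.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon",
}


@dataclass
class Finding:
    dll: str                                   # path exactly as logged
    reasons: list = field(default_factory=list)

    @property
    def base(self) -> str:
        """File name without directory or extension, e.g. 'mljjk'."""
        return ntpath.splitext(ntpath.basename(self.dll))[0]

    def vundofix_entries(self) -> list:
        """The DLL plus its reversed-name companions (mljjk.dll -> kjjlm.*),
        which is what the thread's VundoFix 'Add more files' step lists."""
        folder = ntpath.dirname(self.dll)
        return [self.dll, ntpath.join(folder, self.base[::-1] + ".*")]


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def analyse(log_text: str) -> list:
    """Return Findings for DLLs that are BOTH a nameless BHO and an unknown
    Winlogon Notify package, both loaded from system32. Requiring both keeps
    legitimate nameless BHOs (SDHelper.dll in the sample) out of the list."""
    candidates = {}  # lowercase file name -> Finding

    def note(path, reason):
        f = candidates.setdefault(ntpath.basename(path).lower(), Finding(dll=path))
        f.reasons.append(reason)

    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)" and m["path"] != "(no file)" and in_system32(m["path"]):
                note(m["path"], "nameless O2 BHO loaded from system32")
            continue
        m = O20_RE.match(line)
        if m and m["key"].lower() not in KNOWN_NOTIFY and in_system32(m["path"]):
            note(m["path"], f"unknown Winlogon Notify package '{m['key']}'")

    corroborated = [f for f in candidates.values() if len(f.reasons) >= 2]
    return sorted(corroborated, key=lambda f: f.base.lower())


def vundofix_list(log_text: str) -> list:
    """Flat list of paths to paste into VundoFix's 'Add more files' box."""
    out = []
    for f in analyse(log_text):
        out.extend(f.vundofix_entries())
    return out


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.dll, "<-", "; ".join(f.reasons))
    print("\nVundoFix entries:")
    for p in vundofix_list(SAMPLE_LOG):
        print("  ", p)
```

Run against the sample it prints the same four paths NuppiNuppi listed. The point of insisting on both O2 and O20 hits is precision: a nameless BHO on its own is common (Spybot's SDHelper.dll shows that), but a DLL that is also hooked into Winlogon so it loads before any user-mode scanner is the pattern that made these files undeletable in the VundoFix runs.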
  • edited July 2007
    Still didn't work, but here are the updated logs.


    Logfile of HijackThis v1.99.1
    Scan saved at 8:32:00 PM, on 7/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\Documents and Settings\yvonneadmin\Desktop\VundoFix.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {D9515A85-E075-41D2-8D3C-C8CAFE188C83} - C:\WINDOWS\system32\mljjk.dll
    O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\ddcaaxv.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\RunServices: [FireMole Client]
    O4 - HKLM\..\RunServices: [FMC]
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?c0d0c52745fb473aabd2b493e4700862
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?c0d0c52745fb473aabd2b493e4700862
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.0.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158003890437
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxoramunrising/sis/mjolauncher.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
    O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by118fd.bay118.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: ddcaaxv - C:\WINDOWS\SYSTEM32\ddcaaxv.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



    VundoFix V6.5.6
    Checking Java version...
    Java version is 1.5.0.11
    Scan started at 4:57:36 PM 7/20/2007
    Listing files found while scanning....
    C:\WINDOWS\system32\kjjlm.bak1
    C:\WINDOWS\system32\kjjlm.bak2
    C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\kjjlm.ini2
    C:\WINDOWS\system32\kjjlm.tmp
    C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\pkilkglc.dll
    C:\WINDOWS\system32\qdbmbygn.dll
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\kjjlm.bak1
    C:\WINDOWS\system32\kjjlm.bak1 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\kjjlm.bak2
    C:\WINDOWS\system32\kjjlm.bak2 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\kjjlm.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\kjjlm.ini2
    C:\WINDOWS\system32\kjjlm.ini2 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\kjjlm.tmp
    C:\WINDOWS\system32\kjjlm.tmp Has been deleted!
    Attempting to delete C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mljjk.dll Could not be deleted.
    Performing Repairs to the registry.
    Done!
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\kjjlm.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\kjjlm.ini2
    C:\WINDOWS\system32\kjjlm.ini2 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mljjk.dll Could not be deleted.
    Performing Repairs to the registry.
    Done!
    VundoFix V6.5.6
    Checking Java version...
    Java version is 1.5.0.11
    Scan started at 5:06:16 PM 7/20/2007
    Listing files found while scanning....
    C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\kjjlm.tmp
    C:\WINDOWS\system32\mljjk.dll
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\kjjlm.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\kjjlm.tmp
    C:\WINDOWS\system32\kjjlm.tmp Has been deleted!
    Attempting to delete C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mljjk.dll Could not be deleted.
    Performing Repairs to the registry.
    Done!
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\kjjlm.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mljjk.dll Could not be deleted.
    Performing Repairs to the registry.
    Done!
    VundoFix V6.5.6
    Checking Java version...
    Java version is 1.5.0.11
    Scan started at 5:25:20 PM 7/20/2007
    Listing files found while scanning....
    C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\mljjk.dll
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\kjjlm.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mljjk.dll Could not be deleted.
    Performing Repairs to the registry.
    Done!
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\ddcaaxv.dll
    C:\WINDOWS\system32\ddcaaxv.dll Could not be deleted.
    Attempting to delete C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\kjjlm.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mljjk.dll Could not be deleted.
    Attempting to delete C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mljjk.dll Could not be deleted.
    Performing Repairs to the registry.
    Done!
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\ddcaaxv.dll
    C:\WINDOWS\system32\ddcaaxv.dll Could not be deleted.
    Attempting to delete C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mljjk.dll Could not be deleted.
    Performing Repairs to the registry.
    Done!
    VundoFix V6.5.6
    Checking Java version...
    Java version is 1.5.0.11
    Scan started at 8:32:52 PM 7/23/2007
    Listing files found while scanning....
    C:\WINDOWS\system32\kjjlm.bak1
    C:\WINDOWS\system32\kjjlm.bak2
    C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\mljjk.dll
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\kjjlm.bak1
    C:\WINDOWS\system32\kjjlm.bak1 Has been deleted!
  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    Hi,

    I ask a favor,

    Please submit those files to Atri, the developer of VundoFix. He will update VundoFix :D

    • C:\WINDOWS\system32\mljjk.dll
    • C:\WINDOWS\system32\ddcaaxv.dll

    HERE

    Fill required

    After that we remove it in a different way :D


    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • edited July 2007
    "yvonneadmin" - 2007-07-24 10:59:16 [GMT -5:00] - ComboFix 07-07-24 - Service Pack 2 NTFS

    Unable to gain System Privileges
    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\mljjk.dll

    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    C:\WINDOWS\system32\mljjk.dll
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\Program Files\screensavers.com
    C:\Program Files\screensavers.com\SSSInst\bin\SSSUninst.exe
    C:\WINDOWS\system32\b02FdUe

    ((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))

    2007-07-24 10:58 51,200 --a C:\WINDOWS\nircmd.exe
    2007-07-23 10:00 <DIR> d C:\Program Files\iTunes
    2007-07-23 09:34 <DIR> d C:\Program Files\QuickTime
    2007-07-23 09:20 <DIR> d C:\Program Files\Common Files\Apple
    2007-07-23 09:20 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-07-22 20:28 <DIR> d C:\DOCUME~1\YVONNE~1\.housecall6.6
    2007-07-20 16:57 <DIR> d C:\VundoFix Backups
    2007-07-20 13:58 <DIR> d C:\DOCUME~1\YVONNE~1\DoctorWeb
    2007-07-19 22:47 <DIR> d C:\Program Files\Enigma Software Group
    2007-07-19 22:35 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
    2007-07-19 17:30 4,980,736 --a C:\DOCUME~1\GARYUS~1\ntuser.dat
    2007-07-19 17:30 1,118,208 --a C:\DOCUME~1\LOCALS~1\ntuser.dat
    2007-07-18 22:53 <DIR> d C:\WINDOWS\BDOSCAN8
    2007-07-18 17:14 <DIR> d C:\DOCUME~1\GARYUS~1\APPLIC~1\Bitdefender
    2007-07-18 16:07 <DIR> d C:\DOCUME~1\YVONNE~1\APPLIC~1\Bitdefender
    2007-07-18 15:42 81,984 --a C:\WINDOWS\system32\bdod.bin
    2007-07-18 15:34 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
    2007-07-18 15:27 23,453,792 --a C:\bitdefender_av_v10.exe
    2007-07-16 22:38 266,336 C:\WINDOWS\system32\mljjk.dll
    2007-07-16 22:32 31,254 C:\WINDOWS\system32\ddcaaxv.dll
    2007-07-16 22:32 <DIR> d C:\Temp\brr
    2007-07-07 21:12 40,960 --a C:\WINDOWS\system32\SSubTmr6.dll
    2007-07-07 21:12 118,784 --a C:\WINDOWS\system32\vbalNCSM6.dll
    2007-07-07 21:02 286,720 --a C:\WINDOWS\iun506.exe
    2007-07-07 21:01 <DIR> d C:\Program Files\Ultimate Pinball

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2007-07-23 15:01:17 d-----w C:\Program Files\iPod
    2007-07-20 20:21:47 d-----w C:\Program Files\RAdmin
    2007-07-08 02:11:30 d-----w C:\Program Files\eGames
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-04 23:14:13 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2001-08-23 15:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
    2004-08-04 05:56:48 50,688 --sh--w C:\WINDOWS\twain_32.dll
    2004-08-04 05:56:44 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
    2004-08-04 05:56:44 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
    2004-08-04 05:56:44 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
    2004-08-04 05:56:44 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
    2004-08-04 05:56:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FADE832-4658-4560-B89D-EB7312511FB6}]
    2007-07-16 22:38 266336
    C:\WINDOWS\system32\mljjk.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DCD53738-C4F9-414A-A03C-C7405A4AC844}]
    2007-07-16 22:32 31254
    C:\WINDOWS\system32\ddcaaxv.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9E224F8-1AC4-4D0D-93E6-BF86B7167F96}]
    2007-07-16 22:38 266336
    C:\WINDOWS\system32\mljjk.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-07-19 10:02]
    "BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "FireMole Client"=
    "FMC"=
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-02-16 20:26:32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{DCD53738-C4F9-414A-A03C-C7405A4AC844}"= C:\WINDOWS\system32\ddcaaxv.dll [2007-07-16 22:32 31254]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaaxv]
    ddcaaxv.dll 2007-07-16 22:32 31254 C:\WINDOWS\system32\ddcaaxv.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjk]
    C:\WINDOWS\system32\mljjk.dll 2007-07-16 22:38 266336 C:\WINDOWS\system32\mljjk.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=sockspy.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp psc 700 series) - 1.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp psc 700 series) - 1.lnk
    backup=C:\WINDOWS\pss\HPAiODevice(hp psc 700 series) - 1.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    ALCXMNTR.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
    C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]
    C:\Program Files\Cingular\Communication Manager\CingularCCM.exe -a
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FireMole-client]
    C:\WINDOWS\FMC.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
    LTMSG.exe 7
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
    C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    C:\Program Files\Microsoft Works\wkfud.exe
    R1 bdpredir;bdpredir;\??\C:\Program Files\Softwin\BitDefender10\bdpredir.sys
    R3 dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
    R3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    R3 Dot4Scan;Scan Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
    R3 dot4usb;Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys
    R3 ltmodem5;Agere Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
    R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
    S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
    S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    S3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
    S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys
    S3 usbser;Motorola USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
    S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys

    Contents of the 'Scheduled Tasks' folder
    2007-07-23 14:02:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-07-24 17:06:19 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
    2007-07-20 03:35:25 C:\WINDOWS\tasks\Pareto UNS.job
    **************************************************************************
    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-24 12:07:03
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden registry entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Completion time: 2007-07-24 12:09:17 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-24 12:08
    --- E O F ---


    Logfile of HijackThis v1.99.1
    Scan saved at 12:11:30 PM, on 7/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\cmd.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    First :
    Please download NTrights.zip by freeatlast.
    If you can't access it, download NTrights.zip from here: http://www10.brinkster.com/expl0iter/freeatlast/dumprights.htm
    Save it on your desktop.
    Unzip/extract it.
    Read here how to unzip/extract properly:
    http://metallica.geekstogo.com/xpcompressedexplanation.html
    Open the NTrights-folder
    Double click on the Debug.bat file to run it, follow any prompts it asks.

    REBOOT

    Double click the Debug.bat again after the reboot.

    It will create a log.
    If the log says:
    "Granting SeDebugPrivilege to Administrators ... successful", you must be OK and things were restored well.

    Then do next:

    Please, download Process Explorer http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

    Unzip Process Explorer and double click on procexp.exe

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen, click on each instance of mljjk.dll once and then click the Kill button. Do the same for ddcaaxv.dll.

    After you have killed all of the mljjk.dll and ddcaaxv.dll instances under winlogon, click OK.

    Also look for any .ini or .bak files or other DLLs with either the same name or the file name in reverse, and kill them as well.

    Example:

    mljjk.dll
    mljjk.ini
    kjjlm.dll
    kjjlm.ini
    kjjlm.reg etc

    or

    ddcaaxv.dll
    ddcaaxv.ini
    vxaacdd.dll
    vxaacdd.bak
    vxaacdd.ini

    etc

    Next, double click on explorer.exe and again click once on each instance of mljjk.dll and ddcaaxv.dll, then click the Kill button.

    Also look for any .ini or .bak files or reverse-named DLLs with either the same name or the file name in reverse, and kill them as well. See above for examples.

    Click on the Threads tab at the top.

    Once you have done that, click OK again and Close the program.

    Then
    Open Notepad and copy and paste the text from the quote box:
    file::
    C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\ddcaaxv.dll

    Save it with the name CFScript

    Then drag and drop CFScript onto ComboFix.exe as shown below.

    CFScript.gif

    Reboot your computer and send the contents of the combofix.txt file in your response.

    Send a fresh hijackthis log too :D
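    The post above tells the user to hunt for the Winlogon Notify DLL, its reverse-named twin and their .ini/.bak/.reg companions by eye. The script below is an added example (not the helper's tool and not part of the original thread) that does that triage from a HijackThis log: it parses O20 Winlogon Notify and O2 BHO lines, flags entries that look like Vundo (a bare DLL name with no path, or a "(file missing)" remnant, or a BHO with "(no file)") and reports which candidate file names exist. The sample log lines are constructed from the thread's own entries, the KNOWN_NOTIFY allow-list is an assumption for this example, and the system32 path is a parameter so the parser can be exercised anywhere.

```python
"""
Vundo/Virtumonde triage for HijackThis logs: added example, not the forum's tool.
Only reports candidates; it deletes nothing.
"""
import re
from pathlib import Path

# Constructed sample in the shape of the O20/O2 lines quoted in the thread.
SAMPLE_LOG = """\
O20 - Winlogon Notify: ddcaaxv - ddcaaxv.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
"""

# Assumed allow-list of Winlogon Notify keys that XP and common vendors register;
# build yours from a known-good baseline rather than trusting this set blindly.
KNOWN_NOTIFY = {"igfxcui", "wgalogon", "crypt32chain", "cryptnet", "cscdll",
                "scardsvr", "schedule", "sclgntfy", "seclogon", "sensor",
                "termsrv", "wlballoon"}

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.+?)(?P<missing> \(file missing\))?$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$")

COMPANION_EXTS = (".dll", ".ini", ".bak", ".reg")


def companion_names(stem):
    """The names the post says to look for: the stem, its reverse, and companions."""
    return [s + ext for s in (stem, stem[::-1]) for ext in COMPANION_EXTS]


def parse_hjt(text):
    """Return (suspect Winlogon Notify keys, orphaned BHO CLSIDs) from HJT log text."""
    suspects, orphans = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            key, target = m.group("key"), m.group("target")
            # Vundo registers the bare DLL name (no path); after cleanup HJT shows "(file missing)".
            bare = "\\" not in target and "/" not in target
            if key.lower() not in KNOWN_NOTIFY and (bare or m.group("missing")):
                suspects.append(key)
            continue
        m = O2_RE.match(line)
        if m and m.group("target").strip() == "(no file)":
            orphans.append(m.group("clsid").upper())
    return suspects, orphans


def check_candidates(stems, system32=r"C:\Windows\System32"):
    """Map every candidate file name derived from the stems to whether it exists."""
    base = Path(system32)
    return {name: (base / name).exists()
            for stem in stems for name in companion_names(stem)}


if __name__ == "__main__":
    found, orphaned = parse_hjt(SAMPLE_LOG)
    print("suspect Winlogon Notify keys:", found)
    print("orphaned BHO CLSIDs:", orphaned)
    for name, present in check_candidates(found).items():
        print(f"  {'PRESENT' if present else 'absent '}  {name}")
```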
  • edited July 2007
    "yvonneadmin" - 2007-07-24 13:16:05 [GMT -5:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
    Command switches used :: C:\Documents and Settings\yvonneadmin\Desktop\CFScript.txt

    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\system32\mljjk.dll

    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\system32\ddcaaxv.dll
    C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mljjk.dll

    ((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))

    2007-07-24 10:58 51,200 --a
    C:\WINDOWS\nircmd.exe
    2007-07-23 10:00 <DIR> d
    C:\Program Files\iTunes
    2007-07-23 09:34 <DIR> d
    C:\Program Files\QuickTime
    2007-07-23 09:20 <DIR> d
    C:\Program Files\Common Files\Apple
    2007-07-23 09:20 <DIR> d
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-07-22 20:28 <DIR> d
    C:\DOCUME~1\YVONNE~1\.housecall6.6
    2007-07-20 16:57 <DIR> d
    C:\VundoFix Backups
    2007-07-20 13:58 <DIR> d
    C:\DOCUME~1\YVONNE~1\DoctorWeb
    2007-07-19 22:47 <DIR> d
    C:\Program Files\Enigma Software Group
    2007-07-19 22:35 <DIR> d
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
    2007-07-19 17:30 4,980,736 --a
    C:\DOCUME~1\GARYUS~1\ntuser.dat
    2007-07-19 17:30 1,118,208 --a
    C:\DOCUME~1\LOCALS~1\ntuser.dat
    2007-07-18 22:53 <DIR> d
    C:\WINDOWS\BDOSCAN8
    2007-07-18 17:14 <DIR> d
    C:\DOCUME~1\GARYUS~1\APPLIC~1\Bitdefender
    2007-07-18 16:07 <DIR> d
    C:\DOCUME~1\YVONNE~1\APPLIC~1\Bitdefender
    2007-07-18 15:42 81,984 --a
    C:\WINDOWS\system32\bdod.bin
    2007-07-18 15:34 <DIR> d
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
    2007-07-18 15:27 23,453,792 --a
    C:\bitdefender_av_v10.exe
    2007-07-16 22:32 <DIR> d
    C:\Temp\brr
    2007-07-07 21:12 40,960 --a
    C:\WINDOWS\system32\SSubTmr6.dll
    2007-07-07 21:12 118,784 --a
    C:\WINDOWS\system32\vbalNCSM6.dll
    2007-07-07 21:02 286,720 --a
    C:\WINDOWS\iun506.exe
    2007-07-07 21:01 <DIR> d
    C:\Program Files\Ultimate Pinball

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2007-07-23 15:01:17
    d
    w C:\Program Files\iPod
    2007-07-20 20:21:47
    d
    w C:\Program Files\RAdmin
    2007-07-08 02:11:30
    d
    w C:\Program Files\eGames
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-04 23:14:13 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2001-08-23 15:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
    2004-08-04 05:56:48 50,688 --sh--w C:\WINDOWS\twain_32.dll
    2004-08-04 05:56:44 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
    2004-08-04 05:56:44 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
    2004-08-04 05:56:44 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
    2004-08-04 05:56:44 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
    2004-08-04 05:56:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-07-19 10:02]
    "BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "FireMole Client"=
    "FMC"=
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-02-16 20:26:32]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaaxv]
    ddcaaxv.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=sockspy.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp psc 700 series) - 1.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp psc 700 series) - 1.lnk
    backup=C:\WINDOWS\pss\HPAiODevice(hp psc 700 series) - 1.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    ALCXMNTR.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
    C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]
    C:\Program Files\Cingular\Communication Manager\CingularCCM.exe -a
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FireMole-client]
    C:\WINDOWS\FMC.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
    LTMSG.exe 7
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
    C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    C:\Program Files\Microsoft Works\wkfud.exe
    R1 bdpredir;bdpredir;\??\C:\Program Files\Softwin\BitDefender10\bdpredir.sys
    R3 dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
    R3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    R3 Dot4Scan;Scan Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
    R3 dot4usb;Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys
    R3 ltmodem5;Agere Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
    R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
    S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
    S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    S3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
    S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys
    S3 usbser;Motorola USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
    S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys

    Contents of the 'Scheduled Tasks' folder
    2007-07-23 14:02:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-07-24 18:06:03 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
    2007-07-20 03:35:25 C:\WINDOWS\tasks\Pareto UNS.job
    **************************************************************************
    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-24 13:25:16
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden registry entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Completion time: 2007-07-24 13:27:04 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-24 13:26
    C:\ComboFix2.txt ... 2007-07-24 12:09
    --- E O F ---


    Logfile of HijackThis v1.99.1
    Scan saved at 1:29:49 PM, on 7/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\RunServices: [FireMole Client]
    O4 - HKLM\..\RunServices: [FMC]
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?c0d0c52745fb473aabd2b493e4700862
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?c0d0c52745fb473aabd2b493e4700862
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.0.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158003890437
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxoramunrising/sis/mjolauncher.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
    O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by118fd.bay118.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: ddcaaxv - ddcaaxv.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    Bravo, excellent work :D

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.


    Scan with HijackThis and check:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O20 - Winlogon Notify: ddcaaxv - ddcaaxv.dll (file missing)

    Close other programs and click fix checked.

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
        scanavgjk2.jpg
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware report.
  • NuppiNuppi South Ostrobothnia (Finland)
    edited August 2007
    Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

    Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, please start a new topic in the [url="http://icrontic.com/forum/forumdisplay.php?f=57"]Spyware & Virus Removal Forum[/url]

    If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
    If you are not the user who started this thread, you must start a new Thread instead :)