-
March 25th, 2008, 08:18 PM
#1
Troj vundo.atm is killing my laptop
Hi all
I'm new here and I've a problem
troj vundo.atm is found on my PC
PC-cillin and avira detected it but were unable to remove or quarantine it.
It infected file named mllmjm.dll
I wasn't able to delete the file even in the safe mode because it is 'in use'
Please help me, my laptop is dying
thanks in advance
-
March 25th, 2008, 11:06 PM
#2
Print these instructions out.
1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until a menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.
* Open SUPERAntiSpyware.
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
RESTART COMPUTER!
2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebyt...are_d5756.html to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
3. Download HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.
-
March 26th, 2008, 06:02 AM
#3
I have a problem when trying to install SUPERAntiSpyware
a message appears:
the system administrator has set policies to prevent this installation
:'( what can I do?
-
March 26th, 2008, 01:20 PM
#4
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/26/2008 at 01:21 PM
Application Version : 4.0.1154
Core Rules Database Version : 3425
Trace Rules Database Version: 1417
Scan type : Complete Scan
Total Scan Time : 00:45:17
Memory items scanned : 480
Memory threats detected : 2
Registry items scanned : 6662
Registry threats detected : 27
File items scanned : 24651
File threats detected : 263
Trojan.Unclassified/AffiliateBundle
C:\WINDOWS\SYSTEM32\NNNKHHG.DLL
C:\WINDOWS\SYSTEM32\NNNKHHG.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11241072-58BB-40CE-9171-0B2BDFB22E97}
HKCR\CLSID\{11241072-58BB-40CE-9171-0B2BDFB22E97}
HKCR\CLSID\{11241072-58BB-40CE-9171-0B2BDFB22E97}\InprocServer32
HKCR\CLSID\{11241072-58BB-40CE-9171-0B2BDFB22E97}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{11241072-58BB-40CE-9171-0B2BDFB22E97}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\nnnkhhg
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035652.DLL
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\MLLMJ.DLL
C:\WINDOWS\SYSTEM32\MLLMJ.DLL
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{7EDB8108-0681-49BB-A0C3-93A10AB57656}
HKCR\CLSID\{7EDB8108-0681-49BB-A0C3-93A10AB57656}
HKCR\CLSID\{7EDB8108-0681-49BB-A0C3-93A10AB57656}\InprocServer32
HKCR\CLSID\{7EDB8108-0681-49BB-A0C3-93A10AB57656}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EDB8108-0681-49BB-A0C3-93A10AB57656}
Adware.MyWebSearch
HKU\S-1-5-21-1659004503-776561741-839522115-1005\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
Trojan.Unclassified-Packed/Suspicious
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}
HKCR\CLSID\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}
HKCR\CLSID\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}
HKCR\CLSID\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}#AppID
HKCR\CLSID\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\InprocServer32
HKCR\CLSID\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\InprocServer32#ThreadingModel
HKCR\CLSID\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\ProgID
HKCR\CLSID\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\TypeLib
HKCR\CLSID\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\VersionIndependentProgID
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBINST.DLL
Adware.Tracking Cookie
Malware.MalwareAlarm
HKCR\MalwareAlarm.WebInstall
HKCR\MalwareAlarm.WebInstall\CLSID
HKCR\MalwareAlarm.WebInstall\CurVer
HKCR\MalwareAlarm.WebInstall.1
HKCR\MalwareAlarm.WebInstall.1\CLSID
C:\Program Files\MalwareAlarm\MalwareAlarm.lic
C:\Program Files\MalwareAlarm\Uninstall.exe
C:\Program Files\MalwareAlarm
Malware.LocusSoftware Inc/ConfidentSurf
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Salestart [ "C:\Program Files\Common Files\System Doctor\dcmon.exe" ]
Trojan.Smitfraud Variant
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\SYSTEMDOCTOR2006FREEINSTALL.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\M278BO9H\SYSTEMDOCTOR2006FREEINSTALL[1].EXE
Trojan.Unclassified/Rogue-Installer
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2QKDF12Y\_BM1FCMLKDM1FBM9IBV9TYV9RDZFFBWE1CW_C29MDA_BM1FNJGXMTNFNJJIMTE1YTHMN2Y4MTFKYZLINJHMNJGXMTNJZWZMZMZFN2VINDQ0MJNJMZVINDNHY2EZZJQ5YTFJNDRKZTGYZTG_[1].EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2QKDF12Y\_BM1FCMLKDM1FBM9IBV9TYV9RDZFFBWE1CW_C29MDA_BM1FNJGXMTNFNJJIMTE1YTHMN2Y4MTFKYZLINJHMNJGXMTNJZWZMZMZFN2VINDQ0MJNJMZVINDNHY2EZZJQ5YTFJNDRKZTGYZTG_[2].EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2QKDF12Y\_BM1FCMLKDM1FBM9IBV9TYV9RDZFFBWE1CW_C29MDA_BM1FNJGXMTNFNJJIMTE1YTHMN2Y4MTFKYZLINJHMNJGXMTNJZWZMZMZFN2VINDQ0MJNJMZVINDNHY2EZZJQ5YTFJNDRKZTGYZTG_[3].EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2QKDF12Y\_BM1FCMLKDM1FBM9IBV9TYV9RDZFFBWE1CW_CMVNAXN0ZXI_BM1FNJGXMTNFNJJIMTE1YTHMN2Y4MTFKYZLINJHMNJGXMTNJZWZMZMZFN2VINDQ0MJNJMZVINDNHY2EZZJQ5YTFJNDRKZTGYZTG_[1].EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\M278BO9H\_BM1FCMLKDM1FBM9IBV9TYV9RDZFFBWE1CW_C29MDA_BM1FNJGXMTNFNJJIMTE1YTHMN2Y4MTFKYZLINJHMNJGXMTNJZWZMZMZFN2VINDQ0MJNJMZVINDNHY2EZZJQ5YTFJNDRKZTGYZTG_[1].EXE
Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E72E410A-050C-48D9-909B-85E784D9921C}\RP160\A0033309.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E72E410A-050C-48D9-909B-85E784D9921C}\RP160\A0033314.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E72E410A-050C-48D9-909B-85E784D9921C}\RP164\A0033404.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E72E410A-050C-48D9-909B-85E784D9921C}\RP164\A0033415.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035616.DLL
Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E72E410A-050C-48D9-909B-85E784D9921C}\RP164\A0033414.DLL
Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\JMLLM.INI
C:\WINDOWS\SYSTEM32\JMLLM.INI2
Trojan.XpUpdate/Fake Alert
C:\WINDOWS\XPUPDATE.EXE
Browser Hijacker.Favorites
D:\OLD\FAVORITES\ONLINE SECURITY TEST.URL
E:\ALL D DRIVE\FAVORITES\ONLINE SECURITY TEST.URL
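As an added example (not part of the thread), here is a small Python triage script for the SUPERAntiSpyware log format above: it groups detections by the scanner's own category lines, separates files from registry entries, System Restore copies and cookies, and flags the registry locations (Winlogon Notify, Browser Helper Objects, ShellExecuteHooks) that load a DLL into running processes, which is why the DLL in post #1 was reported "in use" even in Safe Mode. The marker list, the bucket names and the "in use" inference are this example's own assumptions; the sample input is an excerpt of the log posted above.

```python
import re
from collections import defaultdict

# Detected objects are file paths or registry paths (some HKLM keys appear without the hive prefix).
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CR|CU|U|EY_\w+)\\|Software\\)", re.IGNORECASE)

# Registry locations that keep a component loaded. The flag marks entries that map a
# DLL into long-lived processes (Explorer/IE, winlogon.exe), so the file stays "in use";
# winlogon.exe also runs in Safe Mode, which matches the symptom described in post #1.
PERSISTENCE_MARKERS = (
    ("\\winlogon\\notify\\", "Winlogon Notify DLL (winlogon.exe, also in Safe Mode)", True),
    ("\\explorer\\browser helper objects\\", "Browser Helper Object (Internet Explorer)", True),
    ("\\explorer\\shellexecutehooks", "ShellExecuteHook (Explorer)", True),
    ("\\urlsearchhooks", "URLSearchHook (Internet Explorer)", True),
    ("\\currentversion\\run#", "Run key autostart (own process)", False),
)

def parse_log(text):
    """Return (category, item) pairs. A category is a non-item line directly followed by
    an item line, so the summary header is skipped; duplicate items per category are dropped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pairs, seen, category = [], set(), None
    for i, line in enumerate(lines):
        if ITEM_RE.match(line):
            if category is not None and (category, line) not in seen:
                seen.add((category, line))
                pairs.append((category, line))
        elif i + 1 < len(lines) and ITEM_RE.match(lines[i + 1]):
            category = line
    return pairs

def persistence_marker(item):
    low = item.lower()
    return next((m for m in PERSISTENCE_MARKERS if m[0] in low), None)

def classify(item):
    low = item.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point_copy"  # System Restore snapshot: comes back if a restore is run
    if "\\cookies\\" in low:
        return "cookie"
    if persistence_marker(item):
        return "persistence"
    if low.startswith(("hk", "software\\")):
        return "registry_other"  # CLSID / InprocServer32 etc.: COM registration only
    return "file"

def triage(text):
    """Counts per bucket, per-category detail, and the entries that survive a Safe Mode boot."""
    counts, categories, survives_safe_mode = defaultdict(int), {}, []
    for category, item in parse_log(text):
        kind = classify(item)
        counts[kind] += 1
        cat = categories.setdefault(category, {"files": [], "persistence": [], "restore_point_copies": 0})
        if kind == "file":
            cat["files"].append(item)
        elif kind == "persistence":
            marker, desc, in_process = persistence_marker(item)
            cat["persistence"].append((desc, item, in_process))
            if marker == "\\winlogon\\notify\\":
                survives_safe_mode.append(item)
        elif kind == "restore_point_copy":
            cat["restore_point_copies"] += 1
    return {"counts": dict(counts), "categories": categories, "survives_safe_mode": survives_safe_mode}

def in_use_dlls(text):
    """DLLs in the same scanner category as an in-process persistence entry: a plain delete fails with 'in use'."""
    dlls = []
    for cat in triage(text)["categories"].values():
        if any(in_proc for _, _, in_proc in cat["persistence"]):
            dlls.extend(f for f in cat["files"] if f.lower().endswith(".dll"))
    return dlls

# Excerpt of the scan log posted above (post #4), trimmed to a few categories.
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
Trojan.Unclassified/AffiliateBundle
C:\WINDOWS\SYSTEM32\NNNKHHG.DLL
C:\WINDOWS\SYSTEM32\NNNKHHG.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11241072-58BB-40CE-9171-0B2BDFB22E97}
HKCR\CLSID\{11241072-58BB-40CE-9171-0B2BDFB22E97}
HKCR\CLSID\{11241072-58BB-40CE-9171-0B2BDFB22E97}\InprocServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{11241072-58BB-40CE-9171-0B2BDFB22E97}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\nnnkhhg
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035652.DLL
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\MLLMJ.DLL
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{7EDB8108-0681-49BB-A0C3-93A10AB57656}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7EDB8108-0681-49BB-A0C3-93A10AB57656}
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
Malware.LocusSoftware Inc/ConfidentSurf
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Salestart [ "C:\Program Files\Common Files\System Doctor\dcmon.exe" ]
Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\JMLLM.INI
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["counts"], in_use_dlls(SAMPLE_LOG))
```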
-
March 26th, 2008, 01:22 PM
#5
Trace.Known Threat Sources
-
March 26th, 2008, 04:29 PM
#6
Malwarebytes' Anti-Malware 1.09
Database version: 549
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 242582
Time elapsed: 3 hour(s), 1 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 36
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\program files\internet explorer\msimg32.dll (Adware.MyWebSearch) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{7543fbd5-2279-4d03-8f29-eb21531fa2fe} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{4a3d609a-43b8-4406-b793-84f244246325} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\webinst.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
c:\program files\internet explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035618.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035619.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035620.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035621.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035622.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035623.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035624.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035625.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035626.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035627.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035628.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035629.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035630.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035631.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035632.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035633.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035634.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035635.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035636.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035637.DLL (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035638.EXE (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035639.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035640.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035641.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035642.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035643.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035644.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035645.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035646.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035647.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035648.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035649.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035650.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E72E410A-050C-48D9-909B-85E784D9921C}\RP171\A0035651.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.
-
March 26th, 2008, 05:03 PM
#7
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:50 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\Resources\Themes\Vista_Anthracite\VistaStart\VistaStart1.3.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\prnsys.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: {834f434d-d70f-f8b9-f454-09af61c9a3fd} - {df3a9c16-fa90-454f-9b8f-f07dd434f438} - C:\WINDOWS\system32\nhjhrskq.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [VistaStart1.3] C:\WINDOWS\Resources\Themes\Vista_Anthracite\VistaStart\VistaStart1.3.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [200d7ad3] rundll32.exe "C:\WINDOWS\system32\etilsxdf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm493YYEG
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?a5bbb84a54b84924af4d45b2b9240154
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?a5bbb84a54b84924af4d45b2b9240154
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ******* SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: ******* SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {B0067CA5-2C37-4C6B-AAEC-5E2CE8635061} (FontDown Class) - http://www.qurancomplex.com/Downloads/FontSmooth.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D15A8A7-84B7-40B6-BD8E-1EAA98D8F4C3}: NameServer = 213.131.65.20,213.131.66.246
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3B8F1F0-A356-4DCB-A952-4CEA13383759}: NameServer = 213.131.65.20,213.131.66.246
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 60F58338 - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 11803 bytes
-
March 26th, 2008, 05:21 PM
#8
I still have a message that appears when I start up my Windows.
Last edited by Janna911; March 26th, 2008 at 05:42 PM.
-
March 26th, 2008, 06:38 PM
#9
Don't worry about any errors. We're in the middle of your computer cleaning.
-
March 26th, 2008, 06:51 PM
#10
*** You need to update your Java:
http://java.sun.com/javase/downloads/index.jsp
#4 - Java Runtime Environment (JRE) 6 Update 5
Uninstall all previous versions of Java through Add\Remove.
1. Print this post out, since you won't have access to it at some point.
2. Close all windows, except for HijackThis.
3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):
- O2 - BHO: {834f434d-d70f-f8b9-f454-09af61c9a3fd} - {df3a9c16-fa90-454f-9b8f-f07dd434f438} - C:\WINDOWS\system32\nhjhrskq.dll (file missing)
- *O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
- *O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
- *O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
- *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
- *O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
- *O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
- O4 - HKLM\..\Run: [200d7ad3] rundll32.exe "C:\WINDOWS\system32\etilsxdf.dll",b
- *O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
- *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
- O4 - Global Startup: Bluetooth.lnk = ?
- *O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
- *O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
- O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm493YYEG
- O23 - Service: 60F58338 - - (no file)
4. Click on "Fix checked" button.
5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)
6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".
7. Delete the following files/folders (if present):
- etilsxdf.dll, nhjhrskq.dll files from C:\WINDOWS\system32
8. Restart in Normal Mode.
9. Post new HijackThis log.
-
March 27th, 2008, 10:20 AM
#11
done
Java Runtime Environment 6 Update 5 is now installed on my device
all other versions were removed
-
March 27th, 2008, 10:22 AM
#12
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:05 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\Resources\Themes\Vista_Anthracite\VistaStart\VistaStart1.3.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [VistaStart1.3] C:\WINDOWS\Resources\Themes\Vista_Anthracite\VistaStart\VistaStart1.3.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1659004503-776561741-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mamdouh')
O4 - HKUS\S-1-5-21-1659004503-776561741-839522115-1004\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'Mamdouh')
O4 - HKUS\S-1-5-21-1659004503-776561741-839522115-1004\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Mamdouh')
O4 - HKUS\S-1-5-21-1659004503-776561741-839522115-1004\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe (User 'Mamdouh')
O4 - HKUS\S-1-5-21-1659004503-776561741-839522115-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Mamdouh')
O4 - HKUS\S-1-5-21-1659004503-776561741-839522115-1004\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" (User 'Mamdouh')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-1659004503-776561741-839522115-1004 Startup: PowerReg Scheduler.exe (User 'Mamdouh')
O4 - S-1-5-21-1659004503-776561741-839522115-1004 Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Mamdouh')
O4 - S-1-5-21-1659004503-776561741-839522115-1004 User Startup: PowerReg Scheduler.exe (User 'Mamdouh')
O4 - S-1-5-21-1659004503-776561741-839522115-1004 User Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Mamdouh')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?a5bbb84a54b84924af4d45b2b9240154
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?a5bbb84a54b84924af4d45b2b9240154
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ******* SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: ******* SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {B0067CA5-2C37-4C6B-AAEC-5E2CE8635061} (FontDown Class) - http://www.qurancomplex.com/Downloads/FontSmooth.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D15A8A7-84B7-40B6-BD8E-1EAA98D8F4C3}: NameServer = 213.131.65.20,213.131.66.246
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3B8F1F0-A356-4DCB-A952-4CEA13383759}: NameServer = 213.131.65.20,213.131.66.246
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 11771 bytes
-
March 27th, 2008, 10:25 AM
#13
N.B. I didn't checkmark the following because they were not found.
The following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):
- O2 - BHO: {834f434d-d70f-f8b9-f454-09af61c9a3fd} - {df3a9c16-fa90-454f-9b8f-f07dd434f438} - C:\WINDOWS\system32\nhjhrskq.dll (file missing)
- *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
- *O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
- *O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
-
March 27th, 2008, 11:07 PM
#14
Very well 
HJT log is clean.
1. Turn off System Restore:
- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
2. Restart computer.
3. Turn System Restore on. Create new Restore Point.
4. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner
6. Download, and install free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malware.
It won't interfere with your antivirus, nor firewall.
7. Let me know, how your computer is doing.
-
March 28th, 2008, 04:37 PM
#15
I don't know how to thank you for your fabulous help,
but I'll never forget it.
I did all the six steps and here I'm doing the seventh.
My computer is doing quite well, except for some errors which I don't know whether they are related to the infection or not. For example, I have a double task bar:
when I open a window I have two tabs for it in the task bar.
Also I have an error message (Bluetooth device not found).
Thanks again for saving my computer,
and thanks for your time.