pesky Win32.small.azl Trojan


Post by firebrand » November 30th, 2007, 3:31 am

Hello,

Since my usual limited bag of tricks hasn't killed off this Trojan, I could use a more knowledgeable set of eyes to guide me. Spybot always finds it, but it loads on the reboot I guess. AVG misses it or has it in the vault, which I cleaned out thinking it was escaping somehow. Ad-Aware is not loading/starting up now with today's update; I wonder if it could be related. Previously, Ad-Aware was running but getting hung up in an unnamed (conditional?) folder about 8 minutes into the scan (almost completed with it) and then not responsive.

It would seem WinAble needs to go from the Hijack This scan, but beyond that I don't know. Win32.small.azl and Virtumonde are the 2 nasties I see on Spybot, and Virtumonde is not always there, but Win32 is. So we know one and a half perps, wondering who else is out there I don't recognize.

Hope I have given you enough info here to work with, my apologies if not. My first time using a site like this.

Thank you,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:56 AM, on 11/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\system32\BrmfRsmg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Scansoft\PaperPort\PPLinks.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijack This\HiJackThis.exe

O2 - BHO: (no name) - {09985909-06B9-4005-A4CF-1C9C6E1690AA} - C:\Program Files\PLUS!\meposybi4444.dll
O2 - BHO: 0 - {0CFCC577-EA60-4A9C-8980-BB486556BA61} - C:\Program Files\Common Files\quba.dll (file missing)
O2 - BHO: (no name) - {49D35D4F-4738-41FE-A616-77D4947520AA} - C:\WINNT\system32\jkkkl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINNT\system32\yayywvu.dll (file missing)
O2 - BHO: (no name) - {8652D896-3C1F-4182-9400-B172A853AE58} - C:\Program Files\PLUS!\meposybi83122.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {e1cc1e50-61cd-4a83-9efe-21484afae00d} - C:\WINNT\system32\ktcsuwj.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [431010bd] rundll32.exe "C:\WINNT\system32\nwgbbdjq.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O20 - Winlogon Notify: yayywvu - yayywvu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4616 bytes
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am

Re: pesky Win32.small.azl Trojan

Post by markamus » December 2nd, 2007, 11:36 am

Welcome to Malware Removal Forums!! My name is markamus, and I will be helping you with your HJT log. Please take note of the following while we are working together:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

I am currently reviewing your log and will have a reply shortly.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: pesky Win32.small.azl Trojan

Post by markamus » December 4th, 2007, 10:37 am

Hi firebrand,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: pesky Win32.small.azl Trojan

Post by firebrand » December 4th, 2007, 11:27 am

Hi markamus,

Thank you for your assistance.

I downloaded VundoFix a while back and it did find Vundo/Virtumonde, which was removed, but I guess the other one lets it back into my system. When I run this scan, it says "searching for files" and never gets past a file called DMUSIC.SYS. Not sure if this is normal, so that is why I mention it. Then it finishes the scan after a bit and says no infected files found. I am certain Spybot would find the file/(Trojan?) I used as the subject of my post, but that is all I have running that detects it. It has found it every scan, but it always comes back.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 6:45:50 PM 10/30/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 7:06:05 PM 10/30/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 8:21:47 PM 10/30/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 8:43:54 PM 10/30/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 12:25:37 AM 10/31/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 10:09:38 AM 11/5/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 12:25:20 AM 11/6/2007
Listing files found while scanning....

C:\WINNT\system32\nizkqfwi.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\nizkqfwi.dll
C:\WINNT\system32\nizkqfwi.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 10:11:39 AM 11/6/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 10:28:45 AM 11/7/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 7:04:12 PM 11/11/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 9:46:06 PM 11/12/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 8:48:47 PM 11/29/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.11
Checking Java version...
Sun Java not detected
Scan started at 9:55:41 AM 12/4/2007
Listing files found while scanning....
No infected files were found.


Here is the new Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:59 AM, on 12/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\system32\BrmfRsmg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Scansoft\PaperPort\PPLinks.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\BrmfRmPA.exe
C:\Hijack This\HiJackThis.exe

O2 - BHO: (no name) - {09985909-06B9-4005-A4CF-1C9C6E1690AA} - C:\Program Files\PLUS!\meposybi4444.dll (file missing)
O2 - BHO: 0 - {0CFCC577-EA60-4A9C-8980-BB486556BA61} - C:\Program Files\Common Files\quba.dll (file missing)
O2 - BHO: (no name) - {49D35D4F-4738-41FE-A616-77D4947520AA} - C:\WINNT\system32\jkkkl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINNT\system32\yayywvu.dll (file missing)
O2 - BHO: (no name) - {8652D896-3C1F-4182-9400-B172A853AE58} - C:\Program Files\PLUS!\meposybi83122.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {e1cc1e50-61cd-4a83-9efe-21484afae00d} - C:\WINNT\system32\ktcsuwj.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [431010bd] rundll32.exe "C:\WINNT\system32\nwgbbdjq.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O20 - Winlogon Notify: yayywvu - yayywvu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4704 bytes
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am

Re: pesky Win32.small.azl Trojan

Post by markamus » December 4th, 2007, 12:30 pm

Hi firebrand,

Step 1: We need to temporarily disable Spybot's TeaTimer as it may interfere with some of the fix. We will re-enable it once your system is all clean.
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
----------------------------------------------------------------------------------------------

Step 2:
  1. Download this file - combofix.exe and save it to your Desktop.
  2. Double click combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
----------------------------------------------------------------------------------------------

Step 3: Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix). Do NOT run this tool yet.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
---------------------------------------------------------------------------------------------------------------------

In your next reply, please include the following:
  1. The Combofix log
  2. The SDFix log
  3. A fresh HijackThis log
If the post is too long, you can split the results into 2 or more separate posts.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: pesky Win32.small.azl Trojan

Post by firebrand » December 5th, 2007, 5:20 pm

Sorry it has taken me longer to get this back to you than I hoped. On the Combofix program, I am not sure if it completes; I noticed it reboots rapidly after a quick flash of a blue screen, like a memory dump or something, and it is too quick to read what it says the reason is. Hopefully it went all the way through to completion. I also reran it today but don't see that one; only yesterday's is on my computer. Hope that doesn't matter.

ComboFix 07-12-02.6 - bjdonis 2007-12-04 13:01:47.3 - FAT32x86
Running from: C:\Documents and Settings\bjdonis\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\bjdonis\Desktop\Live Safety Center.lnk
C:\Documents and Settings\bjdonis\Desktop\Online Security Guide.lnk
C:\Documents and Settings\bjdonis\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINNT\system32\a1
C:\WINNT\system32\bthnngid.dll
C:\WINNT\system32\g2
C:\WINNT\system32\g2\caws83122.exe
C:\WINNT\system32\h1
C:\WINNT\system32\ktcsuwj.dll
C:\WINNT\system32\lkkkj.bak1
C:\WINNT\system32\lkkkj.bak2
C:\WINNT\system32\lkkkj.ini
C:\WINNT\system32\nizkqfwi.dllbox
C:\WINNT\system32\pac.txt
C:\WINNT\system32\r2
C:\WINNT\system32\v8
C:\WINNT\system32\v8\taldrvr11.exe
C:\WINNT\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR




((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-04 13:02 . 07-12-04 13:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_380.dat
2007-12-04 12:56 . 07-12-04 12:56 <DIR> d-------- C:\FOUND.000
2007-11-30 02:29 . 07-12-03 17:52 642,752 ---h----- C:\WINNT\ShellIconCache
2007-11-19 22:44 . 07-11-19 22:44 <DIR> d-------- C:\WINNT\system32\BITS
2007-11-12 11:07 . 07-11-12 11:07 11,736 --a------ C:\Documents and Settings\bjdonis\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 09:49 . 07-11-07 10:19 136 --ah----- C:\aaw7boot.cmd
2007-11-06 11:48 . 07-11-06 11:48 <DIR> dr-h----- C:\$VAULT$.AVG
2007-11-06 11:32 . 07-11-06 11:32 <DIR> d-------- C:\Documents and Settings\bjdonis\Application Data\AVG7
2007-11-06 11:31 . 07-11-06 11:31 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\AVG7
2007-11-06 11:30 . 07-11-06 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-06 11:30 . 07-11-06 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-06 11:30 . 07-11-06 11:30 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2007-11-06 00:27 . 07-11-06 00:27 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-11-05 23:59 . 07-11-11 10:08 589,626 ---hs---- C:\WINNT\system32\qjdbbgwn.ini
2007-11-05 23:59 . 07-11-05 23:59 294 ---hs---- C:\WINNT\system32\jtpxgnvs.ini
2007-11-04 13:36 . 07-11-04 13:36 <DIR> d--hs---- C:\WINNT\Ympkb25pcw
2007-11-04 13:34 . 07-11-04 13:34 <DIR> d-------- C:\WINNT\system32\Mz02r
2007-11-04 13:34 . 07-11-04 13:34 <DIR> d-------- C:\Temp\mZOr
2007-11-04 13:34 . 07-11-04 13:34 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 17:15 246 ----a-w C:\Program Files\Common Files\quba
2007-10-31 02:58 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\dllcache\user32.dll
2007-08-14 17:44 271 ---h--w C:\Program Files\desktop.ini
2007-08-14 17:44 21,952 ---h--w C:\Program Files\folder.htt
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\rteke.html
2002-07-24 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-07-29 22:24 472 --sha-r C:\WINNT\Ympkb25pcw\sAD4vZcDwT.vbs
.
C:\WINNT\system32\user32.dll ... is infected !! (additional data below)
403,216 2007-10-30 19:57:40 C:\WINNT\system32\user32.dll
403,216 2007-10-30 19:57:40 C:\WINNT\system32\dllcache\user32.dll
403,216 2003-06-19 20:05:04 C:\WINNT\ServicePackFiles\i386\user32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09985909-06B9-4005-A4CF-1C9C6E1690AA}]
C:\Program Files\PLUS!\meposybi4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CFCC577-EA60-4A9C-8980-BB486556BA61}]
C:\Program Files\Common Files\quba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49D35D4F-4738-41FE-A616-77D4947520AA}]
C:\WINNT\system32\jkkkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8652D896-3C1F-4182-9400-B172A853AE58}]
C:\Program Files\PLUS!\meposybi83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"431010bd"="C:\WINNT\system32\nwgbbdjq.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 ]

C:\Documents and Settings\bjdonis\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2005-01-14 15:06:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Brother SmartUI PopUp.lnk - C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe [2007-08-15 11:16:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywvu]
yayywvu.dll




SDFix: Version 1.116

Run by bjdonis on Wed 2007-12-05 at 15:55

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\PROGRA~1\COMMON~1\RTEKE~1.HTM - Deleted
C:\PROGRA~1\COMMON~1\QUBA - Deleted




Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 16:03:42
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 23 Apr 1999 93,890 ..SH. --- "C:\COMMAND.COM"
Fri 23 Apr 1999 53,248 ...H. --- "C:\Program Files\Accessories\mspcx32.dll"

Finished!
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am

Re: pesky Win32.small.azl Trojan

Post by firebrand » December 5th, 2007, 5:21 pm

Here's 12/5 Hijack This log, thanks markamus!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:08, on 2007-12-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\system32\BrmfRsmg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Scansoft\PaperPort\PPLinks.exe
C:\Hijack This\HiJackThis.exe

O2 - BHO: (no name) - {09985909-06B9-4005-A4CF-1C9C6E1690AA} - C:\Program Files\PLUS!\meposybi4444.dll (file missing)
O2 - BHO: 0 - {0CFCC577-EA60-4A9C-8980-BB486556BA61} - C:\Program Files\Common Files\quba.dll (file missing)
O2 - BHO: (no name) - {49D35D4F-4738-41FE-A616-77D4947520AA} - C:\WINNT\system32\jkkkl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8652D896-3C1F-4182-9400-B172A853AE58} - C:\Program Files\PLUS!\meposybi83122.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [431010bd] rundll32.exe "C:\WINNT\system32\nwgbbdjq.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O20 - Winlogon Notify: yayywvu - yayywvu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3923 bytes
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am
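A small triage-and-diff helper for the HijackThis logs posted in this thread, added here as an example; it is not part of the original posts, of HijackThis, or of any tool the forum's helpers use. The sample lines are constructed from entries in the 11/30 and 12/5 logs above, and the heuristics (orphaned "(file missing)" / "(no file)" entries, unnamed BHOs, hex-named Run values, rundll32 loading a DLL from system32, a long hex argument on an autostart) are a reviewer's assumptions, not a vendor's signatures.

```python
"""Triage and diff helpers for HijackThis v2 log entries (added example).

Assumption: the O2/O3/O4/O20 line layouts match the logs posted in this
thread. The flags below are reviewer heuristics, not detection signatures.
"""
import re

# Constructed sample modelled on the initial 11/30 log in this thread.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {49D35D4F-4738-41FE-A616-77D4947520AA} - C:\WINNT\system32\jkkkl.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {e1cc1e50-61cd-4a83-9efe-21484afae00d} - C:\WINNT\system32\ktcsuwj.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [431010bd] rundll32.exe "C:\WINNT\system32\nwgbbdjq.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: yayywvu - yayywvu.dll (file missing)
"""

# Constructed sample modelled on the 12/5 log, after VundoFix, ComboFix and SDFix ran.
LOG_AFTER = r"""
O2 - BHO: (no name) - {49D35D4F-4738-41FE-A616-77D4947520AA} - C:\WINNT\system32\jkkkl.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [431010bd] rundll32.exe "C:\WINNT\system32\nwgbbdjq.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: yayywvu - yayywvu.dll (file missing)
"""

ENTRY_RE = re.compile(r"^O\d+ - ")
# O4 lines: "O4 - <hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+\"?([^\",]+)", re.I)
LONG_HEX_ARG_RE = re.compile(r"\s[0-9A-F]{32,}\s*$", re.I)


def entries(log):
    """Return the O-section entry lines of a log, skipping headers and blanks."""
    return [ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())]


def triage(line):
    """Reasons a reviewer should look at this entry; an empty list means nothing unusual."""
    reasons = []
    if line.endswith("(file missing)") or line.endswith("(no file)"):
        reasons.append("orphaned load point: the registry still references a file that is gone")
    if line.startswith(("O2 - ", "O3 - ")) and "(no name)" in line:
        reasons.append("BHO/toolbar registered without a name: look up the CLSID and the file")
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if HEX_NAME_RE.match(name):
            reasons.append("Run value name is 8 hex digits, typical of a generated name")
        dll = RUNDLL_RE.search(cmd)
        if dll and "\\system32\\" in dll.group(1).lower():
            reasons.append("rundll32 loads a DLL from system32 at logon: verify that DLL")
        if LONG_HEX_ARG_RE.search(cmd):
            reasons.append("autostart passes a long hex token as its only argument")
    return reasons


def triage_log(log):
    """Map each flagged entry line to its list of reasons."""
    return {ln: triage(ln) for ln in entries(log) if triage(ln)}


def diff_logs(before, after):
    """Entries removed and added between two logs, in log order."""
    b, a = entries(before), entries(after)
    return [ln for ln in b if ln not in a], [ln for ln in a if ln not in b]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Removed between runs:")
    for ln in removed:
        print("  -", ln)
    print("Still flagged in the later log:")
    for ln, why in triage_log(LOG_AFTER).items():
        print("  ", ln)
        for r in why:
            print("      *", r)
```

Run as a script it prints which entries the clean-up removed and which orphaned or suspicious load points still need attention in the later log.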

Re: pesky Win32.small.azl Trojan

Post by markamus » December 6th, 2007, 11:02 am

Hi firebrand,

Your Combofix log is incomplete as posted. I will need to see the entire log. The saved text file should be located at C:\Combofix.txt. When you open the text file, press Ctrl + A to select the entire text, Ctrl + C to copy it and Ctrl + V to paste it here as a reply to this post.

Also, it appears that there have been 2 previous runs of Combofix on this PC. I will also need to see the first 2 runs. These should still be saved as C:\Combofix2.txt and C:\Combofix3.txt. Repeat the above process to post all 3 Combofix logs here for me to see. If your reply is too long, you can split it into two or more posts.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: pesky Win32.small.azl Trojan

Post by firebrand » December 6th, 2007, 2:11 pm

I may have deleted the first ComboFix I ran; I only see the two, 10/31 and 12/04, plus the one that quarantines something, which I included in the middle. The latter one I ran doesn't complete; it drops the memory or something and reboots before completion, so that is all that is in the text file. I will try again now after shutting as much off as I can and see if I can get it to complete the scan.


ComboFix 07-10-29.1 - bjdonis 10/31/2007 0:33:58.1 - FAT32x86
Running from: C:\Documents and Settings\bjdonis\Local Settings\Temporary Internet Files\Content.IE5\E1YH4NK7\ComboFix[1].exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Microsoft Security Adviser
C:\WINNT\Help\access.hlp
C:\WINNT\Help\verifier.hlp
C:\WINNT\sys.log
C:\WINNT\system32\drivers\atmapi.sys
C:\WINNT\system32\nvrssl.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-31 00:32 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-31 00:01 <DIR> d-------- C:\New Folder
2007-10-31 00:00 <DIR> d-------- C:\Hijack This
2007-10-30 20:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-30 18:53 1,270 --a------ C:\WINNT\system32\tmp.reg
2007-10-30 18:45 <DIR> d-------- C:\VundoFix Backups
2007-10-30 13:57 403,216 --a------ C:\WINNT\system32\dllcache\user32.dll
2007-10-30 13:57 178,688 --a------ C:\syswpsv.exe
2007-10-30 13:52 27,136 --a------ C:\WINNT\shwol.dll
2007-09-30 23:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-20 22:10 <DIR> d-------- C:\Program Files\Citrix
2007-09-20 22:10 <DIR> d-------- C:\Documents and Settings\bjdonis\Application Data\ICAClient
2007-09-20 22:06 46,744 --a------ C:\WINNT\system32\drivers\odptdi.sys
2007-09-20 22:05 <DIR> d-------- C:\Documents and Settings\bjdonis\Application Data\Aventail

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll
2007-08-15 15:16 5,166 --sh--w C:\SUHDLOG.DAT
2007-08-14 17:44 271 ---h--w C:\Program Files\desktop.ini
2007-08-14 17:44 21,952 ---h--w C:\Program Files\folder.htt
2007-08-14 15:36 45,056 --sha-w C:\VIDEOROM.BIN
2007-07-31 01:19 92,504 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2007-07-31 01:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 01:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 01:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 01:19 53,080 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-31 01:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-31 01:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 01:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 01:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 01:19 1,712,984 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-31 01:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2003-06-19 20:05 403,216 ----a-w C:\WINNT\system32\irtexqb
2002-07-24 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
C:\WINNT\system32\user32.dll ... is infected !! (additional data below)
403,216 2007-10-30 19:57:40 C:\WINNT\system32\user32.dll
403,216 2007-10-30 19:57:40 C:\WINNT\system32\dllcache\user32.dll
403,216 2003-06-19 20:05:04 C:\WINNT\ServicePackFiles\i386\user32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05-05-31 01:04 ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\bjdonis\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2005-01-14 15:06:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Brother SmartUI PopUp.lnk - C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe [2007-08-15 11:16:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R1 Odptdi;Odptdi;\??\C:\WINNT\system32\drivers\odptdi.sys
R2 BrSerial;Brother Serial Driver;\??\C:\WINNT\system32\drivers\BrSerial.sys
R3 chips;chips;C:\WINNT\system32\DRIVERS\chipsm5.sys
R3 ess;ESS Audio Driver (WDM);C:\WINNT\system32\drivers\ess.sys
R3 N100;Compaq Ethernet or Fast Ethernet NIC NT Driver;C:\WINNT\system32\DRIVERS\n100nt5.sys

.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 00:45:03
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-31 0:46:22 - machine was rebooted
.
--- E O F ---


Code:
07-10-30 13:57       142848    --a------    C:\Qoobox\Quarantine\C\WINNT\system32\nvrssl.dll.vir
07-10-30 13:58       106    --a------    C:\Qoobox\Quarantine\C\WINNT\sys.log.vir
07-10-30 14:25       218    --a------    C:\Qoobox\Quarantine\C\WINNT\system32\drivers\atmapi.sys.vir
07-10-30 14:25       56832    --a------    C:\Qoobox\Quarantine\C\WINNT\Help\access.hlp.vir
07-10-30 14:25       61440    --a------    C:\Qoobox\Quarantine\C\WINNT\Help\verifier.hlp.vir


Folder PATH listing
Volume serial number is 0006FE80 4310:1012
C:\QOOBOX\QUARANTINE
+---Registry_backups
\---C
    \---WINNT
        |   sys.log.vir
        |   
        +---Help
        |       access.hlp.vir
        |       verifier.hlp.vir
        |       
        \---system32
            |   nvrssl.dll.vir
            |   
            \---drivers
                    atmapi.sys.vir
                    



ComboFix 07-12-02.6 - bjdonis 2007-12-04 13:01:47.3 - FAT32x86
Running from: C:\Documents and Settings\bjdonis\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\bjdonis\Desktop\Live Safety Center.lnk
C:\Documents and Settings\bjdonis\Desktop\Online Security Guide.lnk
C:\Documents and Settings\bjdonis\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINNT\system32\a1
C:\WINNT\system32\bthnngid.dll
C:\WINNT\system32\g2
C:\WINNT\system32\g2\caws83122.exe
C:\WINNT\system32\h1
C:\WINNT\system32\ktcsuwj.dll
C:\WINNT\system32\lkkkj.bak1
C:\WINNT\system32\lkkkj.bak2
C:\WINNT\system32\lkkkj.ini
C:\WINNT\system32\nizkqfwi.dllbox
C:\WINNT\system32\pac.txt
C:\WINNT\system32\r2
C:\WINNT\system32\v8
C:\WINNT\system32\v8\taldrvr11.exe
C:\WINNT\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR




((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-04 13:02 . 07-12-04 13:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_380.dat
2007-12-04 12:56 . 07-12-04 12:56 <DIR> d-------- C:\FOUND.000
2007-11-30 02:29 . 07-12-03 17:52 642,752 ---h----- C:\WINNT\ShellIconCache
2007-11-19 22:44 . 07-11-19 22:44 <DIR> d-------- C:\WINNT\system32\BITS
2007-11-12 11:07 . 07-11-12 11:07 11,736 --a------ C:\Documents and Settings\bjdonis\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 09:49 . 07-11-07 10:19 136 --ah----- C:\aaw7boot.cmd
2007-11-06 11:48 . 07-11-06 11:48 <DIR> dr-h----- C:\$VAULT$.AVG
2007-11-06 11:32 . 07-11-06 11:32 <DIR> d-------- C:\Documents and Settings\bjdonis\Application Data\AVG7
2007-11-06 11:31 . 07-11-06 11:31 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\AVG7
2007-11-06 11:30 . 07-11-06 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-06 11:30 . 07-11-06 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-06 11:30 . 07-11-06 11:30 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2007-11-06 00:27 . 07-11-06 00:27 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-11-05 23:59 . 07-11-11 10:08 589,626 ---hs---- C:\WINNT\system32\qjdbbgwn.ini
2007-11-05 23:59 . 07-11-05 23:59 294 ---hs---- C:\WINNT\system32\jtpxgnvs.ini
2007-11-04 13:36 . 07-11-04 13:36 <DIR> d--hs---- C:\WINNT\Ympkb25pcw
2007-11-04 13:34 . 07-11-04 13:34 <DIR> d-------- C:\WINNT\system32\Mz02r
2007-11-04 13:34 . 07-11-04 13:34 <DIR> d-------- C:\Temp\mZOr
2007-11-04 13:34 . 07-11-04 13:34 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 17:15 246 ----a-w C:\Program Files\Common Files\quba
2007-10-31 02:58 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\dllcache\user32.dll
2007-08-14 17:44 271 ---h--w C:\Program Files\desktop.ini
2007-08-14 17:44 21,952 ---h--w C:\Program Files\folder.htt
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\rteke.html
2002-07-24 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-07-29 22:24 472 --sha-r C:\WINNT\Ympkb25pcw\sAD4vZcDwT.vbs
.
C:\WINNT\system32\user32.dll ... is infected !! (additional data below)
403,216 2007-10-30 19:57:40 C:\WINNT\system32\user32.dll
403,216 2007-10-30 19:57:40 C:\WINNT\system32\dllcache\user32.dll
403,216 2003-06-19 20:05:04 C:\WINNT\ServicePackFiles\i386\user32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09985909-06B9-4005-A4CF-1C9C6E1690AA}]
C:\Program Files\PLUS!\meposybi4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CFCC577-EA60-4A9C-8980-BB486556BA61}]
C:\Program Files\Common Files\quba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49D35D4F-4738-41FE-A616-77D4947520AA}]
C:\WINNT\system32\jkkkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8652D896-3C1F-4182-9400-B172A853AE58}]
C:\Program Files\PLUS!\meposybi83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"431010bd"="C:\WINNT\system32\nwgbbdjq.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 ]

C:\Documents and Settings\bjdonis\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2005-01-14 15:06:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Brother SmartUI PopUp.lnk - C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe [2007-08-15 11:16:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywvu]
yayywvu.dll

This is the last entry when I do the Ctrl A.
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am

Re: pesky Win32.small.azl Trojan

Unread postby firebrand » December 6th, 2007, 2:55 pm

Markamus,

I got the quick flash blue screen again (tried twice now) when running Combofix again. It appears after it has checked the files and is preparing the log report, and the icons have come back onto the desktop. I really can't read what it says, it flashes so fast, but something about a memory dump I think. On the reboot, it checks the hard drive. I did my best here to put down what it is saying:

Combofix\whitedirB.dat First allocation until not valid, the entry will be truncated
Combofix\zhsvc.dat First allocation "..."
(I believe Combofix\)notifykeys.dat, crosslinked allocation unit 132318
Cfiles.dat
Cfolders.dat Both of these say 1st allocation unit not valid, entry truncated as well
(Combofix\)borlander_file.dat
(Combofix\)borlander_folder.dat Both say 1st allocation unit not valid.

Not sure if this is helpful, but I guess this is why the report is not complete. I will be happy to try any ideas on how to get around this so you can get a full report. Should I run in safe mode?

firebrand
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am

Re: pesky Win32.small.azl Trojan

Unread postby markamus » December 7th, 2007, 9:10 am

Hi firebrand,

Open Notepad (not Wordpad) and copy and paste the contents of the following quote box into it:
Code:
@echo off
rem Remove the cached copy first so Windows File Protection cannot restore the infected file
del /q C:\WINNT\system32\dllcache\user32.dll
rem Keep the infected DLL under a .vir name instead of deleting it
rename C:\WINNT\system32\user32.dll user32.dll.vir
rem Put the original service-pack copy back in place
copy C:\WINNT\ServicePackFiles\i386\user32.dll C:\WINNT\system32
exit

  1. Click on File, then Save as.
  2. Save it to your Desktop.
  3. In the File Name field, enter del.bat
  4. In the Save as Type field, select All files.
  5. Press the Save button.
  6. On your Desktop, double click on the newly created del.bat. A window will open and close. This is normal.

Once this has been done, reboot your PC normally, then run another scan with ComboFix and post the results as a reply here.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama
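The batch file above swaps the live user32.dll for the service-pack copy on the strength of ComboFix's "is infected" line, even though all three copies in the log report the same size (403,216 bytes). Before taking that step a practitioner would want to confirm that the live copy really differs from the trusted one, and whether the dllcache copy has been altered as well (if it has, File Protection would otherwise put the bad version straight back). The following is an added example, my own code rather than anything from markamus, ComboFix or this forum: it hashes the three copies at the paths quoted in the ComboFix log and returns a verdict. The files it builds under a temporary directory are constructed stand-ins so the script runs offline; on the real machine you would call assess_copies() with no arguments, and the service-pack copy is only a valid reference if you trust it (the log shows it untouched since 2003, but a vendor hash is better).

```python
"""Integrity check for a protected system DLL across its live copy and the
two backup copies Windows 2000 keeps (dllcache and ServicePackFiles).

Added example for the thread above; not code from ComboFix or the forum.
"""
import hashlib
import os
import tempfile

# File locations named in the thread's ComboFix log (Windows 2000 layout).
LIVE_DLL = r"C:\WINNT\system32\user32.dll"
DLLCACHE_DLL = r"C:\WINNT\system32\dllcache\user32.dll"
SP_ORIGINAL_DLL = r"C:\WINNT\ServicePackFiles\i386\user32.dll"


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so a large DLL is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def assess_copies(live=LIVE_DLL, dllcache=DLLCACHE_DLL, sp_original=SP_ORIGINAL_DLL):
    """Compare the live DLL and the dllcache copy against the service-pack
    original and return a verdict dict.

    The service-pack copy is the trusted reference; any copy whose hash
    differs from it is listed under "differs_from_sp". Equal sizes are
    reported separately because, as in the thread, a patched DLL can keep
    exactly the size of the original: size is not integrity.
    """
    paths = {"live": live, "dllcache": dllcache, "sp_original": sp_original}
    hashes = {name: sha256_of(p) for name, p in paths.items()}
    sizes = {name: os.path.getsize(p) for name, p in paths.items()}
    reference = hashes["sp_original"]
    differs = [name for name in ("live", "dllcache") if hashes[name] != reference]
    return {
        "hashes": hashes,
        "sizes": sizes,
        "same_size": len(set(sizes.values())) == 1,
        "differs_from_sp": differs,
        # Replacing the live file (what del.bat does) is warranted only when
        # it really diverges from the trusted copy.
        "replace_live": "live" in differs,
        # A diverging dllcache copy must go too, or File Protection can
        # restore the bad version after the replacement.
        "purge_dllcache": "dllcache" in differs,
    }


def build_demo_tree(root):
    """Constructed sample files standing in for the three user32.dll copies.

    All three have the same length; the live and dllcache copies have one
    byte altered, mimicking a patched system DLL that a size check misses.
    """
    clean = b"MZ" + bytes(range(256)) * 4   # constructed stand-in, not a real PE
    patched = bytearray(clean)
    patched[100] ^= 0xFF                     # same size, different content
    layout = {
        "live": os.path.join(root, "system32", "user32.dll"),
        "dllcache": os.path.join(root, "system32", "dllcache", "user32.dll"),
        "sp_original": os.path.join(root, "ServicePackFiles", "i386", "user32.dll"),
    }
    contents = {"live": bytes(patched), "dllcache": bytes(patched), "sp_original": clean}
    for name, path in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(contents[name])
    return layout


def demo():
    """Run the check against the constructed tree and return the verdict."""
    with tempfile.TemporaryDirectory() as root:
        layout = build_demo_tree(root)
        return assess_copies(layout["live"], layout["dllcache"], layout["sp_original"])


if __name__ == "__main__":
    verdict = demo()
    print("same size:", verdict["same_size"])
    print("differs from service-pack copy:", verdict["differs_from_sp"])
    print("replace live:", verdict["replace_live"], "| purge dllcache:", verdict["purge_dllcache"])
```

In the constructed run both the live and the dllcache copy diverge from the reference while all three sizes match, which is exactly the situation where the two-step order in the batch file (purge dllcache, then replace the live file) matters.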

Re: pesky Win32.small.azl Trojan

Unread postby firebrand » December 7th, 2007, 12:23 pm

Hi markamus,

I performed the routine you outlined; it still dumps the stack, or whatever, and gives me a fast blue screen and automatic reboot. It then checks the disk on the reboot. I do see a 12/7 combofix log, although it doesn't appear complete either. Here it is, hopefully it has enough for you, if not, let me know what else to do to get you this complete log.

I will try doing this again after posting this; if I get a different result I will follow up shortly. I anticipate the same result.

ComboFix 07-12-02.6 - bjdonis 2007-12-07 10:57:43.7 - FAT32x86
Running from: C:\Documents and Settings\bjdonis\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.

2007-12-07 10:57 . 07-12-07 10:57 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_354.dat
2007-12-06 13:33 . 07-12-06 13:33 <DIR> d-------- C:\FOUND.004
2007-12-06 13:26 . 07-12-06 13:26 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_390.dat
2007-12-06 13:20 . 07-12-06 13:20 <DIR> d-------- C:\FOUND.003
2007-12-06 13:14 . 07-12-06 13:14 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_358.dat
2007-12-05 15:55 . 07-12-05 15:55 <DIR> d-------- C:\WINNT\ERUNT
2007-12-05 15:41 . 07-12-05 15:41 <DIR> d-------- C:\FOUND.002
2007-12-05 15:35 . 07-12-05 15:35 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_374.dat
2007-12-04 13:08 . 07-12-04 13:08 <DIR> d-------- C:\FOUND.001
2007-12-04 13:02 . 07-12-04 13:02 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_380.dat
2007-12-04 12:56 . 07-12-04 12:56 <DIR> d-------- C:\FOUND.000
2007-11-30 02:29 . 07-12-05 16:20 740,948 ---h----- C:\WINNT\ShellIconCache
2007-11-19 22:44 . 07-11-19 22:44 <DIR> d-------- C:\WINNT\system32\BITS
2007-11-12 11:07 . 07-11-12 11:07 11,736 --a------ C:\Documents and Settings\bjdonis\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 09:49 . 07-11-07 10:19 136 --ah----- C:\aaw7boot.cmd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 17:32 --------- d-----w C:\Documents and Settings\bjdonis\Application Data\AVG7
2007-11-06 17:31 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2007-11-06 17:30 26,944 ----a-w C:\WINNT\system32\drivers\avg7rsnt.sys
2007-11-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-06 06:27 24,576 ----a-w C:\WINNT\system32\VundoFixSVC.exe
2007-10-31 02:58 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll.vir
2007-08-14 17:44 271 ---h--w C:\Program Files\desktop.ini
2007-08-14 17:44 21,952 ---h--w C:\Program Files\folder.htt
2002-07-24 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-07-29 22:24 472 --sha-r C:\WINNT\Ympkb25pcw\sAD4vZcDwT.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09985909-06B9-4005-A4CF-1C9C6E1690AA}]
C:\Program Files\PLUS!\meposybi4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CFCC577-EA60-4A9C-8980-BB486556BA61}]
C:\Program Files\Common Files\quba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49D35D4F-4738-41FE-A616-77D4947520AA}]
C:\WINNT\system32\jkkkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8652D896-3C1F-4182-9400-B172A853AE58}]
C:\Program Files\PLUS!\meposybi83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"431010bd"="C:\WINNT\system32\nwgbbdjq.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 ]

C:\Documents and Settings\bjdonis\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2005-01-14 15:06:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Brother SmartUI PopUp.lnk - C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe [2007-08-15 11:16:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywvu]
yayywvu.dll

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
R1 Odptdi;Odptdi;\??\C:\WINNT\system32\drivers\odptdi.sys
R2 BrSerial;Brother Serial Driver;\??\C:\WINNT\system32\drivers\BrSerial.sys
R3 chips;chips;C:\WINNT\system32\DRIVERS\chipsm5.sys
R3 ess;ESS Audio Driver (WDM);C:\WINNT\system32\drivers\ess.sys
R3 N100;Compaq Ethernet or Fast Ethernet NIC NT Driver;C:\WINNT\system32\DRIVERS\n100nt5.sys

.
.exe
C:\Program Files\sofatoolbar\sofa.dll
C:\Program Files\sound.exe
C:\Program Files\spiider.exe
C:\Program Files\svchost.exe
C:\Program Files\svhost32.exe
C:\Program Files\system\cdrom.exe
C:\Program Files\system\flash.exe
C:\Program Files\system\windows32.exe
C:\Program Files\system1.exe
C:\Program Files\tasks.exe
C:\Program Files\tclock\tclock_install.exe
C:\Program Files\temp.tmp
C:\Program Files\tes\bhoplugin.dll
C:\Program Files\test\bhoplugin.dll
C:\Program Files\toolbar888\mytoolbar.dll
C:\Program Files\tshz093.exe
C:\Program Files\ttx.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\udll.exe
C:\Program Files\update.exe
C:\Program Files\updates\keygen.exe
C:\Program Files\version.txt
C:\Program Files\videoplugin\uninstall.exe
C:\Program Files\vttimers.exe
C:\Program Files\wapp.exe
C:\Program Files\widows.exe
C:\Program Files\winantiviruspro2006scannerinstall.exe
C:\Program Files\windows media player\hosecut
C:\Program Files\windows media player\hosecut.dll
C:\Program Files\windows\winupdate.exe
C:\Program Files\windows\wwinupdate.exe
C:\Program Files\windows32.exe
C:\Program Files\winfixer2005install.exe
C:\Program Files\winini.exe
C:\Program Files\wm2emt.exe
C:\Program Files\wmplay.exe
C:\Program Files\wss.dll
C:\Program Files\x.bmp
C:\WINNT\system32\-20754.exe
C:\WINNT\system32\ systemi.exe
C:\WINNT\system32\ two1.exe
C:\WINNT\system32\$drvnam$.dat
C:\WINNT\system32\hcopy.tmp
C:\WINNT\system32\~hcopy.tmp
C:\WINNT\system32\~haltmid.dr
C:\WINNT\system32\~my1a.tmp
C:\WINNT\system32\000.txt
C:\WINNT\system32\000060ea.dat
C:\WINNT\system32\01sjhb17.exe
C:\WINNT\system32\0mcamcap.exe
C:\WINNT\system32\0x57.exe
C:\WINNT\system32\100setup.exe
C:\WINNT\system32\1010s.exe
C:\WINNT\system32\1025\up.exe
C:\WINNT\system32\1036live.exe
C:\WINNT\system32\11.exe
C:\WINNT\system32\1201
C:\WINNT\system32\1512.exe
C:\WINNT\system32\15448.exe
C:\WINNT\system32\180ax.exe
C:\WINNT\system32\1ufka8igg.dll
C:\WINNT\system32\2020search.dll
C:\WINNT\system32\2236_28.dll
C:\WINNT\system32\27
C:\WINNT\system32\2934.exe
C:\WINNT\system32\2search.exe
C:\WINNT\system32\3000netbish.exe
C:\WINNT\system32\300ra.exe
C:\WINNT\system32\33.exe
C:\WINNT\system32\360safe.exe
C:\WINNT\system32\44.exe
C:\WINNT\system32\57sex109.exe
C:\WINNT\system32\6666.com
C:\WINNT\system32\7073cafi.exe
C:\WINNT\system32\764.exe
C:\WINNT\system32\7dp7.dll
C:\WINNT\system32\928bbf8f.exe
C:\WINNT\system32\93_app13.exe
C:\WINNT\system32\a.exe
C:\WINNT\system32\a3dx8.dll
C:\WINNT\system32\a3dxq.dll
C:\WINNT\system32\a3dxx.dll
C:\WINNT\system32\aaa.exe
C:\WINNT\system32\aaa00000.dll
C:\WINNT\system32\aaa00000.sys
C:\WINNT\system32\abcdefgh.dll
C:\WINNT\system32\accinet.exe
C:\WINNT\system32\acczixp.dll
C:\WINNT\system32\acss.dll
C:\WINNT\system32\acvgxw.dll
C:\WINNT\system32\acwfs4t2.exe
C:\WINNT\system32\ad.html
C:\WINNT\system32\ad812.exe
C:\WINNT\system32\adal.cng
C:\WINNT\system32\adapis.dat
C:\WINNT\system32\addrconfig.bin
C:\WINNT\system32\adinfo.bin
C:\WIN
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am

Re: pesky Win32.small.azl Trojan

Unread postby firebrand » December 7th, 2007, 1:14 pm

Looks like my 2nd run this morning gets less than the 1st:

ComboFix 07-12-02.6 - bjdonis 2007-12-07 11:42:42.8 - FAT32x86
Running from: C:\Documents and Settings\bjdonis\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.

2007-12-07 11:05 . 07-12-07 11:05 <DIR> d-------- C:\FOUND.005
2007-12-07 10:57 . 07-12-07 11:43 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_354.dat
2007-12-06 13:33 . 07-12-06 13:33 <DIR> d-------- C:\FOUND.004
2007-12-06 13:26 . 07-12-06 13:26 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_390.dat
2007-12-06 13:20 . 07-12-06 13:20 <DIR> d-------- C:\FOUND.003
2007-12-06 13:14 . 07-12-06 13:14 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_358.dat
2007-12-05 15:55 . 07-12-05 15:55 <DIR> d-------- C:\WINNT\ERUNT
2007-12-05 15:41 . 07-12-05 15:41 <DIR> d-------- C:\FOUND.002
2007-12-05 15:35 . 07-12-05 15:35 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_374.dat
2007-12-04 13:08 . 07-12-04 13:08 <DIR> d-------- C:\FOUND.001
2007-12-04 13:02 . 07-12-04 13:02 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_380.dat
2007-12-04 12:56 . 07-12-04 12:56 <DIR> d-------- C:\FOUND.000
2007-11-30 02:29 . 07-12-07 11:22 741,266 ---h----- C:\WINNT\ShellIconCache
2007-11-19 22:44 . 07-11-19 22:44 <DIR> d-------- C:\WINNT\system32\BITS
2007-11-12 11:07 . 07-11-12 11:07 11,736 --a------ C:\Documents and Settings\bjdonis\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 09:49 . 07-11-07 10:19 136 --ah----- C:\aaw7boot.cmd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 17:32 --------- d-----w C:\Documents and Settings\bjdonis\Application Data\AVG7
2007-11-06 17:31 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2007-11-06 17:30 26,944 ----a-w C:\WINNT\system32\drivers\avg7rsnt.sys
2007-11-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-06 06:27 24,576 ----a-w C:\WINNT\system32\VundoFixSVC.exe
2007-10-31 02:58 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll.vir
2007-08-14 17:44 271 ---h--w C:\Program Files\desktop.ini
2007-08-14 17:44 21,952 ---h--w C:\Program Files\folder.htt
2002-07-24 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-07-29 22:24 472 --sha-r C:\WINNT\Ympkb25pcw\sAD4vZcDwT.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09985909-06B9-4005-A4CF-1C9C6E1690AA}]
C:\Program Files\PLUS!\meposybi4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CFCC577-EA60-4A9C-8980-BB486556BA61}]
C:\Program Files\Common Files\quba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49D35D4F-4738-41FE-A616-77D4947520AA}]
C:\WINNT\system32\jkkkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8652D896-3C1F-4182-9400-B172A853AE58}]
C:\Program Files\PLUS!\meposybi83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"431010bd"="C:\WINNT\system32\nwgbbdjq.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 ]

C:\Documents and Settings\bjdonis\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2005-01-14 15:06:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Brother SmartUI PopUp.lnk - C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe [2007-08-15 11:16:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am

Re: pesky Win32.small.azl Trojan

Unread postby markamus » December 8th, 2007, 12:17 pm

Hi firebrand,

Download the newest Beta version of Combofix from one of the following mirrors:
http://download.bleepingcomputer.com/sU ... mboFix.exe
http://www.forospyware.com/sUBs/Beta/ComboFix.exe
http://subs.geekstogo.com/Beta/ComboFix.exe

Run a fresh scan with the new Combofix and post back with the contents of the scan.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: pesky Win32.small.azl Trojan

Unread postby firebrand » December 8th, 2007, 4:54 pm

That seems to have worked this time, did not force a reboot. I ran Spybot last night and it did not find the Win32 file or Virtumonde, just tracking cookies. AVG found some stuff today though, but did not tell me it was serious.


ComboFix 07-12-09.1 - bjdonis 2007-12-08 15:42:25.9 - FAT32x86
Running from: C:\Documents and Settings\bjdonis\Desktop\ComboFix(3).exe
.

((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-08 15:42 . 07-12-08 15:42 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_128.dat
2007-12-07 11:50 . 07-12-07 11:50 <DIR> d-------- C:\FOUND.006
2007-12-07 11:05 . 07-12-07 11:05 <DIR> d-------- C:\FOUND.005
2007-12-07 10:57 . 07-12-07 11:43 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_354.dat
2007-12-06 13:33 . 07-12-06 13:33 <DIR> d-------- C:\FOUND.004
2007-12-06 13:26 . 07-12-06 13:26 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_390.dat
2007-12-06 13:20 . 07-12-06 13:20 <DIR> d-------- C:\FOUND.003
2007-12-06 13:14 . 07-12-06 13:14 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_358.dat
2007-12-05 15:55 . 07-12-05 15:55 <DIR> d-------- C:\WINNT\ERUNT
2007-12-05 15:41 . 07-12-05 15:41 <DIR> d-------- C:\FOUND.002
2007-12-05 15:35 . 07-12-05 15:35 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_374.dat
2007-12-04 13:08 . 07-12-04 13:08 <DIR> d-------- C:\FOUND.001
2007-12-04 13:02 . 07-12-04 13:02 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_380.dat
2007-12-04 12:56 . 07-12-04 12:56 <DIR> d-------- C:\FOUND.000
2007-11-30 02:29 . 07-12-07 15:53 741,310 ---h----- C:\WINNT\ShellIconCache
2007-11-19 22:44 . 07-11-19 22:44 <DIR> d-------- C:\WINNT\system32\BITS
2007-11-12 11:07 . 07-11-12 11:07 11,736 --a------ C:\Documents and Settings\bjdonis\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 16:19 136 ---ha-w C:\aaw7boot.cmd
2007-11-06 17:32 --------- d-----w C:\Documents and Settings\bjdonis\Application Data\AVG7
2007-11-06 17:31 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2007-11-06 17:30 26,944 ----a-w C:\WINNT\system32\drivers\avg7rsnt.sys
2007-11-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-06 06:27 24,576 ----a-w C:\WINNT\system32\VundoFixSVC.exe
2007-10-31 02:58 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll.vir
2007-08-14 17:44 271 ---h--w C:\Program Files\desktop.ini
2007-08-14 17:44 21,952 ---h--w C:\Program Files\folder.htt
2002-07-24 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-07-29 22:24 472 --sha-r C:\WINNT\Ympkb25pcw\sAD4vZcDwT.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09985909-06B9-4005-A4CF-1C9C6E1690AA}]
C:\Program Files\PLUS!\meposybi4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CFCC577-EA60-4A9C-8980-BB486556BA61}]
C:\Program Files\Common Files\quba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49D35D4F-4738-41FE-A616-77D4947520AA}]
C:\WINNT\system32\jkkkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8652D896-3C1F-4182-9400-B172A853AE58}]
C:\Program Files\PLUS!\meposybi83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"431010bd"="C:\WINNT\system32\nwgbbdjq.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-11-06 11:30 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 ]

C:\Documents and Settings\bjdonis\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2005-01-14 15:06:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Brother SmartUI PopUp.lnk - C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe [2007-08-15 11:16:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywvu]
yayywvu.dll

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
R1 Odptdi;Odptdi;\??\C:\WINNT\system32\drivers\odptdi.sys
R2 BrSerial;Brother Serial Driver;\??\C:\WINNT\system32\drivers\BrSerial.sys
R3 chips;chips;C:\WINNT\system32\DRIVERS\chipsm5.sys
R3 ess;ESS Audio Driver (WDM);C:\WINNT\system32\drivers\ess.sys
R3 N100;Compaq Ethernet or Fast Ethernet NIC NT Driver;C:\WINNT\system32\DRIVERS\n100nt5.sys

.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 15:45:52
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 15:46:55
C:\ComboFix2.txt ... 07-10-31 00:46
.
--- E O F ---
firebrand
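Added example, not part of firebrand's post and not ComboFix code: a Python script that parses the "Reg Loading Points" block in a ComboFix log like the one above and applies the same triage an analyst does by eye, flagging Browser Helper Object DLLs with random-looking file names, Run values whose target is a DLL or whose name is a hex blob, and Winlogon\Notify packages outside a known-good list. The sample input is constructed from the entries in the log above; the function names, the vowel/consonant-run thresholds and the Notify allowlist (stock Windows 2000/XP packages) are this example's own assumptions, not anything the post or the tool defines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the relevant "Reg Loading Points" lines from the
# ComboFix log in the post above, trimmed to the entries the checks exercise.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09985909-06B9-4005-A4CF-1C9C6E1690AA}]
C:\Program Files\PLUS!\meposybi4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CFCC577-EA60-4A9C-8980-BB486556BA61}]
C:\Program Files\Common Files\quba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49D35D4F-4738-41FE-A616-77D4947520AA}]
C:\WINNT\system32\jkkkl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"431010bd"="C:\WINNT\system32\nwgbbdjq.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-11-06 11:30 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywvu]
yayywvu.dll
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")          # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')       # "name"="target" [...]

# Assumption: DLLs behind the stock Windows 2000/XP Winlogon\Notify packages
# (crypt32chain, cryptnet, cscdll, sclgntfy, ScCertProp/Schedule/SensLogn/
# termsrv/wlballoon). Build your own list from a clean baseline of the same OS.
NOTIFY_ALLOWLIST = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                    "sclgntfy.dll", "wlnotify.dll"}
VOWELS = set("aeiou")


@dataclass
class AutoStart:
    key: str                       # registry key the entry lives under
    name: str                      # value name, BHO CLSID or Notify subkey
    target: str                    # file the entry loads
    reasons: list = field(default_factory=list)


def parse_loading_points(text):
    """Turn the ComboFix 'Reg Loading Points' text into AutoStart records."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:                                   # Run-style "name"="target"
            entries.append(AutoStart(key, m.group(1), m.group(2)))
        else:                                   # BHO / Notify: bare DLL line
            entries.append(AutoStart(key, key.rsplit("\\", 1)[-1], line))
    return entries


def looks_random(filename):
    """Crude name heuristic: digits mixed into the stem, no vowels at all,
    or five or more consonants in a row (y counted as a consonant)."""
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    letters = "".join(c for c in stem if c.isalpha())
    if not letters:
        return False
    has_digits = any(c.isdigit() for c in stem)
    no_vowels = not (set(letters) & VOWELS)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return has_digits or no_vowels or longest >= 5


def assess(entry):
    """Attach a reason for every rule the entry trips; empty list means clean."""
    low_key = entry.key.lower()
    file_name = entry.target.rsplit("\\", 1)[-1].lower()
    if "browser helper objects" in low_key:
        if looks_random(file_name):
            entry.reasons.append("BHO DLL with random-looking name")
    elif "winlogon\\notify" in low_key:
        if file_name not in NOTIFY_ALLOWLIST:
            entry.reasons.append("Winlogon Notify package not in allowlist")
    elif low_key.endswith("\\run"):
        if file_name.endswith(".dll"):
            entry.reasons.append("Run value points at a DLL, not a program")
        if re.fullmatch(r"[0-9a-f]{6,}", entry.name.lower()):
            entry.reasons.append("Run value name is a hex blob")
    return entry


def find_suspicious(text):
    """Parse the block and return only the entries that tripped a rule."""
    return [e for e in map(assess, parse_loading_points(text)) if e.reasons]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(f"{e.target}\n    key: {e.key}\n    why: {'; '.join(e.reasons)}")
```

Running it lists meposybi4444.dll, jkkkl.dll, nwgbbdjq.dll and yayywvu.dll; quba.dll passes the naming heuristic, which is the caveat: rules like these shorten the list but do not replace looking up each BHO CLSID and checking the file's location, timestamp and vendor before deciding to remove it. To use it on a real log, replace SAMPLE_LOG with the whole "Reg Loading Points" section (or read it from the saved ComboFix.txt).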