PDA

View Full Version : Another Virtumonde Thread



Trixel
2008-09-21, 06:34
I tried almost everything to no avail. The pesky trojan keeps popping up. Here is the HJT log with the hopes someone more knowledgeable than me can help out:

Logfile of HijackThis v1.99.1
Scan saved at 8:25:09 PM, on 9/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [44d3ddb4] rundll32.exe "C:\WINDOWS\system32\vvhdrtgs.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: hcuoxg.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

Thanks for the help.

pskelley
2008-09-22, 15:36
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I see no antivirus program running on this computer? It is a waste of your time and mine to clean a computer that will just reinfect. If you need a free program, here are three to choose from, install ONLY one.
http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/
Once you have a program installed, update it and scan the system removing what it finds.

You have posted an out of date HJT log, read the directions and when you have an antivirus program running on the computer post a new HJT log with the updated version of HJT, and I will be glad to see if I can help.

Thanks

Trixel
2008-09-23, 00:01
Installed Norton, found trojans and some tracker cookies. Got rid of them, but ran Spybot and found the virtumonde again. Here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:53 PM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [44d3ddb4] rundll32.exe "C:\WINDOWS\system32\cammfulu.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - AppInit_DLLs: ,orjphq.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 5137 bytes


Thanks for your help.

pskelley
2008-09-23, 00:26
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks

Trixel
2008-09-23, 03:13
Here is the combofix log:

ComboFix 08-09-20.05 - METEORA 2008-09-22 17:00:27.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.593 [GMT -7:00]
Running from: C:\Documents and Settings\METEORA\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\sgtrdhvv.ini
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\ulufmmac.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-22 17:06 . 2008-09-22 17:06 294 ---hs---- C:\WINDOWS\system32\ulufmmac.ini
2008-09-22 13:54 . 2008-09-22 13:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 23:16 . 2008-09-21 23:15 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\WINDOWS\system32\drivers\NAV
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Program Files\Symantec
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Program Files\NortonInstaller
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-21 23:15 . 2008-09-21 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Norton
2008-09-21 23:15 . 2008-09-21 23:15 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-21 23:15 . 2008-09-21 23:15 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-21 23:15 . 2008-09-21 23:15 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-09-21 23:15 . 2008-09-21 23:15 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-09-21 22:42 . 2008-09-21 22:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-21 17:50 . 2008-09-21 17:50 136,832 --a------ C:\WINDOWS\system32\orjphq.dll
2008-09-21 17:50 . 2008-09-21 17:50 136,832 --a------ C:\WINDOWS\system32\ghnkehys.dll
2008-09-21 17:47 . 2008-09-21 17:47 36,352 --a------ C:\WINDOWS\system32\TDSSjjsm.dll
2008-09-21 17:45 . 2008-09-21 17:45 104,064 --a------ C:\WINDOWS\system32\cammfulu.dll
2008-09-21 03:46 . 2008-09-21 03:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-21 00:11 . 2008-09-21 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-20 17:48 . 2008-09-20 17:48 137,344 --a------ C:\WINDOWS\system32\pvjejrnl.dll
2008-09-20 17:48 . 2008-09-20 17:48 137,344 --a------ C:\WINDOWS\system32\hcuoxg.dll
2008-09-20 17:45 . 2008-09-20 17:45 103,552 --a------ C:\WINDOWS\system32\vvhdrtgs.dll
2008-09-20 17:00 . 2008-09-20 17:00 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-09-20 17:00 . 2008-09-20 17:00 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-20 02:06 . 2008-09-20 16:42 198 --a------ C:\WINDOWS\wininit.ini
2008-09-20 01:49 . 2008-09-21 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-20 01:38 . 2008-09-20 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-09-19 23:43 . 2008-09-19 23:43 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.install_backup
2008-09-19 23:25 . 2008-09-19 23:27 <DIR> d-------- C:\Program Files\Flash Menu Labs Std v2
2008-09-19 21:19 . 2008-09-19 22:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 21:09 . 2008-09-19 21:09 103,552 --a------ C:\WINDOWS\system32\xpaeveon.dll
2008-09-19 21:07 . 2008-09-19 21:07 137,344 --a------ C:\WINDOWS\system32\ysvfcx.dll
2008-09-19 21:07 . 2008-09-19 21:07 137,344 --a------ C:\WINDOWS\system32\scoabkih.dll
2008-09-19 21:06 . 2008-09-19 21:06 326,656 --a------ C:\WINDOWS\system32\mlJayWpQ.dll
2008-09-19 21:06 . 2008-09-22 17:00 16,970 --ahs---- C:\WINDOWS\system32\QpWyaJlm.ini2
2008-09-19 21:06 . 2008-09-22 17:00 16,970 --ahs---- C:\WINDOWS\system32\QpWyaJlm.ini
2008-09-19 20:20 . 2008-09-19 20:20 <DIR> d-------- C:\Documents and Settings\METEORA\Application Data\DivX
2008-09-19 19:31 . 2008-09-19 19:31 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-19 12:28 . 2008-09-19 12:28 <DIR> d-------- C:\Documents and Settings\METEORA\Application Data\Aleo Software
2008-09-19 12:26 . 2008-09-19 12:26 <DIR> d-------- C:\Program Files\Aleo Software
2008-09-10 00:38 . 2008-09-17 17:43 <DIR> d-------- C:\Documents and Settings\METEORA\Application Data\Move Networks
2008-09-04 21:31 . 2008-09-19 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-30 19:31 . 2008-09-01 00:06 <DIR> d-------- C:\Program Files\DivX
2008-08-30 12:29 . 2008-09-21 03:56 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-08-30 12:29 . 2008-08-30 12:29 <DIR> d-------- C:\DVDVideoSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 06:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 02:07 --------- d-----w C:\Program Files\Intel
2008-09-22 00:42 --------- d-----w C:\Program Files\Apoint
2008-09-22 00:40 --------- d-----w C:\Program Files\Common Files\Sony Shared
2008-09-21 19:41 --------- d-----w C:\Program Files\Common Files\GTK
2008-09-20 07:55 --------- d-----w C:\Documents and Settings\METEORA\Application Data\uTorrent
2008-09-20 05:12 --------- d-----w C:\Program Files\CCleaner
2008-09-20 04:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-13 11:01 25,992 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe
2008-08-25 06:57 --------- d-----w C:\Program Files\Defrag
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-30 10:04 89 ----a-w C:\WINDOWS\system32\config\systemprofile\Del2132.bat
2008-03-30 10:04 89 ----a-w C:\Documents and Settings\METEORA\Del2132.bat
2008-03-30 10:04 89 ----a-w C:\Documents and Settings\Default User\Del2132.bat
2008-03-27 19:12 113,664 ----a-w C:\WINDOWS\inf\hdaudio.sys
2008-03-30 10:13 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008033020080331\index.dat
.

------- Sigcheck -------

2008-03-27 12:12 361344 a3c3d568108ad955870b288769f9c97d C:\WINDOWS\system32\drivers\tcpip.sys

2008-03-27 12:16 2185216 f6f1fff391da02bf54e76a58f7e44428 C:\WINDOWS\system32\ntkrnlpa.exe

2008-03-27 12:12 2306560 39a2bf6e9c17b4e5bc9f29f1fa24dfec C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43E794F4-9A4F-4728-B605-7BE42084648F}]
2008-09-19 21:06 326656 --a------ C:\WINDOWS\system32\mlJayWpQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b65b340-87ec-4d9b-935f-cc665e0a0944}]
2008-09-21 17:50 136832 --a------ C:\WINDOWS\system32\orjphq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-20 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"Google Update"="C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-11-17 118784]
"Switcher.exe"="C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-04-05 118784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 385024]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"VAIOCameraUtility"="C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"44d3ddb4"="C:\WINDOWS\system32\cammfulu.dll" [2008-09-21 104064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-03-27 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 15:51 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=,orjphq.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSjcxe.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=

R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-09-21 309296]
R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-09-21 254512]
R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-09-21 362544]
R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20080918.001\IDSxpx86.sys [2008-09-21 274808]
R2 Norton AntiVirus;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
R3 SonyImgF;Sony Image Conversion Filter Driver;C:\WINDOWS\system32\DRIVERS\SonyImgF.sys [2006-03-06 30080]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2007-01-24 808448]
S3 EraserUtilDrvI7;EraserUtilDrvI7;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\METEORA\Application Data\Mozilla\Firefox\Profiles\443e3c1t.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
.
------- File Associations -------
.
inffile=C:\WINDOWS\system32\Notepad2.exe %1
inifile=C:\WINDOWS\system32\Notepad2.exe %1
txtfile=C:\WINDOWS\system32\Notepad2.exe %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 17:06:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\cammfulu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-09-22 17:08:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-23 00:08:44

Pre-Run: 80,842,260,480 bytes free
Post-Run: 80,836,763,648 bytes free

206


Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:38 PM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {43E794F4-9A4F-4728-B605-7BE42084648F} - C:\WINDOWS\system32\mlJayWpQ.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {4490a0e5-66cc-f539-b9d4-ce78043b56b8} - {8b65b340-87ec-4d9b-935f-cc665e0a0944} - C:\WINDOWS\system32\orjphq.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [44d3ddb4] rundll32.exe "C:\WINDOWS\system32\cammfulu.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - AppInit_DLLs: ,orjphq.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 5697 bytes

pskelley
2008-09-23, 04:45
Thanks for returning your information, proceed carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\mlJayWpQ.dll
C:\WINDOWS\system32\orjphq.dll
C:\WINDOWS\system32\cammfulu.dll
C:\WINDOWS\system32\ulufmmac.ini
C:\WINDOWS\system32\ghnkehys.dll
C:\WINDOWS\system32\TDSSjjsm.dll
C:\WINDOWS\system32\pvjejrnl.dll
C:\WINDOWS\system32\hcuoxg.dll
C:\WINDOWS\system32\vvhdrtgs.dll
C:\WINDOWS\system32\xpaeveon.dll
C:\WINDOWS\system32\ysvfcx.dll
C:\WINDOWS\system32\scoabkih.dll
C:\WINDOWS\system32\QpWyaJlm.ini2
C:\WINDOWS\system32\QpWyaJlm.ini

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43E794F4-9A4F-4728-B605-7BE42084648F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b65b340-87ec-4d9b-935f-cc665e0a0944}]

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be missing)

O2 - BHO: (no name) - {43E794F4-9A4F-4728-B605-7BE42084648F} - C:\WINDOWS\system32\mlJayWpQ.dll
O2 - BHO: {4490a0e5-66cc-f539-b9d4-ce78043b56b8} - {8b65b340-87ec-4d9b-935f-cc665e0a0944} - C:\WINDOWS\system32\orjphq.dll
O4 - HKLM\..\Run: [44d3ddb4] rundll32.exe "C:\WINDOWS\system32\cammfulu.dll",b
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - AppInit_DLLs: ,orjphq.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running now?

Thanks

Trixel
2008-09-23, 08:07
Here is the Combofix log:

ComboFix 08-09-20.05 - METEORA 2008-09-22 19:50:42.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.613 [GMT -7:00]
Running from: C:\Documents and Settings\METEORA\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\METEORA\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\cammfulu.dll
C:\WINDOWS\system32\ghnkehys.dll
C:\WINDOWS\system32\hcuoxg.dll
C:\WINDOWS\system32\mlJayWpQ.dll
C:\WINDOWS\system32\orjphq.dll
C:\WINDOWS\system32\pvjejrnl.dll
C:\WINDOWS\system32\QpWyaJlm.ini
C:\WINDOWS\system32\QpWyaJlm.ini2
C:\WINDOWS\system32\scoabkih.dll
C:\WINDOWS\system32\TDSSjjsm.dll
C:\WINDOWS\system32\ulufmmac.ini
C:\WINDOWS\system32\vvhdrtgs.dll
C:\WINDOWS\system32\xpaeveon.dll
C:\WINDOWS\system32\ysvfcx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bvrbdloo.ini
.
---- Previous Run -------
.
C:\WINDOWS\system32\bvrbdloo.ini
C:\WINDOWS\system32\ghnkehys.dll
C:\WINDOWS\system32\hcuoxg.dll
C:\WINDOWS\system32\mlJayWpQ.dll
C:\WINDOWS\system32\orjphq.dll
C:\WINDOWS\system32\pvjejrnl.dll
C:\WINDOWS\system32\QpWyaJlm.ini
C:\WINDOWS\system32\QpWyaJlm.ini2
C:\WINDOWS\system32\scoabkih.dll
C:\WINDOWS\system32\TDSSjjsm.dll
C:\WINDOWS\system32\ulufmmac.ini
C:\WINDOWS\system32\vvhdrtgs.dll
C:\WINDOWS\system32\xpaeveon.dll
C:\WINDOWS\system32\ysvfcx.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-22 17:44 . 2008-09-22 17:44 136,832 --a------ C:\WINDOWS\system32\uofyswjg.dll
2008-09-22 17:44 . 2008-09-22 17:44 136,832 --a------ C:\WINDOWS\system32\jywzev.dll
2008-09-22 17:44 . 2008-09-22 17:44 103,552 --a------ C:\WINDOWS\system32\ooldbrvb.dll
2008-09-22 13:54 . 2008-09-22 13:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 23:16 . 2008-09-21 23:15 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\WINDOWS\system32\drivers\NAV
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Program Files\Symantec
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Program Files\NortonInstaller
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-09-21 23:15 . 2008-09-21 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-21 23:15 . 2008-09-21 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Norton
2008-09-21 23:15 . 2008-09-21 23:15 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-21 23:15 . 2008-09-21 23:15 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-21 23:15 . 2008-09-21 23:15 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-09-21 23:15 . 2008-09-21 23:15 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-09-21 22:42 . 2008-09-21 22:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-20 17:00 . 2008-09-20 17:00 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-09-20 17:00 . 2008-09-20 17:00 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-20 02:06 . 2008-09-20 16:42 198 --a------ C:\WINDOWS\wininit.ini
2008-09-20 01:49 . 2008-09-21 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 23:43 . 2008-09-19 23:43 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.install_backup
2008-09-19 23:25 . 2008-09-19 23:27 <DIR> d-------- C:\Program Files\Flash Menu Labs Std v2
2008-09-19 21:19 . 2008-09-19 22:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 20:20 . 2008-09-19 20:20 <DIR> d-------- C:\Documents and Settings\METEORA\Application Data\DivX
2008-09-19 19:31 . 2008-09-19 19:31 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-19 12:28 . 2008-09-19 12:28 <DIR> d-------- C:\Documents and Settings\METEORA\Application Data\Aleo Software
2008-09-19 12:26 . 2008-09-19 12:26 <DIR> d-------- C:\Program Files\Aleo Software
2008-09-10 00:38 . 2008-09-17 17:43 <DIR> d-------- C:\Documents and Settings\METEORA\Application Data\Move Networks
2008-09-04 21:31 . 2008-09-19 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-30 19:31 . 2008-09-01 00:06 <DIR> d-------- C:\Program Files\DivX
2008-08-30 12:29 . 2008-09-21 03:56 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-08-30 12:29 . 2008-08-30 12:29 <DIR> d-------- C:\DVDVideoSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 06:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 02:07 --------- d-----w C:\Program Files\Intel
2008-09-22 00:42 --------- d-----w C:\Program Files\Apoint
2008-09-22 00:40 --------- d-----w C:\Program Files\Common Files\Sony Shared
2008-09-21 19:41 --------- d-----w C:\Program Files\Common Files\GTK
2008-09-20 07:55 --------- d-----w C:\Documents and Settings\METEORA\Application Data\uTorrent
2008-09-20 05:12 --------- d-----w C:\Program Files\CCleaner
2008-09-20 04:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-13 11:01 25,992 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe
2008-08-25 06:57 --------- d-----w C:\Program Files\Defrag
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-30 10:04 89 ----a-w C:\WINDOWS\system32\config\systemprofile\Del2132.bat
2008-03-30 10:04 89 ----a-w C:\Documents and Settings\METEORA\Del2132.bat
2008-03-30 10:04 89 ----a-w C:\Documents and Settings\Default User\Del2132.bat
2008-03-27 19:12 113,664 ----a-w C:\WINDOWS\inf\hdaudio.sys
2008-03-30 10:13 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008033020080331\index.dat
.

------- Sigcheck -------

2008-03-27 12:12 361344 a3c3d568108ad955870b288769f9c97d C:\WINDOWS\system32\drivers\tcpip.sys

2008-03-27 12:16 2185216 f6f1fff391da02bf54e76a58f7e44428 C:\WINDOWS\system32\ntkrnlpa.exe

2008-03-27 12:12 2306560 39a2bf6e9c17b4e5bc9f29f1fa24dfec C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-22_17.08.21.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-23 02:49:52 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_284.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d46c2d0-f93e-427f-8456-735655c03fd1}]
2008-09-22 17:44 136832 --a------ C:\WINDOWS\system32\jywzev.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-20 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"Google Update"="C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-11-17 118784]
"Switcher.exe"="C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-04-05 118784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 385024]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"VAIOCameraUtility"="C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"44d3ddb4"="C:\WINDOWS\system32\ooldbrvb.dll" [2008-09-22 103552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-03-27 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 15:51 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSjcxe.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=

R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-09-21 309296]
R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-09-21 254512]
R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-09-21 362544]
R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20080918.001\IDSxpx86.sys [2008-09-21 274808]
R2 Norton AntiVirus;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
R3 SonyImgF;Sony Image Conversion Filter Driver;C:\WINDOWS\system32\DRIVERS\SonyImgF.sys [2006-03-06 30080]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2007-01-24 808448]
S3 EraserUtilDrvI7;EraserUtilDrvI7;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{49296BAA-644B-4082-92C7-1A7F7C793E54} - C:\WINDOWS\system32\mlJayWpQ.dll



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 19:52:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
Completion time: 2008-09-22 19:53:28
ComboFix-quarantined-files.txt 2008-09-23 02:53:23
ComboFix2.txt 2008-09-23 00:08:49

Pre-Run: 81,252,597,760 bytes free
Post-Run: 81,241,669,632 bytes free

187

MABAM:

Malwarebytes' Anti-Malware 1.28
Database version: 1196
Windows 5.1.2600 Service Pack 3

9/22/2008 9:23:00 PM
mbam-log-2008-09-22 (21-23-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 109843
Time elapsed: 22 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:10 PM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\METEORA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 5192 bytes

The computer is working just like before the infection. It logs into windows realy fast, no pop ups, everything seems normal... Thanks for your great help.

pskelley
2008-09-23, 13:32
Thanks for returning your information and the feedback. This junk has the ability to morph and recreate files, I see these in the combofix log and they appear to be new. Would you make sure you can view all files and fodlers:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Then navigate to those files and delete them. Then empty the Recycle Bin on the Desktop. Let me know if you have any problems, we can use CFScript if we need to.

C:\WINDOWS\system32\uofyswjg.dll
C:\WINDOWS\system32\jywzev.dll
C:\WINDOWS\system32\ooldbrvb.dll

As soon as that is accomplished, if all continues to run well, let me know and I will remove combofix and post closing information.

Thanks...Phil

Trixel
2008-09-23, 22:42
Thanks again. About the post above, I was not able to find those files. I even did a /sea *.dll and no cigar. The laptop *seems* to be working properly...

pskelley
2008-09-23, 22:59
Let's do one more good online scan, I am concerned you could not locate those file...they may be gone.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Trixel
2008-09-24, 01:54
Kaspersky's log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 23, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 23, 2008 20:05:36
Records in database: 1252025
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 65249
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:26:12


File name / Threat name / Threats count
C:\Program Files\Utilities\LS Patch\LSPatch_1.1.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 1

The selected area was scanned.

pskelley
2008-09-24, 02:16
Thanks for running KOS to be sure, here is information about that item:
http://forum.kaspersky.com/lofiversion/index.php/t36694.html

Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

To be sure, let's clean the System Restore files:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Safe surfing:bigthumb:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

Trixel
2008-09-24, 02:59
Done and done. Thank you for your time and patience, there's no way I could've identified the files by myself. Everything seems to be working out like before. Thanks again, pskelley.

El. Val.