I have seen similar posts about trouble removing the last few registry entries, but couldn't use the same codes since my infected file was different. I have used the most recent update of MBAM, tried to manually change registry key permissions in safe mode, and used other anti-virus software.
Here are my logs:
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 1
04/16/2009 2:27:12 PM
mbam-log-2009-04-16 (14-27-12).txt
Scan type: Quick Scan
Objects scanned: 71943
Time elapsed: 6 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e5abb44c-c68c-414e-91b3-3419ac559b22} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e5abb44c-c68c-414e-91b3-3419ac559b22} (Trojan.Downloader) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\mfc42r.dll (Trojan.Downloader) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:05 AM, on 4/17/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\bin\ssv.dll
O2 - BHO: (no name) - {E5ABB44C-C68C-414E-91B3-3419AC559B22} - C:\WINDOWS\System32\mfc42r.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Microsoft DirectX] Windows.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft DirectX] Windows.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wserv32.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\acrobat\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\bin\npjpi150_06.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TCP-IP Service (ipx) - Unknown owner - C:\WINDOWS\system32\dllcache\ipxserv.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICSer_BCM43XX - Unknown owner - C:\Program Files\Wireless\IEEE802.11g WLAN Card\NICServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
--
End of file - 4082 bytes
THANKS
Similar problem removing registry entries and infected file
Started by xoxachahim, Apr 17 2009 05:01 PM
#1
Posted 17 April 2009 - 05:01 PM
#2
Posted 18 April 2009 - 09:37 AM
Hi,
I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!
* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.
Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.
Also, is there any reason why your XP is not up to date either? You're missing 2 huge updates!
#3
Posted 19 April 2009 - 03:17 PM
Miekiemoes,
Thank you for your reply, I have done what you said and will post the requested logs below. I would politely caution you to be careful about assumptions though, because although I do not have anti-virus installed: I usually run Housecall on this machine, and additionally I network the computers and run virus software from a non-infected machine scanning the files on the infected computer.
I have stayed at XP Service Pack 1 because when I installed SP2 it caused so many problems, ran my processor at max, and generally was irritating. That was 6 or 7 years ago. I stopped having AV once all the programs started requiring SP2 to run (even AVG free) and this is the first time I've had a virus since then, so it has all worked out decently well. I thank you for helping me find a free AV that didn't require SP2.
The Avira was able to get rid of the one dll file I couldn't get rid of, but the explorer browser registries still remain, even after reboot.
Thank you for continuing to look at this. Here are all new logs/reports:
Avira AntiVir Personal
Report file date: Sunday, April 19, 2009 08:28
Scanning for 1356201 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 1) [5.1.2600]
Boot mode : Normally booted
Username : mistress pynke
Computer name : PYNKE
Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 03/24/2009 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 02/24/2009 17:13:28
AVSCAN.DLL : 9.0.3.0 40705 Bytes 02/27/2009 15:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 02/20/2009 16:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 02/27/2009 15:58:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:38
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 02/11/2009 01:33:28
ANTIVIR2.VDF : 7.1.3.63 1588224 Bytes 04/16/2009 12:31:44
ANTIVIR3.VDF : 7.1.3.73 25088 Bytes 04/18/2009 12:31:44
Engineversion : 8.2.0.148
AEVDF.DLL : 8.1.1.0 106868 Bytes 01/27/2009 22:36:42
AESCRIPT.DLL : 8.1.1.75 373113 Bytes 04/19/2009 12:32:02
AESCN.DLL : 8.1.1.10 127348 Bytes 04/19/2009 12:32:00
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:42
AEPACK.DLL : 8.1.3.14 397685 Bytes 04/19/2009 12:31:58
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 02/27/2009 01:01:58
AEHEUR.DLL : 8.1.0.119 1724791 Bytes 04/19/2009 12:31:58
AEHELP.DLL : 8.1.2.2 119158 Bytes 02/27/2009 01:01:58
AEGEN.DLL : 8.1.1.36 340341 Bytes 04/19/2009 12:31:52
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/09/2008 19:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 04/19/2009 12:31:52
AEBB.DLL : 8.1.0.3 53618 Bytes 10/09/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:48:00
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/05/2008 15:32:16
AVREP.DLL : 8.0.0.3 155905 Bytes 01/20/2009 19:34:30
AVREG.DLL : 9.0.0.0 36609 Bytes 12/05/2008 15:32:10
AVARKT.DLL : 9.0.0.1 292609 Bytes 02/09/2009 12:52:26
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 01/30/2009 15:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 01/28/2009 20:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 13:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 12/05/2008 15:32:12
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 02/09/2009 16:45:46
RCTEXT.DLL : 9.0.35.0 87297 Bytes 03/11/2009 20:55:14
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +SPR,
Start of the scan: Sunday, April 19, 2009 08:28
Starting search for hidden objects.
c:\windows\minidump\e.0
[INFO] The file is not visible.
[WARNING] The file could not be copied to the quarantine directory.
[WARNING] Error in ARK library
c:\windows\minidump\\.t
[INFO] The file is not visible.
[WARNING] The file could not be copied to the quarantine directory.
[WARNING] Error in ARK library
'35802' objects were checked, '2' hidden objects were found.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'FXSSVC.EXE' - '1' Module(s) have been scanned
Scan process 'WDFMGR.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'McciCMService.exe' - '1' Module(s) have been scanned
Scan process 'Crypserv.exe' - '1' Module(s) have been scanned
Scan process 'ATIEVXX.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'AcroTray.exe' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'ATIPTAXX.EXE' - '1' Module(s) have been scanned
Scan process 'LXSUPMON.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned
Starting master boot sector scan:
Start scanning boot sectors:
Starting to scan executable files (registry).
The registry was scanned ( '61' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
Begin scan in 'D:\'
End of the scan: Sunday, April 19, 2009 09:09
Used time: 41:12 Minute(s)
The scan has been done completely.
4199 Scanned directories
206165 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
206163 Files not concerned
6648 Archives were scanned
4 Warnings
2 Notes
35802 Objects were scanned with rootkit scan
2 Hidden objects were found
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 1
04/19/2009 9:46:08 AM
mbam-log-2009-04-19 (09-45-57).txt
Scan type: Quick Scan
Objects scanned: 71261
Time elapsed: 8 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
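As a triage aid that is not part of this thread: an added parser for the Malwarebytes' Anti-Malware 1.36 log format posted above, used to diff the 04/16 and 04/19 scans and list what the Avira run cleared versus which "Browser Settings" values are still flagged. The function and constant names are my own; the two embedded excerpts are copied from the logs in this thread.

```python
# Added example: parse MBAM 1.36 log text and diff two scans.
# Names (parse_mbam_log, persisted, summarize) are mine, not MBAM's.
from __future__ import annotations

import re
from dataclasses import dataclass

# Detail-section headers in an MBAM 1.36 log; each is followed by one item per
# line, or by "(No malicious items detected)".
SECTIONS = {
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
}

# Item line shape: "<path> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str
    path: str
    name: str
    action: str


def parse_mbam_log(text: str) -> list:
    """Extract detections from the detail sections of an MBAM log.

    Summary lines ("Registry Keys Infected: 2") carry a count after the colon;
    detail headers ("Registry Keys Infected:") end with a bare colon, and only
    items listed under detail headers are parsed.
    """
    found = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        if section is None or not line or line.startswith("("):
            continue  # preamble, blank line, or "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m:
            found.append(Detection(section, m["path"], m["name"], m["action"]))
    return found


def persisted(before: list, after: list) -> list:
    """Detections from the later scan whose path was already flagged earlier."""
    earlier = {d.path for d in before}
    return [d for d in after if d.path in earlier]


def summarize(before_text: str, after_text: str) -> dict:
    """Diff two scans: what the first flagged that is now gone, and what remains."""
    before, after = parse_mbam_log(before_text), parse_mbam_log(after_text)
    gone = {d.path for d in before} - {d.path for d in after}
    return {
        "removed": sorted(gone),
        "persisted": {d.path: d.action for d in persisted(before, after)},
    }


# Excerpt of the 04/16 log posted in this thread (before the Avira scan).
SCAN_APR16 = r"""Malwarebytes' Anti-Malware 1.36
04/16/2009 2:27:12 PM
Registry Keys Infected: 2
Registry Values Infected: 4
Files Infected: 1
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e5abb44c-c68c-414e-91b3-3419ac559b22} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e5abb44c-c68c-414e-91b3-3419ac559b22} (Trojan.Downloader) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\mfc42r.dll (Trojan.Downloader) -> Delete on reboot.
"""

# Excerpt of the 04/19 log posted in this thread (after the Avira full scan).
SCAN_APR19 = r"""Malwarebytes' Anti-Malware 1.36
04/19/2009 9:46:08 AM
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.
Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    result = summarize(SCAN_APR16, SCAN_APR19)
    for path in result["removed"]:
        print("gone:     ", path)
    for path, action in result["persisted"].items():
        print("persisted:", path, "->", action)
```

Run against the two excerpts it reports the BHO CLSID keys and mfc42r.dll as gone and the four Browser Settings values as still present with "No action taken", which is exactly the gap the second MBAM log shows.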
#4
Posted 19 April 2009 - 03:19 PM
Here's also the HT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:21 AM, on 04/19/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\bin\ssv.dll
O2 - BHO: (no name) - {E5ABB44C-C68C-414E-91B3-3419AC559B22} - C:\WINDOWS\System32\mfc42r.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Microsoft DirectX] Windows.exe
O4 - HKCU\..\Run: [Microsoft DirectX] Windows.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft DirectX] Windows.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wserv32.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\acrobat\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TCP-IP Service (ipx) - Unknown owner - C:\WINDOWS\system32\dllcache\ipxserv.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICSer_BCM43XX - Unknown owner - C:\Program Files\Wireless\IEEE802.11g WLAN Card\NICServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
--
End of file - 5030 bytes
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TCP-IP Service (ipx) - Unknown owner - C:\WINDOWS\system32\dllcache\ipxserv.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICSer_BCM43XX - Unknown owner - C:\Program Files\Wireless\IEEE802.11g WLAN Card\NICServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
--
End of file - 5030 bytes
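The log above is read by eye in the thread: the helper spots Run values that name a Microsoft component but carry no path (Windows.exe, wserv32.exe, also registered under the SYSTEM and Default user hives and the legacy RunServices key), and BHO, toolbar and service entries whose file is already gone. The Python below is an added example, not part of the thread and not HijackThis's own code; it applies those same checks to O-lines so the suspicious entries fall out of a log automatically. The sample lines are copied from the log posted above; the heuristics are triage signals that still need a human verdict (a bare filename is also how the legitimate AtiPTA entry is written here).

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: these lines are copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E5ABB44C-C68C-414E-91B3-3419AC559B22} - C:\WINDOWS\System32\mfc42r.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Microsoft DirectX] Windows.exe
O4 - HKCU\..\Run: [Microsoft DirectX] Windows.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wserv32.exe (User 'Default user')
O23 - Service: TCP-IP Service (ipx) - Unknown owner - C:\WINDOWS\system32\dllcache\ipxserv.exe (file missing)
"""

# HijackThis O4 registry autorun line: "O4 - <hive>\..\<key>: [<value name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def first_token(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Return the O-lines that deserve a closer look, each with the reasons it was flagged."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        # Any registered component (BHO, toolbar, service) whose file is gone is an orphan:
        # a leftover of a removed program, or a hook whose payload was deleted but not its registration.
        if line.endswith("(file missing)") or line.endswith("(no file)"):
            reasons.append("registered component points to a file that no longer exists")
        m = O4_RE.match(line)
        if m:
            exe = first_token(m["cmd"])
            if not exe or exe.startswith(("/", "-")):
                reasons.append("no executable in command")
            elif "\\" not in exe and ":" not in exe:
                # No path at all: the binary is resolved through the search path, so it could be
                # anywhere. Legitimate vendors occasionally do this too, so verify before acting.
                reasons.append(f"bare filename '{exe}' (no path; resolved through the search path)")
                if m["name"].lower().startswith(("microsoft", "windows")):
                    reasons.append("value name imitates a Microsoft component")
            if m["hive"].startswith("HKUS"):
                who = m["user"] or m["hive"]
                reasons.append(f"autorun in the '{who}' hive (SYSTEM/Default user entries are rarely legitimate)")
            if m["key"].lower() == "runservices":
                reasons.append("RunServices key (legacy Windows 9x-era key; current software has no reason to use it)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Running it over the sample flags the two Windows.exe entries, both wserv32.exe entries, the EarthLink value with no executable, the bare AtiPTA entry, and the three orphaned components, while ctfmon, iTunesHelper, KernelFaultCheck and the Adobe BHO pass untouched.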
#5
Posted 19 April 2009 - 06:34 PM
Hi,
Things have changed A LOT! You really have to update as well though, unless you don't mind that, because of the unpatched Windows, you can get infected immediately.
Anyway, one thing is for sure here: as long as you don't update, even if we get rid of the malware, you'll get infected again anyway because of the security vulnerabilities. That's why I'm wondering if it's really worth it to clean this if you're not planning to update anyway, or to keep this antivirus. So please let me know what you decide.
Quote
because although I do not have anti-virus installed: I usually run Housecall on this machine, and additionally I network the computers and run virus software from a non-infected machine, scanning the files on the infected computer.
I have stayed at XP Service Pack 1 because when I installed SP2 it caused so many problems, ran my processor at max, and generally was irritating. That was 6 or 7 years ago. I stopped having AV once all the programs started requiring SP2 to run (even AVG free), and this is the first time I've had a virus since then, so it has all worked out decently well. I thank you for helping me find a free AV that didn't require SP2.
#6
Posted 22 April 2009 - 08:34 PM
Well, I'll be glad to give the SP's another shot, and I am happy to have an AV that works.
Thanks.
Lynne
miekiemoes, on Apr 19 2009, 02:34 PM, said:
Hi,
Things have changed A LOT! You really have to update as well though, unless you don't mind that, because of the unpatched Windows, you can get infected immediately.
Anyway, one thing is for sure here: as long as you don't update, even if we get rid of the malware, you'll get infected again anyway because of the security vulnerabilities. That's why I'm wondering if it's really worth it to clean this if you're not planning to update anyway, or to keep this antivirus. So please let me know what you decide.
#7
Posted 23 April 2009 - 06:10 AM
Ok, good 
Let's deal with the rest now...
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#8
Posted 29 April 2009 - 10:20 PM
Okay, sorry that took so long. The infected computer is not my primary computer and I wasn't near it to run the program. But I did today and here is the combofix log:
THANKS
ComboFix 09-04-29.01 - mistress pynke 04/29/2009 17:09.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.255.111 [GMT -5:00]
Running from: c:\documents and settings\mistress pynke\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\program files\Common Files\SLMSS
c:\windows\GnuHashes.ini
c:\windows\system32\dllcache\download
c:\windows\system32\GroupPolicy000.dat
C:\xcrashdump.dat
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-19 14:31 . 2009-04-19 14:31 -------- d-sh--w C:\FOUND.002
2009-04-19 12:22 . 2009-04-19 12:22 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-19 12:22 . 2009-04-19 12:22 -------- d-----w c:\program files\Avira
2009-04-17 16:54 . 2009-04-17 16:54 -------- d-----w c:\program files\Trend Micro
2009-04-17 16:53 . 2009-04-17 16:53 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-16 20:26 . 2009-04-16 20:26 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\documents and settings\mistress pynke\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 18:59 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\program files\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 18:42 . 2009-04-01 18:42 0 ----a-w c:\windows\system32\75.tmp
2009-04-01 17:55 . 2009-04-01 17:54 0 ----a-w c:\windows\system32\60.tmp
2009-04-01 17:48 . 2009-04-01 17:48 0 ----a-w c:\windows\system32\56.tmp
2009-03-29 13:22 . 2009-03-29 13:22 0 ----a-w c:\windows\system32\2D.tmp
2009-03-29 13:22 . 2009-03-29 13:22 0 ----a-w c:\windows\system32\2C.tmp
2009-03-24 14:39 . 2009-03-24 14:39 -------- d-----w c:\program files\EPSON
2009-03-22 17:13 . 2009-03-22 17:13 -------- d-----w c:\program files\GoToMeeting
2009-03-17 17:00 . 2009-03-17 17:00 -------- d-----w c:\program files\ClearMeeting Launcher
2009-03-17 16:18 . 2009-03-17 16:18 -------- d-----r c:\program files\Skype
2006-02-05 20:25 . 2006-02-05 20:25 485 ----a-w c:\program files\HijackThis.exe.lnk
2006-01-26 15:39 . 2004-06-10 04:42 8192 --sha-w c:\program files\Thumbs.db
1997-11-04 17:32 . 2002-06-07 21:44 766 ----a-w c:\program files\PL_E.ICO
2008-09-27 06:01 . 2005-10-21 15:54 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-09-27 06:01 . 2005-10-21 15:54 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-27 06:01 . 2007-02-22 22:26 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-09-27 06:01 . 2007-02-22 22:26 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-09-27 06:01 . 2005-10-21 15:54 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 2003-12-23 11:33 2041984 42BA1A1D33271711976514B227AD371F c:\windows\system32\NTOSKRNL.EXE
[7] 2003-04-24 16:57 1925760 97EC4AB4650DA6FC521CF16F8A6DDCB0 c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2002-08-29 10:03 2042240 B9080D97DBD631AADF9128F7316958D2 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"="/C" [X]
"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2002-03-08 900096]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-07-05 217088]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-6-2 49254]
Adobe Reader Speed Launch.lnk - d:\acrobat\Reader\reader_sl.exe [2008-4-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\Resources\Themes\logonui.exe"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"AOL ACS"=2 (0x2)
"wuauserv"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
R2 ipx;TCP-IP Service; [x]
R2 mrtRate;mrtRate; [x]
R2 NICSer_BCM43XX;NICSer_BCM43XX;c:\program files\Wireless\IEEE802.11g WLAN Card\NICServ.exe [2003-07-29 458240]
R3 ati2mpab;ati2mpab;c:\windows\system32\DRIVERS\ati2mpab.sys [2001-08-14 298752]
R3 DVC;USB DVC Svc;c:\windows\system32\Drivers\DVC.sys [2003-04-01 38604]
R3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\DRIVERS\LEXAR2K.SYS [2001-10-19 16969]
R3 mamovec;mamovec;c:\windows\system32\Drivers\mamovec.sys [2005-06-16 24784]
R3 mamovem;mamovem;c:\windows\system32\Drivers\mamovem.sys [2005-06-16 25044]
R3 mamoveu;mamoveu;c:\windows\system32\DRIVERS\mamoveu.sys [2006-10-19 51584]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-21 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-21 8320]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]
R4 svchostIO;svchostIO; [x]
S0 avgntmgr;avgntmgr;c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys [2009-02-13 22360]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\System32\DRIVERS\ppa.sys [2001-08-17 17792]
S0 va16w2;va16w2;c:\windows\System32\DRIVERS\va16w2.sys [2000-10-21 18665]
S0 va32w2;va32w2;c:\windows\System32\DRIVERS\va32w2.sys [2001-06-21 25689]
S0 zhcjxcyc;zhcjxcyc;c:\windows\system32\drivers\zhcjxcyc.sys [2001-08-18 23424]
S1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2009-02-13 45416]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S3 VIAMODEM;VIAMODEM;c:\windows\system32\DRIVERS\VIAMODEM.sys [2001-08-09 66385]
.
Contents of the 'Scheduled Tasks' folder
2002-05-01 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-22 11:41]
.
- - - - ORPHANS REMOVED - - - -
BHO-{E5ABB44C-C68C-414E-91B3-3419AC559B22} - c:\windows\System32\mfc42r.dll
HKCU-Run-Microsoft DirectX - Windows.exe
HKU-Default-Run-Microsoft Update - wserv32.exe
HKU-Default-Run-Microsoft DirectX - Windows.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\mistress pynke\Application Data\Mozilla\Firefox\Profiles\default.2od\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 17:16
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\windows\System32\ODBC32.dll
- - - - - - - > 'lsass.exe'(768)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(3632)
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\AVIRA\ANTIVIR DESKTOP\AVGUARD.EXE
c:\windows\SYSTEM32\ATIEVXX.EXE
c:\windows\SYSTEM32\CRYPSERV.EXE
c:\program files\COMMON FILES\MOTIVE\MCCICMSERVICE.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\windows\SYSTEM32\FXSSVC.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-29 17:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 22:20
Pre-Run: 377,839,616 bytes free
Post-Run: 357,142,528 bytes free
171
#9
Posted 29 April 2009 - 10:31 PM
Hi,
I see you were dealing with some nasty backdoors in the past as well.
Your NTOSKRNL.EXE is patched here as well, but that's most probably because of the StyleXP you have installed, which gives you a modified boot screen.
* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Quote
File::
c:\windows\system32\drivers\zhcjxcyc.sys
c:\windows\system32\75.tmp
c:\windows\system32\60.tmp
c:\windows\system32\56.tmp
c:\windows\system32\2D.tmp
c:\windows\system32\2C.tmp
Driver::
zhcjxcyc
svchostIO
Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
BTW, have you ever considered changing to NTFS? Because this is FAT32 here. NTFS is better and more stable.
See here how to do this. http://www.aumha.org...5/a/ntfscvt.php
Don't do this now, that's for afterwards if you want to convert.
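The CFScript above was written by hand from two sections of the ComboFix log: the Find3M file list (the zero-byte .tmp files in system32) and the driver/service list (zhcjxcyc and svchostIO). The Python below is an added example, not part of the thread and not ComboFix's own code. It parses those two line formats, lists the entries a reviewer would look at first, and emits File:: and Driver:: sections in the syntax used above. The sample lines are copied from the log posted above. The `[x]` rule (service registered, no image on disk) is only a triage signal: it also surfaces ipx and mrtRate, which the helper chose not to touch, so the analyst supplies the final driver list rather than feeding the candidates straight into the script. The helper picked zhcjxcyc by inspection; the code looks it up in the parsed service list to add its image path to File::.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample: lines copied verbatim from the ComboFix log posted above
# (Find3M Report and the R*/S* driver/service section).
SAMPLE_COMBOFIX = r"""
2009-04-01 18:42 . 2009-04-01 18:42 0 ----a-w c:\windows\system32\75.tmp
2009-04-01 17:55 . 2009-04-01 17:54 0 ----a-w c:\windows\system32\60.tmp
2009-04-01 17:48 . 2009-04-01 17:48 0 ----a-w c:\windows\system32\56.tmp
2009-03-29 13:22 . 2009-03-29 13:22 0 ----a-w c:\windows\system32\2D.tmp
2009-03-29 13:22 . 2009-03-29 13:22 0 ----a-w c:\windows\system32\2C.tmp
2009-03-24 14:39 . 2009-03-24 14:39 -------- d-----w c:\program files\EPSON
2006-02-05 20:25 . 2006-02-05 20:25 485 ----a-w c:\program files\HijackThis.exe.lnk
R2 ipx;TCP-IP Service; [x]
R2 mrtRate;mrtRate; [x]
R2 NICSer_BCM43XX;NICSer_BCM43XX;c:\program files\Wireless\IEEE802.11g WLAN Card\NICServ.exe [2003-07-29 458240]
R4 svchostIO;svchostIO; [x]
S0 avgntmgr;avgntmgr;c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys [2009-02-13 22360]
S0 zhcjxcyc;zhcjxcyc;c:\windows\system32\drivers\zhcjxcyc.sys [2001-08-18 23424]
"""

# "R2 name;display;image [date size]"  or  "R2 name;display; [x]" when the image is not on disk
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>[^\[]*?)\s*(?:\[(?P<meta>[^\]]*)\])?$"
)
# "mtime . ctime size attrs path"; directories show "--------" instead of a size
FIND3M_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[\w-]+) (?P<path>.+)$"
)


@dataclass
class Service:
    start: str          # R = running, S = stopped, digit = start type
    name: str
    image: str
    orphan: bool        # registration exists but ComboFix found no image file ("[x]")


@dataclass
class FileEntry:
    path: str
    size: Optional[int]  # None for directories
    attrs: str


def parse(log: str) -> Tuple[List[Service], List[FileEntry]]:
    """Pull service/driver and Find3M file entries out of a ComboFix log; other lines are ignored."""
    services: List[Service] = []
    files: List[FileEntry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            image = m["image"].strip()
            services.append(Service(m["start"], m["name"], image, m["meta"] == "x" or not image))
            continue
        m = FIND3M_RE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            files.append(FileEntry(m["path"], size, m["attrs"]))
    return services, files


def candidates(services: List[Service], files: List[FileEntry]) -> Tuple[List[str], List[str]]:
    """Triage only: orphaned services and zero-byte .tmp droppings in system32. A human decides."""
    orphan_services = [s.name for s in services if s.orphan]
    empty_tmp = [
        f.path for f in files
        if f.size == 0 and "\\system32\\" in f.path.lower() and f.path.lower().endswith(".tmp")
    ]
    return orphan_services, empty_tmp


def build_cfscript(services: List[Service], drivers: Iterable[str], extra_files: Iterable[str] = ()) -> str:
    """Emit File:: and Driver:: sections (the CFScript syntax used in the thread) for the
    analyst-approved driver names; each driver's image path from the log is added to File::."""
    drivers = list(drivers)
    by_name = {s.name.lower(): s for s in services}
    file_lines: List[str] = []
    for d in drivers:
        svc = by_name.get(d.lower())
        if svc and svc.image:
            file_lines.append(svc.image)   # remove the binary as well as the service registration
    file_lines.extend(extra_files)
    return "\n".join(["File::", *file_lines, "Driver::", *drivers]) + "\n"


if __name__ == "__main__":
    svcs, fls = parse(SAMPLE_COMBOFIX)
    orphans, tmps = candidates(svcs, fls)
    print("orphan services to review:", orphans)
    print("zero-byte .tmp files in system32:", tmps)
    # The analyst's decision for this log, matching the script posted above.
    print(build_cfscript(svcs, ["zhcjxcyc", "svchostIO"], tmps), end="")
```

With the two driver names the helper chose, the generated script is byte-for-byte the one in the quote box above; the candidate list additionally shows ipx and mrtRate as orphaned services, which is exactly the kind of entry that needs a human call before it goes into a CFScript.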
#10
Posted 29 April 2009 - 10:35 PM
Also just want to note that I ran MB after a reboot, and still get those four undeletable browser objects: bf, bk, iu, mu
#11
Posted 29 April 2009 - 10:37 PM
Yes, I know you still get these.
Next time you run MBAM, they will show once more, but when you remove them then, they won't return anymore.
#12
Posted 29 April 2009 - 11:54 PM
ComboFix 09-04-29.01 - mistress pynke 04/29/2009 18:44.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.255.87 [GMT -5:00]
Running from: c:\documents and settings\mistress pynke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mistress pynke\Desktop\CFscript.txt
* Created a new restore point
FILE ::
c:\windows\system32\2C.tmp
c:\windows\system32\2D.tmp
c:\windows\system32\56.tmp
c:\windows\system32\60.tmp
c:\windows\system32\75.tmp
c:\windows\system32\drivers\zhcjxcyc.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\2C.tmp
c:\windows\system32\2D.tmp
c:\windows\system32\56.tmp
c:\windows\system32\60.tmp
c:\windows\system32\75.tmp
c:\windows\system32\drivers\zhcjxcyc.sys . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SVCHOSTIO
-------\Legacy_ZHCJXCYC
-------\Service_svchostIO
-------\Service_zhcjxcyc
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-19 14:31 . 2009-04-19 14:31 -------- d-sh--w C:\FOUND.002
2009-04-19 12:22 . 2009-04-19 12:22 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-19 12:22 . 2009-04-19 12:22 -------- d-----w c:\program files\Avira
2009-04-17 16:54 . 2009-04-17 16:54 -------- d-----w c:\program files\Trend Micro
2009-04-17 16:53 . 2009-04-17 16:53 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-16 20:26 . 2009-04-16 20:26 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\documents and settings\mistress pynke\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 18:59 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\program files\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 23:44 . 2001-09-08 14:56 23424 ----a-w c:\windows\system32\drivers\grrpdufj.sys
2009-03-24 14:39 . 2009-03-24 14:39 -------- d-----w c:\program files\EPSON
2009-03-22 17:13 . 2009-03-22 17:13 -------- d-----w c:\program files\GoToMeeting
2009-03-17 17:00 . 2009-03-17 17:00 -------- d-----w c:\program files\ClearMeeting Launcher
2009-03-17 16:18 . 2009-03-17 16:18 -------- d-----r c:\program files\Skype
2006-02-05 20:25 . 2006-02-05 20:25 485 ----a-w c:\program files\HijackThis.exe.lnk
2006-01-26 15:39 . 2004-06-10 04:42 8192 --sha-w c:\program files\Thumbs.db
1997-11-04 17:32 . 2002-06-07 21:44 766 ----a-w c:\program files\PL_E.ICO
2008-09-27 06:01 . 2005-10-21 15:54 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-09-27 06:01 . 2005-10-21 15:54 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-27 06:01 . 2007-02-22 22:26 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-09-27 06:01 . 2007-02-22 22:26 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-09-27 06:01 . 2005-10-21 15:54 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 2003-12-23 11:33 2041984 42BA1A1D33271711976514B227AD371F c:\windows\system32\NTOSKRNL.EXE
[7] 2003-04-24 16:57 1925760 97EC4AB4650DA6FC521CF16F8A6DDCB0 c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2002-08-29 10:03 2042240 B9080D97DBD631AADF9128F7316958D2 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-29_22.17.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-19 12:22 . 2009-04-29 22:24 96104 c:\windows\system32\drivers\avipbb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5ABB44C-C68C-414E-91B3-3419AC559B22}]
c:\windows\System32\mfc42r.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"="/C" [X]
"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2002-03-08 900096]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-07-05 217088]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-6-2 49254]
Adobe Reader Speed Launch.lnk - d:\acrobat\Reader\reader_sl.exe [2008-4-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\Resources\Themes\logonui.exe"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"AOL ACS"=2 (0x2)
"wuauserv"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
R2 ipx;TCP-IP Service; [x]
R2 mrtRate;mrtRate; [x]
R2 NICSer_BCM43XX;NICSer_BCM43XX;c:\program files\Wireless\IEEE802.11g WLAN Card\NICServ.exe [2003-07-29 458240]
R3 ati2mpab;ati2mpab;c:\windows\system32\DRIVERS\ati2mpab.sys [2001-08-14 298752]
R3 DVC;USB DVC Svc;c:\windows\system32\Drivers\DVC.sys [2003-04-01 38604]
R3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\DRIVERS\LEXAR2K.SYS [2001-10-19 16969]
R3 mamovec;mamovec;c:\windows\system32\Drivers\mamovec.sys [2005-06-16 24784]
R3 mamovem;mamovem;c:\windows\system32\Drivers\mamovem.sys [2005-06-16 25044]
R3 mamoveu;mamoveu;c:\windows\system32\DRIVERS\mamoveu.sys [2006-10-19 51584]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-21 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-21 8320]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]
S0 avgntmgr;avgntmgr;c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys [2009-02-13 22360]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\System32\DRIVERS\ppa.sys [2001-08-17 17792]
S0 va16w2;va16w2;c:\windows\System32\DRIVERS\va16w2.sys [2000-10-21 18665]
S0 va32w2;va32w2;c:\windows\System32\DRIVERS\va32w2.sys [2001-06-21 25689]
S0 zhcjxcyc;zhcjxcyc;c:\windows\system32\drivers\zhcjxcyc.sys [2001-08-18 23424]
S1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2009-02-13 45416]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S3 VIAMODEM;VIAMODEM;c:\windows\system32\DRIVERS\VIAMODEM.sys [2001-08-09 66385]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ZHCJXCYC
.
Contents of the 'Scheduled Tasks' folder
2002-05-01 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-22 11:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\mistress pynke\Application Data\Mozilla\Firefox\Profiles\default.2od\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 18:52
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(700)
c:\windows\System32\ODBC32.dll
- - - - - - - > 'lsass.exe'(768)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(1032)
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\AVIRA\ANTIVIR DESKTOP\AVGUARD.EXE
c:\windows\SYSTEM32\ATIEVXX.EXE
c:\windows\SYSTEM32\CRYPSERV.EXE
c:\program files\COMMON FILES\MOTIVE\MCCICMSERVICE.EXE
c:\windows\System32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-29 18:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 23:56
ComboFix2.txt 2009-04-29 22:20
Pre-Run: 288,247,808 bytes free
Post-Run: 284,286,976 bytes free
#13
Posted 30 April 2009 - 09:22 AM
Hi,
We'll have to give it another try, because since you're on FAT32, it may act like that.
* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Quote
File::
c:\windows\system32\drivers\zhcjxcyc.sys
c:\windows\System32\mfc42r.dll
c:\windows\system32\drivers\grrpdufj.sys
Driver::
ZHCJXCYC
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5ABB44C-C68C-414E-91B3-3419AC559B22}]
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
#14
Posted 04 May 2009 - 09:45 PM
Thanks for being patient. Here's the log.
ComboFix 09-05-03.6 - mistress pynke 05/04/2009 16:35.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.255.141 [GMT -5:00]
Running from: c:\documents and settings\mistress pynke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mistress pynke\Desktop\cfscript.txt
FILE ::
c:\windows\system32\drivers\grrpdufj.sys
c:\windows\system32\drivers\zhcjxcyc.sys
c:\windows\System32\mfc42r.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\grrpdufj.sys . . . . failed to delete
c:\windows\system32\drivers\zhcjxcyc.sys . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ZHCJXCYC
-------\Service_zhcjxcyc
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.
2009-04-19 14:31 . 2009-04-19 14:31 -------- d-sh--w C:\FOUND.002
2009-04-19 12:22 . 2009-04-19 12:22 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-19 12:22 . 2009-04-19 12:22 -------- d-----w c:\program files\Avira
2009-04-17 16:54 . 2009-04-17 16:54 -------- d-----w c:\program files\Trend Micro
2009-04-17 16:53 . 2009-04-17 16:53 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-16 20:26 . 2009-04-16 20:26 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\documents and settings\mistress pynke\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 18:59 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\program files\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 23:44 . 2001-09-08 14:56 23424 ----a-w c:\windows\system32\drivers\grrpdufj.sys
2009-03-24 14:39 . 2009-03-24 14:39 -------- d-----w c:\program files\EPSON
2009-03-22 17:13 . 2009-03-22 17:13 -------- d-----w c:\program files\GoToMeeting
2009-03-17 17:00 . 2009-03-17 17:00 -------- d-----w c:\program files\ClearMeeting Launcher
2009-03-17 16:18 . 2009-03-17 16:18 -------- d-----r c:\program files\Skype
2006-02-05 20:25 . 2006-02-05 20:25 485 ----a-w c:\program files\HijackThis.exe.lnk
2006-01-26 15:39 . 2004-06-10 04:42 8192 --sha-w c:\program files\Thumbs.db
1997-11-04 17:32 . 2002-06-07 21:44 766 ----a-w c:\program files\PL_E.ICO
2008-09-27 06:01 . 2005-10-21 15:54 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-09-27 06:01 . 2005-10-21 15:54 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-27 06:01 . 2007-02-22 22:26 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-09-27 06:01 . 2007-02-22 22:26 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-09-27 06:01 . 2005-10-21 15:54 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 2003-12-23 11:33 2041984 42BA1A1D33271711976514B227AD371F c:\windows\system32\NTOSKRNL.EXE
[7] 2003-04-24 16:57 1925760 97EC4AB4650DA6FC521CF16F8A6DDCB0 c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2002-08-29 10:03 2042240 B9080D97DBD631AADF9128F7316958D2 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-29_22.17.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-19 12:22 . 2009-04-29 22:24 96104 c:\windows\system32\drivers\avipbb.sys
+ 2002-05-01 13:09 . 2009-05-04 21:35 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2002-05-01 13:09 . 2009-04-29 22:08 262144 c:\windows\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5ABB44C-C68C-414E-91B3-3419AC559B22}]
c:\windows\System32\mfc42r.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"="/C" [X]
"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2002-03-08 900096]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-07-05 217088]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-6-2 49254]
Adobe Reader Speed Launch.lnk - d:\acrobat\Reader\reader_sl.exe [2008-4-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\Resources\Themes\logonui.exe"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"AOL ACS"=2 (0x2)
"wuauserv"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
R2 ipx;TCP-IP Service; [x]
R2 mrtRate;mrtRate; [x]
R2 NICSer_BCM43XX;NICSer_BCM43XX;c:\program files\Wireless\IEEE802.11g WLAN Card\NICServ.exe [2003-07-29 458240]
R3 ati2mpab;ati2mpab;c:\windows\system32\DRIVERS\ati2mpab.sys [2001-08-14 298752]
R3 DVC;USB DVC Svc;c:\windows\system32\Drivers\DVC.sys [2003-04-01 38604]
R3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\DRIVERS\LEXAR2K.SYS [2001-10-19 16969]
R3 mamovec;mamovec;c:\windows\system32\Drivers\mamovec.sys [2005-06-16 24784]
R3 mamovem;mamovem;c:\windows\system32\Drivers\mamovem.sys [2005-06-16 25044]
R3 mamoveu;mamoveu;c:\windows\system32\DRIVERS\mamoveu.sys [2006-10-19 51584]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-21 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-21 8320]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]
S0 avgntmgr;avgntmgr;c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys [2009-02-13 22360]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\System32\DRIVERS\ppa.sys [2001-08-17 17792]
S0 va16w2;va16w2;c:\windows\System32\DRIVERS\va16w2.sys [2000-10-21 18665]
S0 va32w2;va32w2;c:\windows\System32\DRIVERS\va32w2.sys [2001-06-21 25689]
S0 zhcjxcyc;zhcjxcyc;c:\windows\system32\drivers\zhcjxcyc.sys [2001-08-18 23424]
S1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2009-02-13 45416]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S3 VIAMODEM;VIAMODEM;c:\windows\system32\DRIVERS\VIAMODEM.sys [2001-08-09 66385]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ZHCJXCYC
.
Contents of the 'Scheduled Tasks' folder
2002-05-01 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-22 11:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\mistress pynke\Application Data\Mozilla\Firefox\Profiles\default.2od\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 16:42
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\windows\System32\ODBC32.dll
- - - - - - - > 'lsass.exe'(768)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(3648)
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\AVIRA\ANTIVIR DESKTOP\AVGUARD.EXE
c:\windows\SYSTEM32\ATIEVXX.EXE
c:\windows\SYSTEM32\CRYPSERV.EXE
c:\program files\COMMON FILES\MOTIVE\MCCICMSERVICE.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\windows\SYSTEM32\FXSSVC.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-04 16:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 21:46
ComboFix2.txt 2009-04-29 23:56
ComboFix3.txt 2009-04-29 22:20
Pre-Run: 186,187,776 bytes free
Post-Run: 223,854,592 bytes free
177
#15
Posted 04 May 2009 - 09:54 PM
Hi,
Too bad you waited a few days, because it's difficult to clean up malware if it changes every time, so the logs don't make sense anymore.
Anyway, MBAM has been updated to deal with the above ones, so
First of all, please update MalwareBytes, because the database version is outdated.
- Start MalwareBytes and click the Update tab. There, click "Check for updates".
- In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
- Once the updates are downloaded, perform a full scan again.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
#16
Posted 05 May 2009 - 01:23 AM
Okay, I updated MBAM and ran a full scan. It identified 7 infections (3 new ones); I hit "Remove Selected", and it said the registry entries could not be deleted and needed to be done at reboot. I let MBAM reboot, then ran the scan again. All infections are still there. Here is the log:
Malwarebytes' Anti-Malware 1.36
Database version: 2075
Windows 5.1.2600 Service Pack 1
05/04/2009 8:23:21 PM
mbam-log-2009-05-04 (20-23-15).txt
Scan type: Quick Scan
Objects scanned: 79298
Time elapsed: 9 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zhcjxcyc (Rootkit.Sentinel) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\zhcjxcyc.sys (Rootkit.Sentinel) -> No action taken.
C:\WINDOWS\system32\drivers\grrpdufj.sys (Rootkit.Sentinel) -> No action taken.
Thanks! Sorry this is such a hassle! But I am back where I keep this computer, so I should be able to be more consistent with it.
Lynne
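The two MBAM logs in this thread show the same four "Browser Settings" values reported on 04/16 (Delete on reboot) and again on 05/04 (No action taken), which is the signal that the cleanup did not stick. The following is an added example, not code from the thread or from Malwarebytes: a small parser for the MBAM 1.x log format that compares two scans and lists which detections persisted, which are new, and which the tool never actually removed. The sample logs are constructed from the entries quoted in this thread, and all function and constant names are this example's own.

```python
"""Added example (not from the thread): parse Malwarebytes' Anti-Malware 1.x
log text and compare two scans to see which detections survived a cleanup.
SCAN_APR16 / SCAN_MAY04 are constructed from entries quoted in the thread."""
import re
from dataclasses import dataclass

# One detection line: "<path> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Per-section headers such as "Registry Values Infected:" (the summary block
# at the top of the log has a trailing count, so it deliberately won't match).
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Actions meaning the object is still present on disk / in the registry.
PENDING_ACTIONS = {"no action taken", "delete on reboot"}


@dataclass(frozen=True)
class Detection:
    section: str
    path: str
    family: str
    action: str


def parse_mbam_log(text):
    """Return every detection listed in the per-section part of an MBAM log."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(section, m.group("path"),
                                   m.group("family"), m.group("action")))
    return found


def pending(detections):
    """Detections MBAM reported but did not actually remove."""
    return [d for d in detections if d.action.casefold() in PENDING_ACTIONS]


def compare_scans(before_text, after_text):
    """(persisted, new) paths between two scans; registry paths are
    case-insensitive on Windows, so compare them casefolded."""
    before = {d.path.casefold() for d in parse_mbam_log(before_text)}
    after = parse_mbam_log(after_text)
    persisted = [d.path for d in after if d.path.casefold() in before]
    new = [d.path for d in after if d.path.casefold() not in before]
    return persisted, new


# Constructed sample logs, abridged to the lines the parser cares about.
SCAN_APR16 = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1945
Registry Keys Infected: 2
Registry Values Infected: 4
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e5abb44c-c68c-414e-91b3-3419ac559b22} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e5abb44c-c68c-414e-91b3-3419ac559b22} (Trojan.Downloader) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\mfc42r.dll (Trojan.Downloader) -> Delete on reboot.
"""

SCAN_MAY04 = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2075
Registry Keys Infected: 1
Registry Values Infected: 4
Files Infected: 2
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zhcjxcyc (Rootkit.Sentinel) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.
Files Infected:
C:\WINDOWS\system32\drivers\zhcjxcyc.sys (Rootkit.Sentinel) -> No action taken.
C:\WINDOWS\system32\drivers\grrpdufj.sys (Rootkit.Sentinel) -> No action taken.
"""

if __name__ == "__main__":
    persisted, new = compare_scans(SCAN_APR16, SCAN_MAY04)
    print("persisted across scans:", *persisted, sep="\n  ")
    print("new in second scan:", *new, sep="\n  ")
    print("still pending after second scan:",
          len(pending(parse_mbam_log(SCAN_MAY04))))
```

Run against the two logs it prints the four Browser Settings values as persisted and the zhcjxcyc service key plus the two .sys files as new, with all seven entries of the second scan still pending. A "Delete on reboot" that reappears as "No action taken" on the next scan is exactly the pattern the helper in post #17 reacts to by moving the deletion out of the running OS.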
#17
Posted 05 May 2009 - 04:52 AM
Hi,
I guess it's because of your FAT32. I see this all the time on FAT32 machines.
Tools just can't deal with these.
I assume you already have the Recovery Console installed? Please print this out, because you don't have access to it from the Recovery Console.
I also suggest you create a backup first of the files you don't want to lose. This is because deleting something via the Recovery Console is really powerful and you cannot afford to make mistakes.
Then,
1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press Enter.
5. At the C:\Windows prompt, type the following bolded commands, and press Enter after each command:
disable zhcjxcyc
disable grrpdufj
del c:\windows\system32\drivers\grrpdufj.sys
del c:\windows\system32\drivers\zhcjxcyc.sys
del c:\windows\System32\mfc42r.dll
exit
Windows will now begin loading.
Don't worry if you get an error for some files that they don't exist.
Then rerun Combofix and post the new log in your next reply.
#18
Posted 05 May 2009 - 03:33 PM
Okay, it appears you've guided me to a clean system (BIG THANKS!!!!), but some things still show up on the CF log. I did the deletions via the Recovery Console, though when I tried to disable grrpdufj, it said there was no registry key associated with that. Also, when I tried to delete mfc42r.dll, it said there was no such file.
Anyway, after that I ran ComboFix and let it restart. Then I ran MBAM; it found one more registry key associated with zhcjxcyc.sys, but it was able to successfully delete that without a restart. I restarted, ran it again, and then it found no infections.
One thing, though, is that when I open Firefox, it says it is not the default browser, as if it keeps getting reset to IE. Was that caused by whatever work we were doing on the system?
Here's the latest CF log, after doing the MBAM cleanout. (Note the [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5ABB44C-C68C-414E-91B3-3419AC559B22}]
c:\windows\System32\mfc42r.dll [BU] entry.)
ComboFix 09-05-04.A3 - mistress pynke 05/05/2009 10:29.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.255.76 [GMT -5:00]
Running from: c:\documents and settings\mistress pynke\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.
2009-04-19 12:22 . 2009-04-19 12:22 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-19 12:22 . 2009-04-19 12:22 -------- d-----w c:\program files\Avira
2009-04-17 16:53 . 2009-04-17 16:53 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-16 20:26 . 2009-04-16 20:26 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\documents and settings\mistress pynke\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 18:59 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 18:59 . 2009-04-16 18:59 -------- d-----w c:\program files\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 14:39 . 2009-03-24 14:39 -------- d-----w c:\program files\EPSON
2009-03-22 17:13 . 2009-03-22 17:13 -------- d-----w c:\program files\GoToMeeting
2009-03-17 17:00 . 2009-03-17 17:00 -------- d-----w c:\program files\ClearMeeting Launcher
2009-03-17 16:18 . 2009-03-17 16:18 -------- d-----r c:\program files\Skype
2006-02-05 20:25 . 2006-02-05 20:25 485 ----a-w c:\program files\HijackThis.exe.lnk
2006-01-26 15:39 . 2004-06-10 04:42 8192 --sha-w c:\program files\Thumbs.db
1997-11-04 17:32 . 2002-06-07 21:44 766 ----a-w c:\program files\PL_E.ICO
2008-09-27 06:01 . 2005-10-21 15:54 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-09-27 06:01 . 2005-10-21 15:54 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-09-27 06:01 . 2007-02-22 22:26 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-09-27 06:01 . 2007-02-22 22:26 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-09-27 06:01 . 2005-10-21 15:54 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 2003-12-23 11:33 2041984 42BA1A1D33271711976514B227AD371F c:\windows\system32\NTOSKRNL.EXE
[7] 2003-04-24 16:57 1925760 97EC4AB4650DA6FC521CF16F8A6DDCB0 c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2002-08-29 10:03 2042240 B9080D97DBD631AADF9128F7316958D2 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-29_22.17.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-19 12:22 . 2009-04-29 22:24 96104 c:\windows\system32\drivers\avipbb.sys
+ 2002-05-01 13:09 . 2009-05-05 15:28 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2002-05-01 13:09 . 2009-04-29 22:08 262144 c:\windows\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5ABB44C-C68C-414E-91B3-3419AC559B22}]
c:\windows\System32\mfc42r.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"="/C" [X]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-07-05 217088]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-6-2 49254]
Adobe Reader Speed Launch.lnk - d:\acrobat\Reader\reader_sl.exe [2008-4-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\Resources\Themes\logonui.exe"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"AOL ACS"=2 (0x2)
"wuauserv"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [04/19/2009 7:22 AM 22360]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [01/29/2005 4:30 PM 17792]
R0 va16w2;va16w2;c:\windows\system32\drivers\va16w2.sys [09/08/2001 9:57 AM 18665]
R0 va32w2;va32w2;c:\windows\system32\drivers\va32w2.sys [09/08/2001 8:52 PM 25689]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [04/19/2009 7:22 AM 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [04/19/2009 7:22 AM 108289]
R3 VIAMODEM;VIAMODEM;c:\windows\system32\drivers\VIAMODEM.sys [02/27/2007 7:26 PM 66385]
S2 ipx;TCP-IP Service;c:\windows\system32\dllcache\ipxserv.exe --> c:\windows\system32\dllcache\ipxserv.exe [?]
S2 mrtRate;mrtRate; [x]
S2 NICSer_BCM43XX;NICSer_BCM43XX;c:\program files\Wireless\IEEE802.11g WLAN Card\NICServ.exe [07/15/2006 12:41 PM 458240]
S3 ati2mpab;ati2mpab;c:\windows\system32\drivers\ati2mpab.sys [12/15/2007 5:42 PM 298752]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [07/06/2004 6:26 PM 38604]
S3 JumpShot;Lexar Media USB Compact Flash Driver;c:\windows\system32\drivers\LEXAR2K.SYS [10/19/2001 2:57 PM 16969]
S3 mamovec;mamovec;c:\windows\system32\drivers\mamovec.sys [12/08/2008 9:39 PM 24784]
S3 mamovem;mamovem;c:\windows\system32\drivers\mamovem.sys [12/08/2008 9:39 PM 25044]
S3 mamoveu;mamoveu;c:\windows\system32\drivers\mamoveu.sys [12/08/2008 9:39 PM 51584]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/08/2008 9:16 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/08/2008 9:16 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/08/2008 9:16 PM 23680]
.
Contents of the 'Scheduled Tasks' folder
2002-05-01 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-22 11:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\mistress pynke\Application Data\Mozilla\Firefox\Profiles\default.2od\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 10:31
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(688)
c:\windows\System32\ODBC32.dll
- - - - - - - > 'lsass.exe'(744)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(2736)
c:\windows\System32\msi.dll
.
Completion time: 2009-05-05 10:33
ComboFix-quarantined-files.txt 2009-05-05 15:33
ComboFix2.txt 2009-05-05 12:37
ComboFix3.txt 2009-05-04 21:46
ComboFix4.txt 2009-04-29 23:56
ComboFix5.txt 2009-05-05 15:27
Pre-Run: 1,177,964,544 bytes free
Post-Run: 1,161,342,976 bytes free
145
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/08/2008 9:16 PM 23680]
.
Contents of the 'Scheduled Tasks' folder
2002-05-01 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-22 11:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\mistress pynke\Application Data\Mozilla\Firefox\Profiles\default.2od\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 10:31
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(688)
c:\windows\System32\ODBC32.dll
- - - - - - - > 'lsass.exe'(744)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(2736)
c:\windows\System32\msi.dll
.
Completion time: 2009-05-05 10:33
ComboFix-quarantined-files.txt 2009-05-05 15:33
ComboFix2.txt 2009-05-05 12:37
ComboFix3.txt 2009-05-04 21:46
ComboFix4.txt 2009-04-29 23:56
ComboFix5.txt 2009-05-05 15:27
Pre-Run: 1,177,964,544 bytes free
Post-Run: 1,161,342,976 bytes free
#19
Posted 05 May 2009 - 03:49 PM
Hi,
Quote
When I tried to disable the grrpdufj, it said there was no registry key associated with that. Also when I tried to delete mfc42r.dll, it said there was no such file.
Yes, that's why I also said in my previous post that you could get some errors about that - this in case the files were not present anymore, but better safe than sorry and add them for deletion anyway.
We're almost finished here..
Check and fix the following entry in HijackThis:
O2 - BHO: (no name) - {E5ABB44C-C68C-414E-91B3-3419AC559B22} - C:\WINDOWS\System32\mfc42r.dll
It should say: (File missing) next to it.
Then, go to start > run and copy and paste next command in the field:
sc delete ipx
Hit enter
Quote
One thing, tho, is that when I open Firefox, it says it is not the default browser, as if it keeps getting reset to IE. Was that caused by whatever work we were doing on the system?
Yes, that's because of Combofix restoring the default settings for IE again, so it also sets IE back to the default browser again.
Just set it back to Firefox.
* Go to start > run and copy and paste next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Let me know in your next reply how things are now.
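The two manual fixes in the post above (remove a BHO whose DLL is gone, delete a service whose EXE is gone) are both instances of one check: an autostart entry whose binary no longer exists on disk. The Windows PowerShell script below is an added example, not part of the original thread and not code from ComboFix, HijackThis or Malwarebytes; it generalises that check to every BHO and every Win32 service on the machine. The function names, the -Remove switch and the report format are my own. It assumes Windows PowerShell 2.0 or later run from an elevated prompt, and uses only the standard BHO and CLSID registry locations.

```powershell
# Added example, not from the original thread: find autostart entries whose
# binary no longer exists, which is the state behind both manual fixes above
# (the BHO pointing at the deleted mfc42r.dll, and the "ipx" service pointing
# at a missing ipxserv.exe). Assumes Windows PowerShell 2.0 or later, run from
# an elevated prompt. Report-only by default; -Remove actually deletes.
param([switch]$Remove)

$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Resolve a service ImagePath to the executable it actually launches. Unquoted
# paths with spaces are tried prefix by prefix, the same way the service
# controller does, so "c:\program files\x\y.exe -arg" is not misread as "c:\program".
function Resolve-ServiceExe([string]$PathName) {
    if (-not $PathName) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    $parts = $p -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]   # nothing on disk matched; report the first token
}

# Each installed BHO is a CLSID subkey; its DLL is the default value of
# HKCR\CLSID\{clsid}\InprocServer32. Emit the ones whose DLL is absent.
function Get-OrphanedBho {
    if (-not (Test-Path $BhoKey)) { return }
    foreach ($sub in Get-ChildItem $BhoKey) {
        $clsid  = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) {
            $dll = (Get-ItemProperty $server).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }
        if ((-not $dll) -or (-not (Test-Path -LiteralPath $dll))) {
            New-Object PSObject -Property @{ Clsid = $clsid; Dll = $dll }
        }
    }
}

# Win32 services whose resolved executable is absent from disk.
function Get-OrphanedService {
    foreach ($svc in Get-WmiObject Win32_Service) {
        $exe = Resolve-ServiceExe $svc.PathName
        if ((-not $exe) -or (-not (Test-Path -LiteralPath $exe))) {
            New-Object PSObject -Property @{
                Name = $svc.Name; DisplayName = $svc.DisplayName; Path = $svc.PathName
            }
        }
    }
}

$bhos = @(Get-OrphanedBho)
$svcs = @(Get-OrphanedService)
"Orphaned BHOs: $($bhos.Count)"
$bhos | Format-Table Clsid, Dll -AutoSize
"Orphaned services: $($svcs.Count)"
$svcs | Format-Table Name, DisplayName, Path -AutoSize

if ($Remove) {
    foreach ($b in $bhos) {
        # Same effect as fixing the O2 line in HijackThis: drop the BHO registration.
        Remove-Item -LiteralPath (Join-Path $BhoKey $b.Clsid) -Recurse -Force
    }
    foreach ($s in $svcs) {
        # Same as the "sc delete ipx" step, applied to each orphaned service.
        & sc.exe delete $s.Name
    }
}
```

Run it without -Remove first and compare the report against what the scanner actually flagged: on this machine that is the BHO {E5ABB44C-C68C-414E-91B3-3419AC559B22} pointing at mfc42r.dll and the "ipx" service (display name "TCP-IP Service") pointing at a missing ipxserv.exe. A missing binary on its own is not proof of malware; an uninstaller that left its service behind produces the same trace, so each hit deserves a look before deletion. Two scope caveats: Win32_Service does not cover kernel drivers (the R0/S3 .sys entries in the ComboFix log are under Win32_SystemDriver), and on 64-bit Windows 32-bit BHOs are registered under the Wow6432Node branches of both keys, which this script does not walk.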
#20
Posted 05 May 2009 - 04:31 PM
Okay did all that - it all seems fine. Great..
New thing though, is that now I am getting "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience" error which is making the internet not work. When I click "show available networks" everything is greyed out except for cancel. When I connect via ethernet, it shows connection to the network, but I can't actually access any pages.
Your help is greatly appreciated.