Malwarebytes

Can't get rid of Trojan Vundo H

20 replies to this topic

#1
Alana

    New Member

  • Members
  • 13 posts
Hello -

I can't get rid of Trojan Vundo H no matter how many times I run malwarebytes and reboot. I'm not sure what to do at this point. My logs are listed below.

Thank you for taking a look!

Alana

Malwarebytes' Anti-Malware 1.36
Database version: 2019
Windows 5.1.2600 Service Pack 3

4/22/2009 11:33:02 AM
mbam-log-2009-04-22 (11-33-02).txt

Scan type: Quick Scan
Objects scanned: 84002
Time elapsed: 7 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\lokvbdj.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b129f4d-b0c3-4b14-b29f-921ccf9d8b25} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uaclfwtu (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2b129f4d-b0c3-4b14-b29f-921ccf9d8b25} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pknasbjt (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pknasbjt (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b129f4d-b0c3-4b14-b29f-921ccf9d8b25} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\lokvbdj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ugfonut.dll (Trojan.Vundo.H) -> Delete on reboot.

END OF MALWAREBYTES LOG

START OF HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:25 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B129F4D-B0C3-4B14-B29F-921CCF9D8B25} - c:\windows\system32\lokvbdj.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.taxsoftware.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240109255031
O20 - Winlogon Notify: uaclfwtu - C:\WINDOWS\SYSTEM32\lokvbdj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6035 bytes
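The HijackThis log above shows the three persistence points a responder would look at first: the IE proxy set to localhost:7171, the BHO with no display name, and the Winlogon Notify hook, the last two both pointing at the same lokvbdj.dll. The Python triage below is an added example, not code from the thread, Malwarebytes or HijackThis; its sample log is constructed from entries visible in the thread, and the rule set and severities are my own assumptions.

```python
"""Triage a HijackThis-style log for the persistence hooks seen in this thread.

Added example (not code from the thread, Malwarebytes or HijackThis). It parses
the "Rn - ..." / "On - ..." entry lines HijackThis emits and applies three
assumed rules: a browser proxy on localhost, a BHO with no display name, and one
module registered under more than one hook.
"""
import re
from collections import defaultdict

# Constructed sample in the same line format as the thread's log; the entry
# values are copied from lines visible in the thread.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B129F4D-B0C3-4B14-B29F-921CCF9D8B25} - c:\windows\system32\lokvbdj.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: uaclfwtu - C:\WINDOWS\SYSTEM32\lokvbdj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in .dll or .exe; the quotes around "Program Files"
# paths in O4 entries are excluded from the match.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe)', re.IGNORECASE)
LOCAL_HOST_RE = re.compile(r"\b(?:localhost|127\.0\.0\.1)\b", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per R/O entry: section, raw body, lowercased module paths."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            body = m.group("body")
            paths = [p.lower() for p in PATH_RE.findall(body)]
            entries.append({"section": m.group("section"), "body": body, "paths": paths})
    return entries


def shared_modules(entries):
    """Map module path -> set of sections referencing it, for paths used by 2+ hooks."""
    by_path = defaultdict(set)
    for e in entries:
        for p in e["paths"]:
            by_path[p].add(e["section"])
    return {p: s for p, s in by_path.items() if len(s) >= 2}


def triage_log(text):
    """Apply the rules; each finding is a dict with severity, reason and the entry."""
    entries = parse_hjt(text)
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "R1" and "ProxyServer" in body and LOCAL_HOST_RE.search(body):
            # Every IE request is relayed through a process listening on this host.
            findings.append({"severity": "HIGH", "entry": body,
                             "reason": "browser proxy points at a local port"})
        elif sec == "O2" and "(no name)" in body:
            findings.append({"severity": "MEDIUM", "entry": body,
                             "reason": "BHO without a display name; legitimate add-ons "
                                       "almost always register one"})
        elif sec == "O20":
            # Loaded by winlogon.exe at logon, so the file is in use for the whole
            # session and a scanner can only schedule it for deletion at reboot.
            findings.append({"severity": "MEDIUM", "entry": body,
                             "reason": "Winlogon Notify DLL loads inside winlogon.exe"})
    for path, sections in shared_modules(entries).items():
        findings.append({"severity": "HIGH", "entry": path,
                         "reason": "one module wired into several hooks: "
                                   + ", ".join(sorted(sections))})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"[{f['severity']}] {f['reason']}\n    {f['entry']}")
```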

#2
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location: Westchester County, NY
Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune
  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create, such as C:\ARK\, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingc...opic114351.html

Next, please perform a rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the program.
  • Save the scan log as ARK.txt and post it in your next reply. If the log is very long, attach it please.


Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as rainbow.exe

Notes:
  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.

  • For Firefox: you may have to modify your browser settings so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingc...to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html

Also, disable your firewall!
You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
1. Double-click on the renamed Combofix (rainbow.exe) on your desktop & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt; if you renamed Combofix, the TXT file may also be renamed in the same way (let me know).
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouse-click Combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt and a new HJT log in your next reply.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#3
Alana

    New Member

  • Members
  • 13 posts
I would like to thank negster22 for the detailed response to my query - I greatly appreciate it! However, the instructions you gave involve downloading several different programs, running them, and rebooting all with my anti-virus software and firewall disabled. Although I am reasonably computer savvy, I am far from an expert, or I would not be consulting this forum. The steps you have suggested are, frankly, a bit scary. I am not even sure what Trojan Vundo H actually does, and what is the risk to my machine of having it vs. trying every possible method of removing it?

I am including here the new logs I have from the updated version of malwarebytes - I have tried rebooting in safe mode and running malwarebytes in that situation to no avail.

New Logs:

Malwarebytes' Anti-Malware 1.36
Database version: 2029
Windows 5.1.2600 Service Pack 3

4/22/2009 5:13:12 PM
mbam-log-2009-04-22 (17-13-12).txt

Scan type: Quick Scan
Objects scanned: 83274
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\lokvbdj.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b129f4d-b0c3-4b14-b29f-921ccf9d8b25} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uaclfwtu (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2b129f4d-b0c3-4b14-b29f-921ccf9d8b25} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pknasbjt (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pknasbjt (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\lokvbdj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ugfonut.dll (Trojan.Vundo.H) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:48 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B129F4D-B0C3-4B14-B29F-921CCF9D8B25} - c:\windows\system32\lokvbdj.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.taxsoftware.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240109255031
O20 - Winlogon Notify: uaclfwtu - C:\WINDOWS\SYSTEM32\lokvbdj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6036 bytes

Thank you once again for your help with this matter,

Alana



#4
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location: Westchester County, NY
I understand your concern about disabling your antivirus software, but I only want you to do that during the Combofix run.

Combofix severs your internet access during the scan so you are safe from online intruders during its execution.

Immediately following the Combofix run, you can restore all your security components that were disabled.

I hope that relieves your fears somewhat. The reason we need to run Combofix is that we have to manually remove some items that are hidden, but Combofix can see them. This method has been fail-safe on thousands of machines thus far in completely removing Vundo.H infections. Think of it this way: if your AV let the threat in, then why do you think it is so essential to have on when troubleshooting the infection during a time when there is no internet connection? It certainly has done nothing to mitigate the threat.

Please follow my instructions to run Combofix or we'll be at an impasse.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#5
Alana

    New Member

  • Members
  • 13 posts
OK, negster22, you talked me into it, so I went through all of the steps, hopefully correctly, and my screensaver did not turn into a huge monster face with smoke billowing out of its nostrils! (at least not yet anyway!)

Attached are all of my logs. My HijackThis log apparently wouldn't upload, so I am pasting it in below.

According to ComboFix, it looks to me like an infected .dll file still failed to delete. I have rerun malwarebytes, and unfortunately I still have Trojan Vundo H which is proving to be quite tenacious.

Any recommendations at this point?

Thank you,

Alana

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:13 AM, on 4/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B129F4D-B0C3-4B14-B29F-921CCF9D8B25} - c:\windows\system32\lokvbdj.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.taxsoftware.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240109255031
O20 - Winlogon Notify: uaclfwtu - C:\WINDOWS\SYSTEM32\lokvbdj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6037 bytes

Attached Files
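Added example, not code from the thread or from HijackThis: a small triage script that runs over a few lines constructed from the log above and reports a DLL registered both as an O2 BHO and as an O20 Winlogon Notify handler, an unnamed BHO, and a ProxyServer setting that points at the local machine. The regexes, function names and finding wording are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {2B129F4D-B0C3-4B14-B29F-921CCF9D8B25} - c:\windows\system32\lokvbdj.dll",
    r"O20 - Winlogon Notify: uaclfwtu - C:\WINDOWS\SYSTEM32\lokvbdj.dll",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")


def norm_path(path):
    """Case-fold a Windows path so System32 and SYSTEM32 compare equal."""
    return path.strip().lower().replace("/", "\\")


def parse_hjt(lines):
    """Collect the O2 (BHO), O20 (Winlogon Notify) and R1 proxy entries."""
    found = {"bho": [], "notify": [], "proxy": []}
    for line in lines:
        line = line.rstrip()
        if m := BHO_RE.match(line):
            found["bho"].append((m["name"], m["clsid"].upper(), norm_path(m["path"])))
        elif m := NOTIFY_RE.match(line):
            found["notify"].append((m["key"], norm_path(m["path"])))
        elif m := PROXY_RE.match(line):
            found["proxy"].append(m["proxy"].strip())
    return found


def triage(lines):
    """Return a sorted list of findings; an empty list means nothing matched."""
    found = parse_hjt(lines)
    findings = []
    roles = defaultdict(list)  # dll path -> [(kind, description)]
    for name, clsid, path in found["bho"]:
        roles[path].append(("BHO", f"BHO {{{clsid}}} '{name}'"))
        if name.strip().lower() == "(no name)":
            findings.append(f"{path}: BHO {{{clsid}}} has no display name")
    for key, path in found["notify"]:
        roles[path].append(("Notify", f"Winlogon Notify '{key}'"))
    # One DLL registered both as a browser helper and as a winlogon notify
    # handler is the layout the lokvbdj.dll / uaclfwtu pair shows in the log above.
    for path, entries in roles.items():
        kinds = {kind for kind, _ in entries}
        if {"BHO", "Notify"} <= kinds:
            desc = " and ".join(d for _, d in entries)
            findings.append(f"{path}: registered as {desc}")
    # A proxy on the local machine is worth confirming against installed software.
    for proxy in found["proxy"]:
        if "localhost" in proxy.lower() or "127.0.0.1" in proxy:
            findings.append(f"ProxyServer = {proxy}: loopback proxy, confirm which installed program owns it")
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES):
        print(finding)
```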



#6
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Hi Alana,

Good job!

Please relaunch the antirootkit program I had you run before, by double-clicking the EXE located within the C:\ARK folder.
After the quick scan finishes in a few seconds, click the ">>>" tab; this will reveal another set of tabs.
Click the Registry tab.
Now we are going to expand the Registry tree by clicking the + signs next to the keys I indicate, as follows:
  • Click the "+" sign next to HKEY_LOCAL_MACHINE
  • Click the "+" sign next to System
  • Click the "+" sign next to CurrentControlSet
  • Click the "+" sign next to Services
Now a list of services will be displayed, arranged in numerical, then alphabetical order.
In the list of services, locate the following service:
eqrrrcaf
Left-click this service, and you will see several fields of information displayed in the right pane, such as: Image Path, Start, Type, etc.
Next click the Export button, and you will be prompted for a filename and location to save this information to.
Save it as filename: eqrrrcaf.txt
Save it to your Documents folder.
Exit the antirootkit program.

Now, open your documents program and make sure the eqrrrcaf.txt was saved and either attach or copy/paste that file in your next reply.

--------------------
We have some more items to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.
Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::

Driver::
eqrrrcaf

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}]

Rootkit::
c:\windows\system32\lokvbdj.dll
c:\windows\system32\drivers\eqrrrcaf.sys

File::
c:\windows\SYSTEM32\ugfonut.dll

DirLook::
c:\documents and settings\Julia\Local Settings\Application Data\fyvzeeij
c:\documents and settings\Julia\Application Data\fyvzeeij

Next disable your antimalware and security program's active protection until Combofix is finished running.

Posted Image

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (waterfall.exe)

This will cause ComboFix to run again.

After Combofix has finished, please re-enable your active protection.

Please post back the log that opens when it finishes, called C:\Combofix.txt, and also attach eqrrrcaf.txt.

Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#7
Alana

    New Member

  • Members
  • 13 posts
Hi negster22 - I went through all of the steps again - hopefully I didn't mess up - and I've attached my logs.

Thank-you for taking a look!

Alana

Attached Files



#8
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
No, you did fine, but I'm surprised to see an Avenger log was created. Did you download and run Avenger on your own? That is not a good idea. If you did, what script did you use?

Please delete the CFScript on your desktop.

Create a new CFScript:
Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.
Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}]

Driver::
wvkmpnyv
eqrrrcaf
pknasbjt

Rootkit::
c:\windows\system32\drivers\eqrrrcaf.sys
c:\windows\system32\drivers\wvkmpnyv.sys
c:\windows\system32\drivers\pknasbjt.sys
c:\windows\SYSTEM32\ugfonut.dll
c:\windows\system32\lokvbdj.dll

Folder::
c:\documents and settings\Julia\Application Data\fyvzeeij
c:\documents and settings\Julia\Local Settings\Application Data\fyvzeeij
c:\documents and settings\NetworkService\Application Data\fyvzeeij

Next disable your antimalware and security program's active protection until Combofix is finished running.

Posted Image

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (waterfall.exe)

This will cause ComboFix to run again.

After Combofix has finished, please re-enable your active protection.

Please copy and paste into your next reply (do NOT attach) the following three logs:

1. C:\Avenger.txt
2. C:\Combofix.txt
3. C:\Qoobox\ComboFix-quarantined-files.txt
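Added example, not part of the thread or of ComboFix: a parser for the "Section::" layout of the CFScripts above, plus a consistency check that every Driver:: name also has its .sys file listed under Rootkit:: or File::. The section list and the pairing rule are this example's own assumptions (ComboFix's script grammar is not documented on this page); the sample script is constructed with a deliberately misspelled driver extension so the check has something to report.

```python
import ntpath
import re

# Constructed sample modelled on the CFScripts in this thread. The path
# "eqrrrcaf.ysy" is deliberately misspelled so the check below has a defect to flag.
SAMPLE_CFSCRIPT = """\
KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}]

Driver::
wvkmpnyv
eqrrrcaf
pknasbjt

Rootkit::
c:\\windows\\system32\\drivers\\eqrrrcaf.ysy
c:\\windows\\system32\\drivers\\wvkmpnyv.sys
c:\\windows\\system32\\drivers\\pknasbjt.sys
c:\\windows\\SYSTEM32\\ugfonut.dll
c:\\windows\\system32\\lokvbdj.dll

Folder::
c:\\documents and settings\\Julia\\Application Data\\fyvzeeij
"""

# Section names used by the scripts in this thread (assumption: not a complete list).
KNOWN_SECTIONS = {"KillAll", "Driver", "Registry", "Rootkit", "File", "Folder", "DirLook"}
PATH_SECTIONS = ("Rootkit", "File", "Folder", "DirLook")
SECTION_RE = re.compile(r"^(\w+)::$")
DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def parse_cfscript(text):
    """Map each 'Name::' header to the non-blank lines that follow it."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def validate_cfscript(text):
    """Return a list of problems; an empty list means the script is consistent."""
    issues = []
    sections = parse_cfscript(text)
    for name in sections:
        if name not in KNOWN_SECTIONS:
            issues.append(f"unknown section {name}::")
    for entry in sections.get("Registry", []):
        if not (entry.startswith("[") and entry.endswith("]")):
            issues.append(f"Registry:: entry is not a bracketed key: {entry}")
    for sec in PATH_SECTIONS:
        for entry in sections.get(sec, []):
            if not DRIVE_RE.match(entry):
                issues.append(f"{sec}:: entry is not an absolute Windows path: {entry}")
    # This example's own rule: a Driver:: name should have its .sys file listed
    # for deletion too, otherwise the service entry goes but the file stays.
    listed = {ntpath.basename(p).lower()
              for sec in ("Rootkit", "File") for p in sections.get(sec, [])}
    for drv in sections.get("Driver", []):
        if f"{drv.lower()}.sys" not in listed:
            issues.append(f"Driver:: {drv} has no matching {drv}.sys under Rootkit:: or File::")
    return issues


if __name__ == "__main__":
    for issue in validate_cfscript(SAMPLE_CFSCRIPT):
        print(issue)
```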

#9
Alana

    New Member

  • Members
  • 13 posts
I don't know what Avenger is - I didn't download anything today or use any script other than what was in your last post. I will follow the new steps tomorrow and post the new logs like you said.

Thank-you,

Alana

#10
Alana

    New Member

  • Members
  • 13 posts
One more thing - when I ran Combofix today the first thing that happened was it said there was an update and did I want it so I clicked "yes" - I guess that constitutes a download.

Alana

#11
Alana

    New Member

  • Members
  • 13 posts
Hello again -

I followed the instructions as closely as possible. The previous script was not on my desktop to delete, since I had dragged it into the Combofix icon. I searched for the file but could not find it. Then I found it later, after I had completed all the other steps; it had a longer name and was in a different place, so I deleted it. Also, I had to change the fake name of Combofix. After I dragged in the new script and opened it, it asked if I wanted the update and I clicked no, but then I changed my mind about that, so to exit the program and start over I clicked no on the next window. When I started over, I got a pop-up that said I had to rename it.

Thanks for all of your help so far, and here are the logs you requested - I found the Avenger log, but that program is totally unfamiliar to me - I am usually very wary about downloading stuff:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Error: could not open file "c:\WINDOWS\SYSTEM32\lokvbdj.dll"
Deletion of file "c:\WINDOWS\SYSTEM32\lokvbdj.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open file "c:\WINDOWS\SYSTEM32\lokvbdj.dll"
Deletion of file "c:\WINDOWS\SYSTEM32\lokvbdj.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b129f4d-b0c3-4b14-b29f-921ccf9d8b25}" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b129f4d-b0c3-4b14-b29f-921ccf9d8b25}" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uaclfwtu" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\uaclfwtu" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.


ComboFix 09-04-25.A1 - Julia 04/25/2009 7:48.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.234 [GMT -7:00]
Running from: c:\documents and settings\Julia\Desktop\Gadget.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lokvbdj.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_pknasbjt


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-25 14:44 . 2009-04-25 14:44 -------- d-----w C:\Waterfall
2009-04-22 18:19 . 2009-04-22 18:19 -------- d-----w c:\documents and settings\Julia\Local Settings\Application Data\fyvzeeij
2009-04-22 18:19 . 2009-04-22 18:19 -------- d-----w c:\documents and settings\Julia\Application Data\fyvzeeij
2009-04-22 17:30 . 2009-04-22 17:30 -------- d-sh--w C:\FOUND.012
2009-04-21 17:45 . 2009-04-21 17:45 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\fyvzeeij
2009-04-21 17:45 . 2009-04-21 17:45 -------- d-----w c:\documents and settings\NetworkService\Application Data\fyvzeeij
2009-04-21 15:50 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-21 15:50 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-19 14:31 . 2008-10-16 21:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-19 14:31 . 2008-10-16 21:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-19 00:03 . 2009-04-19 00:03 -------- d-sh--w C:\FOUND.011
2009-04-18 23:55 . 2009-04-18 23:55 -------- d-sh--w c:\documents and settings\Jim\IETldCache
2009-04-18 23:44 . 2009-04-18 23:44 -------- d-sh--w C:\FOUND.010
2009-04-18 23:39 . 2009-04-25 14:53 0 ----a-w c:\windows\system32\NvApps.xml
2009-04-18 23:37 . 2009-04-18 23:37 -------- d-sh--w C:\FOUND.009
2009-04-18 23:29 . 2009-04-18 23:29 -------- d-sh--w C:\FOUND.008
2009-04-18 21:30 . 2009-04-18 21:30 -------- d-sh--w C:\FOUND.007
2009-04-18 20:23 . 2009-04-18 20:23 -------- d-----w C:\a6b12b8cec4c2970bad44265679938
2009-04-17 00:24 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 00:24 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 00:24 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 00:24 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 00:24 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 00:24 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 00:24 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 00:24 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 00:24 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 00:23 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 00:23 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 00:23 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 15:22 . 2009-04-15 15:22 -------- d-----w C:\btax
2009-04-15 01:36 . 2009-04-15 01:36 -------- d-sh--w C:\FOUND.006
2009-04-01 03:04 . 2009-04-01 03:04 -------- d-sh--w c:\documents and settings\Julia\IECompatCache
2009-03-31 14:58 . 2009-03-31 14:58 -------- d-----w c:\documents and settings\Julia\Local Settings\Application Data\Intuit
2009-03-31 13:45 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-03-30 18:17 . 2009-03-30 18:17 -------- d-----w c:\windows\system32\XPSViewer
2009-03-30 18:16 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-30 18:16 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-03-30 18:16 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-30 18:16 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-03-30 18:16 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-30 18:16 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-03-30 18:16 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-03-30 18:16 . 2009-03-30 18:16 -------- d-----w c:\windows\SxsCaPendDel
2009-03-30 17:59 . 2009-03-30 17:59 -------- d-sh--w c:\documents and settings\Julia\PrivacIE
2009-03-30 17:58 . 2009-03-30 17:58 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-03-30 17:58 . 2009-03-30 17:58 -------- d-sh--w c:\documents and settings\Julia\IETldCache
2009-03-30 17:44 . 2009-03-30 17:44 -------- d-----w c:\windows\ie8updates
2009-03-30 17:40 . 2009-03-30 17:40 -------- d--h--w c:\windows\ie8
2009-03-30 17:39 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 14:51 . 2009-04-25 14:51 2902 ----a-w C:\avenger.txt
2009-04-24 15:05 . 2002-08-29 19:00 23424 ----a-w c:\windows\system32\drivers\wvkmpnyv.sys
2009-04-23 16:48 . 2002-08-29 19:00 104448 ----a-w c:\windows\SYSTEM32\ugfonut.dll
2009-04-21 15:50 . 2009-04-21 15:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 03:15 . 2004-08-01 18:00 46512 ----a-w c:\documents and settings\Julia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 21:30 . 2004-07-30 15:08 90112 ----a-w c:\windows\DUMP81f4.tmp
2009-04-18 17:03 . 2009-04-18 17:03 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-18 16:14 . 2009-04-18 16:14 -------- d-----w c:\program files\Trend Micro
2009-04-18 01:28 . 2002-08-29 19:00 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-18 01:28 . 2002-08-29 19:00 182656 ----a-w c:\windows\SYSTEM32\dllcache\ndis.sys
2009-03-31 14:51 . 2009-03-31 14:51 -------- d-----w c:\program files\TurboTax
2009-03-30 18:17 . 2009-03-30 18:17 -------- d-----w c:\program files\MSBuild
2009-03-30 18:17 . 2009-03-30 18:17 -------- d-----w c:\program files\Reference Assemblies
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\dllcache\kernel32.dll
2009-03-11 05:18 . 2006-04-10 20:00 934792 ------w c:\windows\SYSTEM32\dllcache\WgaTray.exe
2009-03-11 05:18 . 2006-04-10 20:00 239496 ------w c:\windows\SYSTEM32\dllcache\wgaLogon.dll
2009-03-08 21:09 . 2006-11-07 10:27 391536 ----a-w c:\windows\SYSTEM32\dllcache\iedkcs32.dll
2009-03-08 21:09 . 2006-10-17 19:04 638816 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2009-03-08 11:41 . 2006-05-19 18:06 5937152 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2009-03-08 11:39 . 2007-05-09 16:03 11063808 ----a-w c:\windows\SYSTEM32\dllcache\ieframe.dll
2009-03-08 11:34 . 2006-05-10 08:25 914944 ----a-w c:\windows\SYSTEM32\dllcache\wininet.dll
2009-03-08 11:34 . 2005-10-21 19:51 914944 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-08 11:34 . 2006-05-10 08:25 1206784 ----a-w c:\windows\SYSTEM32\dllcache\urlmon.dll
2009-03-08 11:34 . 2006-11-08 04:03 236544 ----a-w c:\windows\SYSTEM32\dllcache\webcheck.dll
2009-03-08 11:34 . 2006-10-17 19:05 43008 ----a-w c:\windows\SYSTEM32\dllcache\licmgr10.dll
2009-03-08 11:34 . 2002-08-29 19:00 43008 ----a-w c:\windows\SYSTEM32\licmgr10.dll
2009-03-08 11:34 . 2006-10-17 19:05 105984 ----a-w c:\windows\SYSTEM32\dllcache\url.dll
2009-03-08 11:34 . 2006-10-17 19:04 109568 ----a-w c:\windows\SYSTEM32\dllcache\occache.dll
2009-03-08 11:34 . 2006-05-10 08:25 193536 ----a-w c:\windows\SYSTEM32\dllcache\msrating.dll
2009-03-08 11:33 . 2006-09-18 17:15 759296 ----a-w c:\windows\SYSTEM32\dllcache\VGX.dll
2009-03-08 11:33 . 2009-03-08 11:33 18944 ------w c:\windows\SYSTEM32\dllcache\corpol.dll
2009-03-08 11:33 . 2002-08-29 19:00 18944 ----a-w c:\windows\SYSTEM32\corpol.dll
2009-03-08 11:33 . 2006-05-10 08:25 25600 ----a-w c:\windows\SYSTEM32\dllcache\jsproxy.dll
2009-03-08 11:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\SYSTEM32\dllcache\jscript.dll
2009-03-08 11:33 . 2006-11-07 10:27 229376 ----a-w c:\windows\SYSTEM32\dllcache\ieaksie.dll
2009-03-08 11:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\SYSTEM32\dllcache\vbscript.dll
2009-03-08 11:33 . 2002-08-29 19:00 420352 ----a-w c:\windows\SYSTEM32\vbscript.dll
2009-03-08 11:33 . 2006-11-07 10:26 125952 ----a-w c:\windows\SYSTEM32\dllcache\ieakeng.dll
2009-03-08 11:32 . 2006-11-07 10:26 72704 ----a-w c:\windows\SYSTEM32\dllcache\admparse.dll
2009-03-08 11:32 . 2002-08-29 19:00 72704 ----a-w c:\windows\SYSTEM32\admparse.dll
2009-03-08 11:32 . 2006-11-07 10:26 173056 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2009-03-08 11:32 . 2002-08-29 19:00 163840 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2009-03-08 11:32 . 2006-11-07 10:26 71680 ----a-w c:\windows\SYSTEM32\dllcache\iesetup.dll
2009-03-08 11:32 . 2006-11-07 10:26 55808 ----a-w c:\windows\SYSTEM32\dllcache\iernonce.dll
2009-03-08 11:32 . 2002-08-29 19:00 71680 ----a-w c:\windows\SYSTEM32\iesetup.dll
2009-03-08 11:32 . 2006-11-07 10:26 128512 ----a-w c:\windows\SYSTEM32\dllcache\advpack.dll
2009-03-08 11:32 . 2006-05-10 08:25 94720 ----a-w c:\windows\SYSTEM32\dllcache\inseng.dll
2009-03-08 11:32 . 2007-05-09 16:03 594432 ----a-w c:\windows\SYSTEM32\dllcache\msfeeds.dll
2009-03-08 11:32 . 2007-05-09 16:03 1985024 ----a-w c:\windows\SYSTEM32\dllcache\iertutil.dll
2009-03-08 11:32 . 2006-05-10 08:25 611840 ----a-w c:\windows\SYSTEM32\dllcache\mstime.dll
2009-03-08 11:24 . 2006-10-17 18:44 68608 ----a-w c:\windows\SYSTEM32\dllcache\hmmapi.dll
2009-03-08 11:22 . 2002-08-29 19:00 156160 ----a-w c:\windows\SYSTEM32\msls31.dll
2009-03-08 11:22 . 2002-08-29 19:00 156160 ----a-w c:\windows\SYSTEM32\dllcache\msls31.dll
2009-03-08 11:11 . 2007-05-09 16:03 445952 ----a-w c:\windows\SYSTEM32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2002-08-29 19:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-02-09 12:10 . 2002-08-29 19:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 06:31 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 19:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 19:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-16 02:01 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2002-08-29 19:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 02:02 . 2008-10-16 02:01 2066048 ------w c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2009-02-08 02:02 . 2002-08-29 08:04 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-07 04:07 . 2007-05-09 16:03 3698584 ----a-w c:\windows\SYSTEM32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2002-08-29 19:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-16 02:01 2189056 ------w c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2002-08-29 19:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-16 02:01 2145280 ------w c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2002-08-29 19:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2002-08-29 19:00 35328 ----a-w c:\windows\SYSTEM32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-16 02:01 2023936 ------w c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\dllcache\secur32.dll
2009-02-03 19:59 . 2002-08-29 19:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-06-02 21:02 . 2007-06-02 21:02 37440 ----a-w c:\documents and settings\Julia\Application Data\GDIPFONTCACHEV1.DAT
2004-07-30 05:19 . 2004-07-30 05:19 266 --sh--w c:\program files\desktop.ini
2008-09-18 01:45 . 2008-09-18 01:45 32768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-23_16.52.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-08-29 19:00 . 2002-08-29 19:00 45824 c:\windows\SYSTEM32\jsxrtuyp.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}]
2002-08-29 19:00 104448 ----a-w c:\windows\system32\lokvbdj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-06 185872]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 90182]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 3100672]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-16 153136]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 139347]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-11-11 1519616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\System32\\ftp.exe"=

R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S0 eqrrrcaf;eqrrrcaf;c:\windows\system32\drivers\eqrrrcaf.sys [2002-08-29 23424]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: taxsoftware.com
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 07:53
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2596)
c:\windows\system32\nview.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\windows\system32\nvwddi.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
c:\program files\NETWORK ASSOCIATES\VIRUSSCAN\MCSHIELD.EXE
c:\program files\NETWORK ASSOCIATES\VIRUSSCAN\VSTSKMGR.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE
c:\program files\WINDOWS MEDIA PLAYER\WMPNETWK.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-04-25 7:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 14:56
ComboFix2.txt 2009-04-24 15:10

Pre-Run: 23,238,639,616 bytes free
Post-Run: 23,177,723,904 bytes free

243 --- E O F --- 2009-04-19 14:42




2009-04-25 14:52:11 . 2009-04-25 14:52:12 702,503 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_lokvbdj_.dll.zip
2009-04-24 15:08:18 . 2009-04-24 15:08:20 32,749 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_eqrrrcaf_.sys.zip
2009-04-24 15:07:17 . 2009-04-24 15:07:18 200,728 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_ugfonut_.dll.zip
2009-04-24 15:04:52 . 2009-04-24 15:04:54 6,874 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_eqrrrcaf.reg.dat
2009-04-24 15:04:52 . 2009-04-24 15:04:54 1,276 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_EQRRRCAF.reg.dat
2009-04-23 16:48:56 . 2009-04-25 14:49:50 1,812 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_pknasbjt.reg.dat
2009-04-23 16:48:55 . 2009-04-23 16:48:56 1,082 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_PKNASBJT.reg.dat
2009-04-23 16:48:49 . 2009-04-25 14:49:44 6,719 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-23 16:44:22 . 2009-04-25 14:52:12 2,206 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-04-18 00:23:04 . 2009-04-18 00:23:06 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nfr.assembly.vir

#12
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Thank you for not using other tools without my approval. I didn't think it jived with your careful approach, but I did see the Avenger log that mysteriously appeared. It's possible it is being incorporated into one of the tools.

What is very strange about your last Combofix log is it doesn't reflect the script I gave you at all. Many of the items I scripted for deletion do not even appear in the log at all. I am thinking there may be some self-protecting malware going on here, that is substituting an old CFScript for a new one.

Please delete the old CFScript on your desktop.

I am going to give you a new CFScript to use this time that is very similar to the last one with an additional item to be deleted. Please be very sure that you use this current CFScript when launching Combofix, and not an older one. Make sure no other CFScript appears on your desktop or anywhere else renamed as you said happened last time. Delete all previous CFScript copies before creating this new one. After you create this new CFScript, right-click CFScript.txt before dragging it into gadget.exe and verify that the date and time listed in the File Properties, match the time and date of when you actually created it.

Create a new CFScript:

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.
Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}]

Driver::
wvkmpnyv
eqrrrcaf
pknasbjt

File::
c:\windows\SYSTEM32\jsxrtuyp.dat
c:\windows\system32\lokvbdj.dll
c:\windows\SYSTEM32\ugfonut.dll

Rootkit::
c:\windows\system32\drivers\wvkmpnyv.sys
c:\windows\system32\drivers\eqrrrcaf.sys
c:\windows\system32\drivers\pknasbjt.sys

Folder::
c:\documents and settings\Julia\Local Settings\Application Data\fyvzeeij 
c:\documents and settings\Julia\Application Data\fyvzeeij
c:\documents and settings\NetworkService\Local Settings\Application Data\fyvzeeij
c:\documents and settings\NetworkService\Application Data\fyvzeeij

Next disable your antimalware and security program's active protection until Combofix is finished running.

[Image: CFScript.txt being dragged onto the renamed ComboFix.exe (gadget.exe)]

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (gadget.exe)

This will cause ComboFix to run again.

After Combofix has finished, please re-enable your active protection.

Please copy and paste into your next reply (do NOT attach)

1. C:\Combofix.txt
2. C:\Qoobox\ComboFix-quarantined-files.txt

Thanks for your patience; this is a very tenacious infection.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#13
Alana

    New Member

  • Members
  • 13 posts
Here are my latest logs - thanks again for all of your help!

Alana


ComboFix 09-04-25.A3 - Julia 04/25/2009 18:57.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.242 [GMT -7:00]
Running from: c:\documents and settings\Julia\Desktop\Gadget.exe
Command switches used :: c:\documents and settings\Julia\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\jsxrtuyp.dat
c:\windows\system32\lokvbdj.dll
c:\windows\SYSTEM32\ugfonut.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Julia\Application Data\fyvzeeij
c:\documents and settings\Julia\Application Data\fyvzeeij\profiles.ini
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\cert8.db
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\compatibility.ini
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\compreg.dat
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\cookies.sqlite
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\formhistory.sqlite
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\key3.db
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\localstore.rdf
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\permissions.sqlite
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\places.sqlite-journal
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\places.sqlite
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\pluginreg.dat
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\prefs.js
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\secmod.db
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\webappsstore.sqlite
c:\documents and settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\xpti.dat
c:\documents and settings\Julia\Local Settings\Application Data\fyvzeeij
c:\documents and settings\Julia\Local Settings\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\urlclassifier3.sqlite
c:\documents and settings\Julia\Local Settings\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\fyvzeeij
c:\documents and settings\NetworkService\Application Data\fyvzeeij\profiles.ini
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\cert8.db
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\key3.db
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\prefs.js
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\secmod.db
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\fyvzeeij
c:\documents and settings\NetworkService\Local Settings\Application Data\fyvzeeij\Profiles\zgbhhrst.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\fyvzeeij\Profiles\zgbhhrst.default\XPC.mfl
c:\windows\system32\drivers\eqrrrcaf.sys
c:\windows\system32\drivers\wvkmpnyv.sys
c:\windows\SYSTEM32\jsxrtuyp.dat
c:\windows\system32\lokvbdj.dll . . . . failed to delete
c:\windows\SYSTEM32\ugfonut.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EQRRRCAF
-------\Service_eqrrrcaf
-------\Service_pknasbjt


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-25 14:44 . 2009-04-25 14:44 -------- d-----w C:\Waterfall
2009-04-22 17:30 . 2009-04-22 17:30 -------- d-sh--w C:\FOUND.012
2009-04-21 15:50 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-21 15:50 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 15:50 . 2009-04-21 15:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 14:31 . 2008-10-16 21:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-19 14:31 . 2008-10-16 21:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-19 00:03 . 2009-04-19 00:03 -------- d-sh--w C:\FOUND.011
2009-04-18 23:55 . 2009-04-18 23:55 -------- d-sh--w c:\documents and settings\Jim\IETldCache
2009-04-18 23:44 . 2009-04-18 23:44 -------- d-sh--w C:\FOUND.010
2009-04-18 23:39 . 2009-04-26 02:02 0 ----a-w c:\windows\system32\NvApps.xml
2009-04-18 23:37 . 2009-04-18 23:37 -------- d-sh--w C:\FOUND.009
2009-04-18 23:29 . 2009-04-18 23:29 -------- d-sh--w C:\FOUND.008
2009-04-18 21:30 . 2009-04-18 21:30 -------- d-sh--w C:\FOUND.007
2009-04-18 20:23 . 2009-04-18 20:23 -------- d-----w C:\a6b12b8cec4c2970bad44265679938
2009-04-18 17:03 . 2009-04-18 17:03 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-18 16:14 . 2009-04-18 16:14 -------- d-----w c:\program files\Trend Micro
2009-04-17 00:24 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 00:24 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 00:24 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 00:24 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 00:24 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 00:24 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 00:24 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 00:24 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 00:24 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 00:23 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 00:23 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 00:23 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 15:22 . 2009-04-15 15:22 -------- d-----w C:\btax
2009-04-15 01:36 . 2009-04-15 01:36 -------- d-sh--w C:\FOUND.006
2009-04-01 03:04 . 2009-04-01 03:04 -------- d-sh--w c:\documents and settings\Julia\IECompatCache
2009-03-31 14:58 . 2009-03-31 14:58 -------- d-----w c:\documents and settings\Julia\Local Settings\Application Data\Intuit
2009-03-31 14:51 . 2009-03-31 14:51 -------- d-----w c:\program files\TurboTax
2009-03-31 13:45 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-03-30 18:17 . 2009-03-30 18:17 -------- d-----w c:\windows\system32\XPSViewer
2009-03-30 18:17 . 2009-03-30 18:17 -------- d-----w c:\program files\MSBuild
2009-03-30 18:17 . 2009-03-30 18:17 -------- d-----w c:\program files\Reference Assemblies
2009-03-30 18:16 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-30 18:16 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-03-30 18:16 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-30 18:16 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-03-30 18:16 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-30 18:16 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-03-30 18:16 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-03-30 18:16 . 2009-03-30 18:16 -------- d-----w c:\windows\SxsCaPendDel
2009-03-30 17:59 . 2009-03-30 17:59 -------- d-sh--w c:\documents and settings\Julia\PrivacIE
2009-03-30 17:58 . 2009-03-30 17:58 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-03-30 17:58 . 2009-03-30 17:58 -------- d-sh--w c:\documents and settings\Julia\IETldCache
2009-03-30 17:44 . 2009-03-30 17:44 -------- d-----w c:\windows\ie8updates
2009-03-30 17:40 . 2009-03-30 17:40 -------- d--h--w c:\windows\ie8
2009-03-30 17:39 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 15:05 . 2002-08-29 19:00 23424 ----a-w c:\windows\system32\drivers\wvkmpnyv.sys
2009-04-23 16:48 . 2002-08-29 19:00 104448 ----a-w c:\windows\SYSTEM32\ugfonut.dll
2009-04-19 03:15 . 2004-08-01 18:00 46512 ----a-w c:\documents and settings\Julia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 21:30 . 2004-07-30 15:08 90112 ----a-w c:\windows\DUMP81f4.tmp
2009-04-18 01:28 . 2002-08-29 19:00 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-18 01:28 . 2002-08-29 19:00 182656 ----a-w c:\windows\SYSTEM32\dllcache\ndis.sys
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\dllcache\kernel32.dll
2009-03-11 05:18 . 2006-04-10 20:00 934792 ------w c:\windows\SYSTEM32\dllcache\WgaTray.exe
2009-03-11 05:18 . 2006-04-10 20:00 239496 ------w c:\windows\SYSTEM32\dllcache\wgaLogon.dll
2009-03-08 21:09 . 2006-11-07 10:27 391536 ----a-w c:\windows\SYSTEM32\dllcache\iedkcs32.dll
2009-03-08 21:09 . 2006-10-17 19:04 638816 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2009-03-08 11:41 . 2006-05-19 18:06 5937152 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2009-03-08 11:39 . 2007-05-09 16:03 11063808 ----a-w c:\windows\SYSTEM32\dllcache\ieframe.dll
2009-03-08 11:34 . 2006-05-10 08:25 914944 ----a-w c:\windows\SYSTEM32\dllcache\wininet.dll
2009-03-08 11:34 . 2005-10-21 19:51 914944 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-08 11:34 . 2006-05-10 08:25 1206784 ----a-w c:\windows\SYSTEM32\dllcache\urlmon.dll
2009-03-08 11:34 . 2006-11-08 04:03 236544 ----a-w c:\windows\SYSTEM32\dllcache\webcheck.dll
2009-03-08 11:34 . 2006-10-17 19:05 43008 ----a-w c:\windows\SYSTEM32\dllcache\licmgr10.dll
2009-03-08 11:34 . 2002-08-29 19:00 43008 ----a-w c:\windows\SYSTEM32\licmgr10.dll
2009-03-08 11:34 . 2006-10-17 19:05 105984 ----a-w c:\windows\SYSTEM32\dllcache\url.dll
2009-03-08 11:34 . 2006-10-17 19:04 109568 ----a-w c:\windows\SYSTEM32\dllcache\occache.dll
2009-03-08 11:34 . 2006-05-10 08:25 193536 ----a-w c:\windows\SYSTEM32\dllcache\msrating.dll
2009-03-08 11:33 . 2006-09-18 17:15 759296 ----a-w c:\windows\SYSTEM32\dllcache\VGX.dll
2009-03-08 11:33 . 2009-03-08 11:33 18944 ------w c:\windows\SYSTEM32\dllcache\corpol.dll
2009-03-08 11:33 . 2002-08-29 19:00 18944 ----a-w c:\windows\SYSTEM32\corpol.dll
2009-03-08 11:33 . 2006-05-10 08:25 25600 ----a-w c:\windows\SYSTEM32\dllcache\jsproxy.dll
2009-03-08 11:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\SYSTEM32\dllcache\jscript.dll
2009-03-08 11:33 . 2006-11-07 10:27 229376 ----a-w c:\windows\SYSTEM32\dllcache\ieaksie.dll
2009-03-08 11:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\SYSTEM32\dllcache\vbscript.dll
2009-03-08 11:33 . 2002-08-29 19:00 420352 ----a-w c:\windows\SYSTEM32\vbscript.dll
2009-03-08 11:33 . 2006-11-07 10:26 125952 ----a-w c:\windows\SYSTEM32\dllcache\ieakeng.dll
2009-03-08 11:32 . 2006-11-07 10:26 72704 ----a-w c:\windows\SYSTEM32\dllcache\admparse.dll
2009-03-08 11:32 . 2002-08-29 19:00 72704 ----a-w c:\windows\SYSTEM32\admparse.dll
2009-03-08 11:32 . 2006-11-07 10:26 173056 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2009-03-08 11:32 . 2002-08-29 19:00 163840 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2009-03-08 11:32 . 2006-11-07 10:26 71680 ----a-w c:\windows\SYSTEM32\dllcache\iesetup.dll
2009-03-08 11:32 . 2006-11-07 10:26 55808 ----a-w c:\windows\SYSTEM32\dllcache\iernonce.dll
2009-03-08 11:32 . 2002-08-29 19:00 71680 ----a-w c:\windows\SYSTEM32\iesetup.dll
2009-03-08 11:32 . 2006-11-07 10:26 128512 ----a-w c:\windows\SYSTEM32\dllcache\advpack.dll
2009-03-08 11:32 . 2006-05-10 08:25 94720 ----a-w c:\windows\SYSTEM32\dllcache\inseng.dll
2009-03-08 11:32 . 2007-05-09 16:03 594432 ----a-w c:\windows\SYSTEM32\dllcache\msfeeds.dll
2009-03-08 11:32 . 2007-05-09 16:03 1985024 ----a-w c:\windows\SYSTEM32\dllcache\iertutil.dll
2009-03-08 11:32 . 2006-05-10 08:25 611840 ----a-w c:\windows\SYSTEM32\dllcache\mstime.dll
2009-03-08 11:24 . 2006-10-17 18:44 68608 ----a-w c:\windows\SYSTEM32\dllcache\hmmapi.dll
2009-03-08 11:22 . 2002-08-29 19:00 156160 ----a-w c:\windows\SYSTEM32\msls31.dll
2009-03-08 11:22 . 2002-08-29 19:00 156160 ----a-w c:\windows\SYSTEM32\dllcache\msls31.dll
2009-03-08 11:11 . 2007-05-09 16:03 445952 ----a-w c:\windows\SYSTEM32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2002-08-29 19:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-02-09 12:10 . 2002-08-29 19:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 06:31 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 19:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 19:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-16 02:01 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2002-08-29 19:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 02:02 . 2008-10-16 02:01 2066048 ------w c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2009-02-08 02:02 . 2002-08-29 08:04 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-07 04:07 . 2007-05-09 16:03 3698584 ----a-w c:\windows\SYSTEM32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2002-08-29 19:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-16 02:01 2189056 ------w c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2002-08-29 19:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-16 02:01 2145280 ------w c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2002-08-29 19:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2002-08-29 19:00 35328 ----a-w c:\windows\SYSTEM32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-16 02:01 2023936 ------w c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\dllcache\secur32.dll
2009-02-03 19:59 . 2002-08-29 19:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-06-02 21:02 . 2007-06-02 21:02 37440 ----a-w c:\documents and settings\Julia\Application Data\GDIPFONTCACHEV1.DAT
2004-07-30 05:19 . 2004-07-30 05:19 266 --sh--w c:\program files\desktop.ini
2008-09-18 01:45 . 2008-09-18 01:45 32768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}]
2002-08-29 19:00 104448 ----a-w c:\windows\system32\lokvbdj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-06 185872]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 90182]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 3100672]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-16 153136]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 139347]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-11-11 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uaclfwtu]
2002-08-29 19:00 104448 ----a-w c:\windows\SYSTEM32\lokvbdj.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\System32\\ftp.exe"=

R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S0 eqrrrcaf;eqrrrcaf;c:\windows\system32\drivers\eqrrrcaf.sys [2002-08-29 23424]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - EQRRRCAF

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: taxsoftware.com
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 19:02
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\lokvbdj.dll
c:\windows\system32\libssl32.dll
c:\windows\system32\LIBEAY32.dll

- - - - - - - > 'explorer.exe'(3880)
c:\windows\system32\nview.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\windows\system32\nvwddi.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\lokvbdj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
c:\program files\NETWORK ASSOCIATES\VIRUSSCAN\MCSHIELD.EXE
c:\program files\NETWORK ASSOCIATES\VIRUSSCAN\VSTSKMGR.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE
c:\program files\WINDOWS MEDIA PLAYER\WMPNETWK.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-04-26 19:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 02:05
ComboFix2.txt 2009-04-24 15:10

Pre-Run: 23,250,173,952 bytes free
Post-Run: 23,308,795,904 bytes free

293 --- E O F --- 2009-04-19 14:42


2009-04-26 02:03:22 . 2009-04-26 02:03:24 32,750 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_wvkmpnyv_.sys.zip
2009-04-26 02:03:19 . 2009-04-26 02:03:20 65,481 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_eqrrrcaf_.sys.zip
2009-04-26 02:01:12 . 2009-04-26 02:01:14 401,438 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_ugfonut_.dll.zip
2009-04-26 02:01:12 . 2009-04-26 02:01:14 903,213 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_lokvbdj_.dll.zip
2009-04-24 15:04:52 . 2009-04-26 01:59:06 6,874 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_eqrrrcaf.reg.dat
2009-04-24 15:04:52 . 2009-04-26 01:59:06 1,390 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_EQRRRCAF.reg.dat
2009-04-23 16:48:56 . 2009-04-26 01:59:06 1,872 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_pknasbjt.reg.dat
2009-04-23 16:48:55 . 2009-04-23 16:48:56 1,082 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_PKNASBJT.reg.dat
2009-04-23 16:48:49 . 2009-04-26 01:59:00 6,719 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-23 16:44:22 . 2009-04-26 02:03:24 3,827 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-04-22 20:23:29 . 2009-04-22 20:23:30 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\prefs.js.vir
2009-04-22 18:19:43 . 2009-04-22 18:19:44 570 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\localstore.rdf.vir
2009-04-22 18:19:37 . 2009-04-22 18:19:38 9,838 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\pluginreg.dat.vir
2009-04-22 18:19:31 . 2009-04-22 20:23:42 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\webappsstore.sqlite.vir
2009-04-22 18:19:30 . 2009-04-22 18:21:22 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\formhistory.sqlite.vir
2009-04-22 18:19:28 . 2009-04-22 18:21:22 32,768 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Local Settings\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\urlclassifier3.sqlite.vir
2009-04-22 18:19:28 . 2009-04-22 20:23:42 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\places.sqlite.vir
2009-04-22 18:19:28 . 2009-04-22 20:23:42 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\places.sqlite-journal.vir
2009-04-22 18:19:28 . 2009-04-22 18:21:22 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\key3.db.vir
2009-04-22 18:19:28 . 2009-04-22 18:21:22 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\cert8.db.vir
2009-04-22 18:19:28 . 2009-04-22 18:19:30 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\secmod.db.vir
2009-04-22 18:19:27 . 2009-04-22 20:23:42 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\cookies.sqlite.vir
2009-04-22 18:19:25 . 2009-04-22 18:19:28 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\permissions.sqlite.vir
2009-04-22 18:19:25 . 2009-04-22 20:23:30 127,885 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\compreg.dat.vir
2009-04-22 18:19:25 . 2009-04-22 20:23:42 348,328 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Local Settings\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\XPC.mfl.vir
2009-04-22 18:19:25 . 2009-04-22 20:23:28 96,173 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\xpti.dat.vir
2009-04-22 18:19:25 . 2009-04-22 20:23:28 207 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\Profiles\iqzsi4lz.default\compatibility.ini.vir
2009-04-22 18:19:25 . 2009-04-22 18:19:26 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Julia\Application Data\fyvzeeij\profiles.ini.vir
2009-04-21 19:21:57 . 2009-04-21 19:21:58 536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\prefs.js.vir
2009-04-21 17:45:19 . 2009-04-21 17:45:20 570 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\localstore.rdf.vir
2009-04-21 17:45:09 . 2009-04-21 17:45:10 9,838 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\pluginreg.dat.vir
2009-04-21 17:45:08 . 2009-04-21 19:22:00 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\webappsstore.sqlite.vir
2009-04-21 17:45:06 . 2009-04-21 17:46:34 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\formhistory.sqlite.vir
2009-04-21 17:45:05 . 2009-04-21 19:21:58 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\places.sqlite.vir
2009-04-21 17:45:05 . 2009-04-21 17:46:34 32,768 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\fyvzeeij\Profiles\zgbhhrst.default\urlclassifier3.sqlite.vir
2009-04-21 17:45:05 . 2009-04-21 19:21:58 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\key3.db.vir
2009-04-21 17:45:05 . 2009-04-21 19:21:58 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\cert8.db.vir
2009-04-21 17:45:05 . 2009-04-21 17:45:06 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\secmod.db.vir
2009-04-21 17:45:05 . 2009-04-21 19:22:00 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\cookies.sqlite.vir
2009-04-21 17:45:03 . 2009-04-21 17:45:06 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\permissions.sqlite.vir
2009-04-21 17:45:03 . 2009-04-21 19:18:32 127,885 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\compreg.dat.vir
2009-04-21 17:45:03 . 2009-04-21 19:18:46 378,058 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\fyvzeeij\Profiles\zgbhhrst.default\XPC.mfl.vir
2009-04-21 17:45:03 . 2009-04-21 19:18:30 96,173 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\xpti.dat.vir
2009-04-21 17:45:03 . 2009-04-21 19:18:30 207 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\Profiles\zgbhhrst.default\compatibility.ini.vir
2009-04-21 17:45:03 . 2009-04-21 17:45:04 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\fyvzeeij\profiles.ini.vir
2009-04-18 00:23:04 . 2009-04-18 00:23:06 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nfr.assembly.vir
2002-08-29 19:00:00 . 2002-08-29 19:00:00 50,944 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jsxrtuyp.dat.vir
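
The diagnosis negster22 draws from this log (lokvbdj.dll "failed to delete", still listed under the BHO and Winlogon Notify loading points, still loaded in winlogon.exe and explorer.exe, the eqrrrcaf service removed and then reported as newly created) comes from reading the CFScript against the log section by section. Below is an added example, not part of this thread or of ComboFix, that automates that cross-check in Python: it parses the CFScript's `::` sections and the log's banner-delimited sections and reports every scripted target the log still shows. The sample script and log are constructed from short excerpts of the logs posted above, and the section titles and line formats it relies on are the ones visible in those logs.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced. Added example for
this thread, not ComboFix's or the forum's code; sample script and log constructed from the thread."""
import re
from collections import defaultdict

BANNER_RE = re.compile(r"^(?:\({3,}|-{3,})\s*(.+?)\s*(?:\){3,}|-{3,})$")  # "((( Title )))" / "--- Title ---"
PROCESS_RE = re.compile(r"^[- ]+>\s*'([^']+)'\(\d+\)")  # "- - - > 'winlogon.exe'(448)"
SERVICE_RE = re.compile(r"^[RS]\d+\s+(\w+);")            # "S0 eqrrrcaf;eqrrrcaf;<path>"
REMOVED_RE = re.compile(r"\\Service_(\w+)$")             # "-------\Service_pknasbjt" (removed service)

SAMPLE_CFSCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}]
Driver::
wvkmpnyv
eqrrrcaf
pknasbjt
File::
c:\windows\system32\lokvbdj.dll
c:\windows\SYSTEM32\ugfonut.dll
"""

SAMPLE_LOG = r"""
((((((((((( Other Deletions )))))))))))
c:\windows\system32\lokvbdj.dll . . . . failed to delete
c:\windows\SYSTEM32\ugfonut.dll . . . . failed to delete
((((((((((( Drivers/Services )))))))))))
-------\Service_eqrrrcaf
-------\Service_pknasbjt
((((((((((( Reg Loading Points )))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}]
2002-08-29 19:00 104448 ----a-w c:\windows\system32\lokvbdj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uaclfwtu]
2002-08-29 19:00 104448 ----a-w c:\windows\SYSTEM32\lokvbdj.dll
S0 eqrrrcaf;eqrrrcaf;c:\windows\system32\drivers\eqrrrcaf.sys [2002-08-29 23424]
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\lokvbdj.dll
"""

def parse_cfscript(text):
    """Return {section: [targets]}; CFScript section headers end in '::'."""
    sections, current = defaultdict(list), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("::"):
            current = line[:-2]
        elif current == "Registry":  # "[-KEY]" is ComboFix's delete-this-key syntax
            sections[current].append(line.strip("[]").lstrip("-"))
        elif current:
            sections[current].append(line)
    return dict(sections)

def parse_combofix_log(text):
    """Return {section title: [body lines]}, split on ComboFix's banner lines."""
    sections, current = defaultdict(list), "Header"
    for line in map(str.rstrip, text.splitlines()):
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
        elif line.strip() not in ("", "."):
            sections[current].append(line)
    return dict(sections)

def audit(cfscript_text, log_text):
    """Report every scripted target that the log shows surviving the run."""
    script, log = parse_cfscript(cfscript_text), parse_combofix_log(log_text)
    dll_names = {f.rsplit("\\", 1)[-1].lower() for f in script.get("File", [])}
    drivers = {d.lower() for d in script.get("Driver", [])}
    reg_keys = {k.lower() for k in script.get("Registry", [])}
    removed = {m.group(1).lower() for m in map(REMOVED_RE.search, log.get("Drivers/Services", [])) if m}
    report = {"failed_to_delete": [], "still_referenced": [], "still_loaded": {},
              "drivers_reregistered": [], "drivers_unconfirmed": sorted(drivers - removed)}
    for line in log.get("Other Deletions", []):
        if "failed to delete" in line.lower():
            report["failed_to_delete"].append(line.split(" . ", 1)[0].strip().lower())
    key = process = None
    for line in log.get("Reg Loading Points", []):
        svc = SERVICE_RE.match(line)
        if line.startswith("["):
            key = line.strip("[]")
            if key.lower() in reg_keys:  # a key the script deleted is back as a loading point
                report["still_referenced"].append(key)
        elif svc and svc.group(1).lower() in drivers:  # a scripted driver service is registered again
            report["drivers_reregistered"].append(svc.group(1).lower())
        elif any(n in line.lower() for n in dll_names) and key not in report["still_referenced"]:
            report["still_referenced"].append(key)  # loading point still points at a scripted DLL
    for line in log.get("DLLs Loaded Under Running Processes", []):
        proc = PROCESS_RE.match(line)
        if proc:
            process = proc.group(1)
        elif line.rsplit("\\", 1)[-1].lower() in dll_names:
            report["still_loaded"].setdefault(process, []).append(line.lower())
    return report

if __name__ == "__main__":
    findings = audit(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    print("clean" if not any(findings.values()) else f"still infected: {findings}")
```

Run against the full Combofix.txt and CFScript.txt, an empty report is the signal that the script took; anything listed is what a helper would normally pick out of the log by eye.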

#14
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
You're welcome! Unfortunately, you are still infected, so we'll try another program, as well.

Remember the Avenger? Well, we're going to use that program now.

Download The Avenger by Swandog46:
http://swandog46.gee...r2/download.php

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to "Automatically disable any rootkits found" is UNchecked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Drivers to delete:
eqrrrcaf
wvkmpnyv
pknasbjt
LEGACY_EQRRRCAF
LEGACY_WVKMPNYV
LEGACY_PKNASBJT

Files to Delete:
c:\windows\system32\drivers\eqrrrcaf.sys
c:\windows\system32\drivers\wvkmpnyv.sys
c:\windows\system32\drivers\pknasbjt.sys
c:\windows\system32\lokvbdj.dll
c:\windows\SYSTEM32\ugfonut.dll
c:\windows\SYSTEM32\jsxrtuyp.dat

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uaclfwtu
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}

  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If the log does not automatically open, then it can be found at C:\avenger.txt
  • Please post the Avenger log, along with a new HijackThis log in your next reply.

Now, I want you to disable all security program active protection.

I want you to launch Combofix (with no script) by double-clicking gadget.exe on your desktop.

Let Combofix run to completion, and then after the log is produced, re-enable your active protection.

Please post back the following items:
1. C:\avenger.txt
2. C:\Combofix.txt
3. A new HJT log

Also, do you have the Recovery Console installed? We may have to boot to the Recovery Console to remove some persistent infected components.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#15
Alana (New Member; Members; 13 posts)
Hello negster22 -

Believe it or not, I think your last script did the trick! I am pasting all of the logs you requested plus a new malwarebytes log which actually makes the extravagant claim that my computer is no longer infected! If this is true, I plan to party heavily for many days!

Anyway, here are my logs, and many thanks once again!

Alana

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "eqrrrcaf" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\wvkmpnyv" not found!
Deletion of driver "wvkmpnyv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "pknasbjt" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\LEGACY_EQRRRCAF" not found!
Deletion of driver "LEGACY_EQRRRCAF" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\LEGACY_WVKMPNYV" not found!
Deletion of driver "LEGACY_WVKMPNYV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\LEGACY_PKNASBJT" not found!
Deletion of driver "LEGACY_PKNASBJT" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\drivers\eqrrrcaf.sys" deleted successfully.
File "c:\windows\system32\drivers\wvkmpnyv.sys" deleted successfully.

Error: file "c:\windows\system32\drivers\pknasbjt.sys" not found!
Deletion of file "c:\windows\system32\drivers\pknasbjt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\lokvbdj.dll" deleted successfully.
File "c:\windows\SYSTEM32\ugfonut.dll" deleted successfully.
File "c:\windows\SYSTEM32\jsxrtuyp.dat" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uaclfwtu" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

ComboFix 09-04-25.A3 - Julia 04/27/2009 9:12.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.215 [GMT -7:00]
Running from: c:\documents and settings\Julia\Desktop\Trajectory.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-27 15:22 . 2009-04-27 15:22 -------- d-----w c:\documents and settings\Julia\Local Settings\Application Data\fyvzeeij
2009-04-27 15:22 . 2009-04-27 15:22 -------- d-----w c:\documents and settings\Julia\Application Data\fyvzeeij
2009-04-26 01:56 . 2009-04-26 01:56 -------- d-----w C:\Gadget
2009-04-25 14:44 . 2009-04-25 14:44 -------- d-----w C:\Waterfall
2009-04-22 17:30 . 2009-04-22 17:30 -------- d-sh--w C:\FOUND.012
2009-04-21 15:50 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-21 15:50 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 15:50 . 2009-04-21 15:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 14:31 . 2008-10-16 21:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-19 14:31 . 2008-10-16 21:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-19 00:03 . 2009-04-19 00:03 -------- d-sh--w C:\FOUND.011
2009-04-18 23:55 . 2009-04-18 23:55 -------- d-sh--w c:\documents and settings\Jim\IETldCache
2009-04-18 23:44 . 2009-04-18 23:44 -------- d-sh--w C:\FOUND.010
2009-04-18 23:39 . 2009-04-27 16:01 0 ----a-w c:\windows\system32\NvApps.xml
2009-04-18 23:37 . 2009-04-18 23:37 -------- d-sh--w C:\FOUND.009
2009-04-18 23:29 . 2009-04-18 23:29 -------- d-sh--w C:\FOUND.008
2009-04-18 21:30 . 2009-04-18 21:30 -------- d-sh--w C:\FOUND.007
2009-04-18 20:23 . 2009-04-18 20:23 -------- d-----w C:\a6b12b8cec4c2970bad44265679938
2009-04-18 17:03 . 2009-04-18 17:03 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-18 16:14 . 2009-04-18 16:14 -------- d-----w c:\program files\Trend Micro
2009-04-17 00:24 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 00:24 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 00:24 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 00:24 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 00:24 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 00:24 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 00:24 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 00:24 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 00:24 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 00:23 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 00:23 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 00:23 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 15:22 . 2009-04-15 15:22 -------- d-----w C:\btax
2009-04-15 01:36 . 2009-04-15 01:36 -------- d-sh--w C:\FOUND.006
2009-04-01 03:04 . 2009-04-01 03:04 -------- d-sh--w c:\documents and settings\Julia\IECompatCache
2009-03-31 14:58 . 2009-03-31 14:58 -------- d-----w c:\documents and settings\Julia\Local Settings\Application Data\Intuit
2009-03-31 14:51 . 2009-03-31 14:51 -------- d-----w c:\program files\TurboTax
2009-03-31 13:45 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-03-30 18:17 . 2009-03-30 18:17 -------- d-----w c:\windows\system32\XPSViewer
2009-03-30 18:17 . 2009-03-30 18:17 -------- d-----w c:\program files\MSBuild
2009-03-30 18:17 . 2009-03-30 18:17 -------- d-----w c:\program files\Reference Assemblies
2009-03-30 18:16 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-30 18:16 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-03-30 18:16 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-30 18:16 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-03-30 18:16 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-30 18:16 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-03-30 18:16 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-03-30 18:16 . 2009-03-30 18:16 -------- d-----w c:\windows\SxsCaPendDel
2009-03-30 17:59 . 2009-03-30 17:59 -------- d-sh--w c:\documents and settings\Julia\PrivacIE
2009-03-30 17:58 . 2009-03-30 17:58 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-03-30 17:58 . 2009-03-30 17:58 -------- d-sh--w c:\documents and settings\Julia\IETldCache
2009-03-30 17:44 . 2009-03-30 17:44 -------- d-----w c:\windows\ie8updates
2009-03-30 17:40 . 2009-03-30 17:40 -------- d--h--w c:\windows\ie8
2009-03-30 17:39 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 03:15 . 2004-08-01 18:00 46512 ----a-w c:\documents and settings\Julia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 21:30 . 2004-07-30 15:08 90112 ----a-w c:\windows\DUMP81f4.tmp
2009-04-18 01:28 . 2002-08-29 19:00 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-18 01:28 . 2002-08-29 19:00 182656 ----a-w c:\windows\SYSTEM32\dllcache\ndis.sys
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\dllcache\kernel32.dll
2009-03-11 05:18 . 2006-04-10 20:00 934792 ------w c:\windows\SYSTEM32\dllcache\WgaTray.exe
2009-03-11 05:18 . 2006-04-10 20:00 239496 ------w c:\windows\SYSTEM32\dllcache\wgaLogon.dll
2009-03-08 21:09 . 2006-11-07 10:27 391536 ----a-w c:\windows\SYSTEM32\dllcache\iedkcs32.dll
2009-03-08 21:09 . 2006-10-17 19:04 638816 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2009-03-08 11:41 . 2006-05-19 18:06 5937152 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2009-03-08 11:39 . 2007-05-09 16:03 11063808 ----a-w c:\windows\SYSTEM32\dllcache\ieframe.dll
2009-03-08 11:34 . 2006-05-10 08:25 914944 ----a-w c:\windows\SYSTEM32\dllcache\wininet.dll
2009-03-08 11:34 . 2005-10-21 19:51 914944 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-08 11:34 . 2006-05-10 08:25 1206784 ----a-w c:\windows\SYSTEM32\dllcache\urlmon.dll
2009-03-08 11:34 . 2006-11-08 04:03 236544 ----a-w c:\windows\SYSTEM32\dllcache\webcheck.dll
2009-03-08 11:34 . 2006-10-17 19:05 43008 ----a-w c:\windows\SYSTEM32\dllcache\licmgr10.dll
2009-03-08 11:34 . 2002-08-29 19:00 43008 ----a-w c:\windows\SYSTEM32\licmgr10.dll
2009-03-08 11:34 . 2006-10-17 19:05 105984 ----a-w c:\windows\SYSTEM32\dllcache\url.dll
2009-03-08 11:34 . 2006-10-17 19:04 109568 ----a-w c:\windows\SYSTEM32\dllcache\occache.dll
2009-03-08 11:34 . 2006-05-10 08:25 193536 ----a-w c:\windows\SYSTEM32\dllcache\msrating.dll
2009-03-08 11:33 . 2006-09-18 17:15 759296 ----a-w c:\windows\SYSTEM32\dllcache\VGX.dll
2009-03-08 11:33 . 2009-03-08 11:33 18944 ------w c:\windows\SYSTEM32\dllcache\corpol.dll
2009-03-08 11:33 . 2002-08-29 19:00 18944 ----a-w c:\windows\SYSTEM32\corpol.dll
2009-03-08 11:33 . 2006-05-10 08:25 25600 ----a-w c:\windows\SYSTEM32\dllcache\jsproxy.dll
2009-03-08 11:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\SYSTEM32\dllcache\jscript.dll
2009-03-08 11:33 . 2006-11-07 10:27 229376 ----a-w c:\windows\SYSTEM32\dllcache\ieaksie.dll
2009-03-08 11:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\SYSTEM32\dllcache\vbscript.dll
2009-03-08 11:33 . 2002-08-29 19:00 420352 ----a-w c:\windows\SYSTEM32\vbscript.dll
2009-03-08 11:33 . 2006-11-07 10:26 125952 ----a-w c:\windows\SYSTEM32\dllcache\ieakeng.dll
2009-03-08 11:32 . 2006-11-07 10:26 72704 ----a-w c:\windows\SYSTEM32\dllcache\admparse.dll
2009-03-08 11:32 . 2002-08-29 19:00 72704 ----a-w c:\windows\SYSTEM32\admparse.dll
2009-03-08 11:32 . 2006-11-07 10:26 173056 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2009-03-08 11:32 . 2002-08-29 19:00 163840 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2009-03-08 11:32 . 2006-11-07 10:26 71680 ----a-w c:\windows\SYSTEM32\dllcache\iesetup.dll
2009-03-08 11:32 . 2006-11-07 10:26 55808 ----a-w c:\windows\SYSTEM32\dllcache\iernonce.dll
2009-03-08 11:32 . 2002-08-29 19:00 71680 ----a-w c:\windows\SYSTEM32\iesetup.dll
2009-03-08 11:32 . 2006-11-07 10:26 128512 ----a-w c:\windows\SYSTEM32\dllcache\advpack.dll
2009-03-08 11:32 . 2006-05-10 08:25 94720 ----a-w c:\windows\SYSTEM32\dllcache\inseng.dll
2009-03-08 11:32 . 2007-05-09 16:03 594432 ----a-w c:\windows\SYSTEM32\dllcache\msfeeds.dll
2009-03-08 11:32 . 2007-05-09 16:03 1985024 ----a-w c:\windows\SYSTEM32\dllcache\iertutil.dll
2009-03-08 11:32 . 2006-05-10 08:25 611840 ----a-w c:\windows\SYSTEM32\dllcache\mstime.dll
2009-03-08 11:24 . 2006-10-17 18:44 68608 ----a-w c:\windows\SYSTEM32\dllcache\hmmapi.dll
2009-03-08 11:22 . 2002-08-29 19:00 156160 ----a-w c:\windows\SYSTEM32\msls31.dll
2009-03-08 11:22 . 2002-08-29 19:00 156160 ----a-w c:\windows\SYSTEM32\dllcache\msls31.dll
2009-03-08 11:11 . 2007-05-09 16:03 445952 ----a-w c:\windows\SYSTEM32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2002-08-29 19:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-02-09 12:10 . 2002-08-29 19:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 06:31 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 19:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 19:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-16 02:01 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2002-08-29 19:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 02:02 . 2008-10-16 02:01 2066048 ------w c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2009-02-08 02:02 . 2002-08-29 08:04 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-07 04:07 . 2007-05-09 16:03 3698584 ----a-w c:\windows\SYSTEM32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2002-08-29 19:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-16 02:01 2189056 ------w c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2002-08-29 19:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-16 02:01 2145280 ------w c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2002-08-29 19:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2002-08-29 19:00 35328 ----a-w c:\windows\SYSTEM32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-16 02:01 2023936 ------w c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\dllcache\secur32.dll
2009-02-03 19:59 . 2002-08-29 19:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-06-02 21:02 . 2007-06-02 21:02 37440 ----a-w c:\documents and settings\Julia\Application Data\GDIPFONTCACHEV1.DAT
2004-07-30 05:19 . 2004-07-30 05:19 266 --sh--w c:\program files\desktop.ini
2008-09-18 01:45 . 2008-09-18 01:45 32768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-06 185872]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 90182]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 3100672]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-16 153136]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 139347]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-11-11 1519616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\System32\\ftp.exe"=

R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pknasbjt

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

BHO-{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25} - c:\windows\system32\lokvbdj.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: taxsoftware.com
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 09:14
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\nview.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\windows\system32\nvwddi.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-04-27 9:15
ComboFix-quarantined-files.txt 2009-04-27 16:15
ComboFix2.txt 2009-04-24 15:10

Pre-Run: 23,365,353,472 bytes free
Post-Run: 23,374,823,424 bytes free

214 --- E O F --- 2009-04-19 14:42

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:02 AM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\CF31775.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.taxsoftware.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240109255031
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5518 bytes

Malwarebytes' Anti-Malware 1.36
Database version: 2029
Windows 5.1.2600 Service Pack 3

4/27/2009 9:41:02 AM
mbam-log-2009-04-27 (09-41-02).txt

Scan type: Quick Scan
Objects scanned: 76255
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
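A way to check the Avenger run above mechanically, as an added example that is not part of this thread, of The Avenger, ComboFix or Malwarebytes: the Python below takes the script negster22 posted in #14 and the result lines of the avenger.txt log posted in #15 (both copied from the posts; the log abridged to its result lines) and reports, for every item the script asked for, whether Avenger deleted it, failed with which NTSTATUS, or never mentioned it. The line patterns it matches are an assumption drawn from this one log, so anything it cannot match is reported as "unreported" rather than assumed deleted.

```python
"""Reconcile an Avenger removal script against the avenger.txt log it produced.
Added example for this thread; not part of The Avenger, ComboFix or Malwarebytes.
The parsed line formats are an assumption taken from the single log in post #15."""
import re
from collections import Counter

# Copied from the "Input Script here" box in post #14.
AVENGER_SCRIPT = r'''
Drivers to delete:
eqrrrcaf
wvkmpnyv
pknasbjt
LEGACY_EQRRRCAF
LEGACY_WVKMPNYV
LEGACY_PKNASBJT

Files to Delete:
c:\windows\system32\drivers\eqrrrcaf.sys
c:\windows\system32\drivers\wvkmpnyv.sys
c:\windows\system32\drivers\pknasbjt.sys
c:\windows\system32\lokvbdj.dll
c:\windows\SYSTEM32\ugfonut.dll
c:\windows\SYSTEM32\jsxrtuyp.dat

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uaclfwtu
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}
'''

# Copied from the Avenger log in post #15, abridged to the result and Status lines.
AVENGER_LOG = r'''
Driver "eqrrrcaf" deleted successfully.
Deletion of driver "wvkmpnyv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Driver "pknasbjt" deleted successfully.
Deletion of driver "LEGACY_EQRRRCAF" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Deletion of driver "LEGACY_WVKMPNYV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Deletion of driver "LEGACY_PKNASBJT" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
File "c:\windows\system32\drivers\eqrrrcaf.sys" deleted successfully.
File "c:\windows\system32\drivers\wvkmpnyv.sys" deleted successfully.
Deletion of file "c:\windows\system32\drivers\pknasbjt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
File "c:\windows\system32\lokvbdj.dll" deleted successfully.
File "c:\windows\SYSTEM32\ugfonut.dll" deleted successfully.
File "c:\windows\SYSTEM32\jsxrtuyp.dat" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uaclfwtu" deleted successfully.
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B129F4D-B0C3-4B14-B29F-921CCF9D8B25}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
'''

# Script section header -> the kind word Avenger uses in its log lines.
SECTION_KIND = {"drivers to delete": "driver", "files to delete": "file",
                "registry keys to delete": "registry key"}
OK_RE = re.compile(r'^(Driver|File|Registry key) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (driver|file|registry key) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9A-Fa-f]{8}) \((\w+)\)$')


def parse_script(text):
    """Return [(kind, item), ...] in script order; reject headers we do not know."""
    items, kind = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith(":"):
            kind = SECTION_KIND.get(line[:-1].strip().lower())
            if kind is None:
                raise ValueError(f"unknown Avenger section: {line}")
        elif kind is None:
            raise ValueError(f"item before any section header: {line}")
        else:
            items.append((kind, line))
    return items


def parse_log(text):
    """Map (kind, item) -> 'deleted' or 'failed: <NTSTATUS name>' from the log."""
    results, pending = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := OK_RE.match(line):
            results[(m.group(1).lower(), m.group(2))] = "deleted"
            pending = None
        elif m := FAIL_RE.match(line):
            pending = (m.group(1).lower(), m.group(2))
            results[pending] = "failed: (no status line)"
        elif pending and (m := STATUS_RE.match(line)):
            results[pending] = f"failed: {m.group(2)}"   # e.g. STATUS_OBJECT_NAME_NOT_FOUND
            pending = None
    return results


def reconcile(script_text, log_text):
    """Outcome for every requested item; 'unreported' if the log never mentions it."""
    log = parse_log(log_text)
    return {key: log.get(key, "unreported") for key in parse_script(script_text)}


def summarize(outcomes):
    """Counter over 'deleted' / 'failed' / 'unreported'."""
    return Counter(o.split(":")[0] for o in outcomes.values())


if __name__ == "__main__":
    outcomes = reconcile(AVENGER_SCRIPT, AVENGER_LOG)
    for (kind, item), outcome in outcomes.items():
        print(f"{outcome:38} {kind}: {item}")
    print(dict(summarize(outcomes)))
```

On this log it reports 8 deleted and 6 failed, all six with STATUS_OBJECT_NAME_NOT_FOUND. That status is ambiguous on a cleanup: the object may already have been removed by an earlier tool, may never have existed, or the name may be wrong. The log shows both readings: pknasbjt.sys was not found although the pknasbjt driver entry was deleted, and the BHO key was looked up with the literal `~` shorthand in its path and not found, while the ComboFix log in the same post lists that BHO under "ORPHANS REMOVED". That is why the thread confirms with an MBAM quick scan and a GMER rootkit scan rather than trusting the deletion log alone.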

#16
Alana (New Member; Members; 13 posts)
One more thing -

I just took a look at the running processes on my computer which are now fewer than there were before (yay!). There is one that was generated by ComboFix - CF31775.exe. (The last time I ran ComboFix, it complained about the name Gadget, so I had to rename it Trajectory. I wondered if the CF referred to ComboFix, and then I found CF31775 in C:\Trajectory.) If my Trojan is gone, should I delete ComboFix and Avenger? Is ComboFix still supposed to be running a process?

Thank-you,

Alana

#17
negster22 (Elite Member; Experts; 1,130 posts; Location: Westchester County, NY)
Avenger seems to have done the job all right!! :P

Before deleting anything (and partying), I'd like to get some malware samples of the files removed on your computer by Avenger.

Avenger creates a backup archive of all files and registry entries it removes in this location:
C:\avenger\backup.zip

Can you please visit this submission webpage?

In the "Link to topic where this file was requested: " box, copy/paste the url to this topic as follows:
http://www.malwarebytes.org/forums/index.p...amp;#entry76587

Next, copy and paste the following bolded text into the "Browse to the file you want to submit:" box:
C:\avenger\backup.zip
Or just browse to that location in your file system by clicking the "Browse" button.

Then click 'Send File'

Let me know when that has been done, and thank you! This will enable us to improve MBAM's detection and removal capabilities.

The process you're referring to, CF31775.exe, is indeed part of Combofix; it is only a renamed copy of cmd.exe that is running. You can safely end that, but you may just want to perform the following instructions, as it will not relaunch on reboot.

I'd also like you to clean all your temps with ATF Cleaner, again.
Then disable all active protection.
Then reboot and run another "Rootkit/Malware" scan by launching the randomly named EXE in your C:\ARK folder.
Please save the antirootkit scan log by copying and pasting it to a Notepad file, and then paste the results back in your next reply. Re-enable all active protection.
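The CF31775.exe question from post #16 is the kind of thing a log triage script can surface on its own. The Python below is an added example, not a HijackThis feature and not code from this thread: it parses the HijackThis v2.0.2 log from post #15 (copied from that post, abridged to the running-process list and the R1, O2, O15, O16 and O23 lines), cross-checks every running process under %SystemRoot% against the executables the O23 service lines declare and against a small assumed set of core XP binaries, and lists the IE proxy setting and the browser add-on and trust entries for review. The core-binary set and the flagging rules are heuristics I am assuming here; a finding means "verify", never "malicious".

```python
"""Triage a HijackThis v2 log: cross-check running processes against O23 service
lines and flag settings worth a second look. Added example for this thread, not a
HijackThis feature; the log excerpt is copied (abridged) from post #15 and the
CORE_WINDOWS set plus the flagging rules are assumed heuristics."""
import re

HJT_LOG = r'''
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CF31775.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O15 - Trusted Zone: *.taxsoftware.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
'''

# Binaries expected to run from %SystemRoot% on an XP box (assumption; extend for your build).
CORE_WINDOWS = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                "spoolsv.exe", "rundll32.exe", "ctfmon.exe", "explorer.exe"}
ENTRY_RE = re.compile(r'^([RFO]\d+) - (.*)$')                      # "O2 - BHO: ..."
O23_RE = re.compile(r'^Service: (.+?) \((.+?)\) - (.+?) - (.+)$')   # name (short) - company - path
R1_RE = re.compile(r'^(HK\w+)\\(.+),(\w+) = (.*)$')                 # hive\key,value = data


def parse_hjt(text):
    """Return (running processes, [(code, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
        elif m := ENTRY_RE.match(line):
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def declared_services(entries):
    """Lower-cased executable path -> (display name, company) from the O23 lines."""
    out = {}
    for code, body in entries:
        if code == "O23" and (m := O23_RE.match(body)):
            out[m.group(4).lower()] = (m.group(1), m.group(3))
    return out


def triage(text):
    """List of (category, subject, why) findings; empty means nothing to check."""
    processes, entries = parse_hjt(text)
    services = declared_services(entries)
    findings = []
    for proc in processes:
        low = proc.lower()
        if low in services:
            continue                                   # path is declared by an O23 service line
        if low.startswith("c:\\windows\\") and low.rsplit("\\", 1)[-1] not in CORE_WINDOWS:
            findings.append(("process", proc, "under %SystemRoot% but neither a core binary nor a declared service"))
    for code, body in entries:
        if code == "R1" and (m := R1_RE.match(body)) and m.group(3) == "ProxyServer" and m.group(4):
            findings.append(("proxy", m.group(4), "IE proxy is set; identify the program listening there"))
        elif code in ("O2", "O15", "O16"):
            findings.append((code, body, "browser add-on or trust entry; confirm it is wanted"))
    return findings


if __name__ == "__main__":
    for category, subject, why in triage(HJT_LOG):
        print(f"[{category}] {subject}\n    {why}")
```

On this log the only process finding is C:\WINDOWS\system32\CF31775.exe, which post #17 identifies as ComboFix's renamed cmd.exe; nvsvc32.exe is not flagged because the NVSvc O23 line declares that exact path. The proxy finding is the R1 line setting ProxyServer = http=localhost:7171. The log does not say which program listens on that port and the thread does not discuss it, so the right move is to identify the listener (netstat -ano on XP) before deciding whether the setting belongs there.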

#18
Alana (New Member; Members; 13 posts)
Hello again - I posted the avenger file to the submission webpage, and I followed all of the other steps hopefully correctly.

Thanks again, and here is my antirootkit log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-27 14:19:28
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)

---- EOF - GMER 1.0.15 ----

#19
negster22 (Elite Member; Experts; 1,130 posts; Location: Westchester County, NY)
Good job, Alana! Your computer is clean now. :P

Thank you for the file submission.

The antirootkit scan results are perfect.

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line (include the quotes) into the Open box and click OK.

"%userprofile%\desktop\Trajectory.exe" /u

Note: You will have to issue the above command for all renamed combofix EXEs that you have launched. For example, to remove gadget.exe and its associated files, repeat the above - but copy/paste the following on the run line and then click OK:
"%userprofile%\desktop\gadget.exe" /u


This will do the following:
  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock

Also, delete the following folders and their contents:
C:\Avenger\
C:\ARK\

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI)

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing!

#20
Alana (New Member; Members; 13 posts)
Hello negster22 -

One last update - I was able to uninstall ComboFix and delete the Avenger and ARK files, and I have also been working through the other suggestions you made to keep my machine from getting re-infected. Hopefully I won't be back on this forum with another Trojan for awhile, but I'd like to thank-you a million for all of your help!

Alana
