I've been fighting through a fairly nasty infection and I'm left with one resistant creature that resists the best efforts of the normally available tools. Probably most noteworthy is that a Google search on the culprit returns absolutely no results at all... when have you ever heard of that happening? On the off chance that this might be something new, I thought I'd better start a new thread.

At this point my system is pretty well cleaned up. I've run both HJT and Security Task Manager to whittle down running tasks, IE add-ons, and HJT log entries down to next to nothing. A full scan with Ad-aware has run clean and a run of AVG (ewido) gives 4 detected respawning objects: 3 cookies and 1 trojan (C:\System Volume Information\_restore{21D7D692-4662-421F-39B0-877BC3820711}\RP1417\A0100808.vbs). There is, however, clearly something very nasty remaining.

Two symptoms: 1) with my ethernet connection disabled, occasionally a window pops up asking me if I want to work offline, and 2) Security Task Manager still shows an IE add-on that I can't eliminate.

There were two offending IE add-ons that were identified by STM: wvuussr.dll and rqrst.dll. Both of these are of the type that get loaded early in the bootup cycle and regenerate their registry entries, so they can't just be deleted in the normal ways. I entered Safe Mode, ran HJT and marked both files to be deleted on reboot. rqrst.dll went away, but wvuussr.dll remains. I've tried this with wvuussr two additional times and it just doesn't want to die. (Try Googling wvuussr.dll... nothing found!) At the end of this I'm appending the HJT log after a normal boot. I've also included three attachments: 1) hijackthisSafe.log is an HJT log after reboot in Safe Mode, 2) hijackthisStart is the HJT log given below from just after a normal boot, and 3) is a tidied-up version of the list of Windows processes exported from Security Task Manager.

If anyone can help with this, I'd be grateful. My last resort is to write an app that stomps on the filename in the filesystem entry. As you might guess, I'm reluctant to do this except as a LAST resort.

Logfile of HijackThis v1.99.1
Scan saved at 3:20:05 PM, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\packages\VerminTools\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
O2 - BHO: (no name) - {6AAC65E6-4DE2-4766-9352-2960C2BC6F54} - C:\WINDOWS\system32\wvuussr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Attachments
Security Task Manager: Computer ..., User ..., 2/8/2007 3:23:34 PM

Name 			Rating 	Memory 	Active 	File 						Type 	Title, Description 	Manufacturer : product

wvuussr.dll		92%			C:\WINDOWS\system32\wvuussr.dll			Internet (Browser Extension)	-
Alps Pointing-device ...74%	6.0 MB		C:\Program Files\Apoint\Apoint.exe		Program	Europa	Alps Electric Co., Ltd. : Alps Pointing-device Driver
AVG Anti-Spyware guard	42%	1.0 MB	0:02	C:\Program Files\Grisoft\AVG ...\guard.exe	Program	Anti-Malware Development a.s. : AVG Anti-Spyware
PRISMSVR.EXE" /APPLY	21%			"C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY	Program	PRISMSVR.EXE (not active)	-
Microsoft SQL Server ...21%	1.1 MB	0:01	c:\Program Files\Mic...\MSSQL\Binn\sqlservr.exe	Program	SQL Server Windows NT - NT INTEL X86	Microsoft Corporation : Microsoft SQL Server
NVIDIA Driver Helper ...17%	2.0 MB		C:\WINDOWS\System32\nvsvc32.exe			Program	NVSVCPMMWindowClass	NVIDIA Corporation : NVIDIA Driver Helper Service, Version 44.82
Alps Pointing-device ...17%	1.6 MB		C:\Program Files\Apoint\Apntex.exe		Program	C:\Program Files\Apoint\Apntex.exe	Alps Electric Co., Ltd. : Alps Pointing-device Driver for Windows NT/2000
NVIDIA Display Prop  ...0%			C:\WINDOWS\System32\NvCpl.dll			Program	NvCplDaemon (not active)	NVIDIA Corporation : NVIDIA Compatible Windows 2000 Display driver, Version 44.82 
NVIDIA nView Wizard, ...0%			C:\WINDOWS\system32\nwiz.exe			Program	nwiz (not active)	NVIDIA Corporation : NVIDIA nView Wizard, Version 44.82 
Security Task Manager	0%	11.5 MB	0:04	C:\Program Files\Security Task ...\TaskMan.exe	Program	Security Task Manager	A. & M. Neuber Software : Security Task Manager
Windows Explorer	0%	20.5 MB	0:10	C:\WINDOWS\Explorer.EXE				Program	Microsoft Corporation : Microsoft Windows Operating System

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

SmitFraudFix v2.141
Scan done at 9:35:03.69, Fri 02/09/2007
Run from C:\packages\VerminTools\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\svchosts.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\John
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\John\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\John\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Thanks. I did this after your initial post, with no improvement. It did remove a bad svchost file, but this is just a secondary symptom that seems to be correctable with the conventional tools. I'm pretty convinced all the respawnings point back to C:\Windows\SYSTEM32\wvuussr.dll ... and as yet, I still haven't found a way to remove it.

I do not want to get in Crunchie's way here, but try this:

1. Download this file :
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. DoubleClick combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Please submit that for us.

Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall...


-- Rename HijackThis.exe to something else such as HJTscan.exe. Certain baddies such as VUNDO hide from HijackThis.exe. Your symptoms sound like VUNDO - though I doubt the BHO is VUNDO-related because it is showing in the log.
A Combofix log will tell a bit more... . .


And, you've got this piece of adware:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
Probably partially cleaned by one of your antispy apps. I don't see a resident AV... that would probably have gotten it as well.
You might want to double-check this . . . And certainly delete C:\WINDOWS\Sm9obg

I will butt out now - hate to step on a moderator's toes! :cool:


Best Luck :)
PP

Very handy tool... thanks. I've posted the log below, but I've also added it as an attachment to make reading it easier.

I have a few comments to add: The BHO and Winlogon entries in the HJT log do not appear after every reboot. EVERY time after I clean everything out after a reboot, a companion SYSTEM32 dll file turns up in my Security Task Manager list. I can't make wvuussr.dll go away, but the others can be coerced: if I kill off rqrst.dll, go into safe mode and remove the file, then on the next reboot I get something that replaces rqrst.dll, but with a completely new name, like xxyvv.dll or gdqiosko.dll, etc. It seems like the name is generated at random (which would be pretty smart for a trojan trying to stay hidden). Also, I could not see the directory Sm9obg with Windows Explorer, but I could with Command Prompt (yes, I can see all of the other hidden and system files). And yes, I normally do have AVG running, but I had shut it down to get the bare minimum number of processes running.

And please don't butt out... I'm an old OS internals guy and one thing I learned early on is that no one person has every gem at his fingertips. The more people I ping the smarter I get. I've resisted delving into NT/XP internals, but I probably won't let this go until I understand how a file can be kept from being deleted during the boot cycle. (Btw, while I may be a Reds fan, I have still enjoyed watching the Phillies play at old Crosley Field, Riverfront, Wrigley, St. Louis, San Diego, Dodger Stadium, and Candlestick.)

"John" - 07-02-09 19:12:42 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\packages\VerminTools"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\unsvchosts.exe
C:\DOCUME~1\LOCALS~1\Application Data\NetMon
C:\DOCUME~1\NETWOR~1\Application Data\NetMon
C:\WINDOWS\Sm9obg
C:\Program Files\Common Files\{3C6AE~1
C:\Program Files\Common Files\{5C6AE~2
C:\Program Files\Common Files\{5C6AE~1
C:\DOCUME~1\John\Application Data\SearchToolbarCorp
C:\Program Files\InetGet2
C:\Program Files\outlook

((((((((((((((((((((((((((((((( Files Created from 2007-01-09 to 2007-02-09 ))))))))))))))))))))))))))))))))))


2007-02-09 15:33 990,157 ---hs---- C:\WINDOWS\SYSTEM32\vvyxx.bak2
2007-02-09 15:33 118,804 --a------ C:\WINDOWS\SYSTEM32\fgwgrewt.dll
2007-02-09 14:42 277,146 ---hs---- C:\WINDOWS\SYSTEM32\xxyvv.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\ljhef.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\iifgf.dll
2007-02-09 09:10 1,534 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-02-08 22:39 991,069 ---hs---- C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-08 22:39 76,412 --a------ C:\WINDOWS\SYSTEM32\eqbcgmdu.dll
2007-02-08 22:39 118,804 --a------ C:\WINDOWS\SYSTEM32\uoeoeloc.dll
2007-02-08 12:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SecTaskMan
2007-02-08 12:02 <DIR> d-------- C:\Program Files\Security Task Manager2
2007-02-08 12:01 <DIR> d-------- C:\Program Files\Security Task Manager
2007-02-08 02:33 1,006,205 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.ini2
2007-02-08 01:31 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-02-08 01:30 <DIR> d-------- C:\Program Files\Grisoft
2007-02-07 23:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2007-02-07 23:18 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-02-07 23:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2007-02-07 20:14 990,939 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak2
2007-02-06 19:09 974,781 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak1
2007-02-06 19:09 76,412 --a------ C:\WINDOWS\SYSTEM32\ikgxtudp.dll
2007-02-06 18:55 22,686 ---h----- C:\WINDOWS\SYSTEM32\wvuussr.dll
2007-02-05 16:26 417,792 --a------ C:\Program Files\Video.exe
2007-02-05 16:26 417,792 --a------ C:\Program Files\Track_03.exe
2007-02-05 16:26 393,216 --a------ C:\WINDOWS\SYSTEM32\hui.exe
2007-02-05 16:26 393,216 --a------ C:\Program Files\Setup.exe
2007-02-05 16:26 3,464 --a------ C:\WINDOWS\SYSTEM32\dr.exe
2007-02-05 16:26 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-09 19:08 24742 --a------ C:\WINDOWS\SYSTEM32\nvmodes.dat
2007-02-09 15:42 -------- d-------- C:\Program Files\apoint
2007-02-08 13:10 -------- d-------- C:\Program Files\Common Files\adobe
2007-02-08 13:08 -------- d-------- C:\Program Files\microsoft works
2007-02-08 11:06 25214 --a------ C:\Program Files\b.ico
2007-02-08 11:06 25214 --a------ C:\Program Files\a.ico
2007-02-08 11:06 218606 --a------ C:\Program Files\c.zip
2007-02-08 11:06 217706 --a------ C:\Program Files\b.zip
2007-02-08 11:06 201627 --a------ C:\Program Files\a.zip
2007-01-02 19:19 1880 --a------ C:\WINDOWS\autolnch.reg
2006-12-13 18:03 -------- d-------- C:\Program Files\Common Files\symantec shared


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"nwiz"="nwiz.exe /installquiet"
"PRISMSVR.EXE"="\"C:\\WINDOWS\\system32\\PRISMSVR.EXE\" /APPLY"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6AAC65E6-4DE2-4766-9352-2960C2BC6F54}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuussr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20070209-153851-808
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\fgwgrewt.dll",setvm
backup-20070209-102249-104
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
backup-20070209-102249-431
O2 - BHO: (no name) - {6AAC65E6-4DE2-4766-9352-2960C2BC6F54} - C:\WINDOWS\system32\wvuussr.dll
backup-20070209-102203-332
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
backup-20070209-102202-706
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll (file missing)
backup-20070209-102202-133
O2 - BHO: (no name) - {6AAC65E6-4DE2-4766-9352-2960C2BC6F54} - C:\WINDOWS\system32\wvuussr.dll
backup-20070208-232315-355
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\uoeoeloc.dll",setvm
backup-20070208-144709-400
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
backup-20070208-144643-439
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
backup-20070208-144643-974
O20 - Winlogon Notify: rqrst - C:\WINDOWS\system32\rqrst.dll
backup-20070208-140056-884
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
backup-20070208-115122-325
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
backup-20070208-114326-334
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
backup-20070208-114326-305
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
backup-20070208-113639-276
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
backup-20070208-105254-635
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\xspflmnq.dll",setvm
backup-20070208-104504-898
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20070208-102341-557
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\iwinmkqa.dll",setvm
backup-20070208-102202-207
backup-20070208-102127-870
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20070208-102044-544
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
backup-20070208-101938-871
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
backup-20070208-101938-793
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
backup-20070208-101938-772
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
backup-20070208-101938-729
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
backup-20070208-101938-818
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
backup-20070208-101938-342
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
backup-20070208-101938-468
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070208-101938-810
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
backup-20070208-101938-806
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
backup-20070208-101938-475
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20070208-101938-543
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
backup-20070208-101938-721
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
backup-20070208-101647-376
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20070208-101647-404
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20070208-101647-981
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
backup-20070208-101647-536
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL (file missing)
backup-20070207-232429-731
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
backup-20070207-232429-813
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
backup-20070207-230404-828
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
backup-20070207-230114-367
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
backup-20070207-230114-197
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
backup-20070207-230006-866
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
backup-20070207-230006-656
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
backup-20070207-225923-548
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
backup-20070207-225923-631
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
backup-20070207-224123-140
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
backup-20070207-223600-298
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
********************************************************************
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-02-09 19:25:27

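Added example, not part of the thread or of any of the tools it mentions: a small Python triage script that applies the pattern visible in the first post and in the ComboFix log above. It flags an unnamed O2 BHO and an O20 Winlogon Notify package that both point at the same hidden DLL under system32 (wvuussr.dll here, whose CLSID also appears under explorer\shellexecutehooks in the ComboFix registry dump), treats rundll32 "DllRunning" Run entries as review items, and pairs the hidden/system .bak/.ini files in the "Files Created" listing with the DLL whose name they spell backwards (vvyxx.bak2 and xxyvv.dll, ttstv.bak1 and vtstt.dll, tsrqr.* and rqrst.dll in the listing above). The log lines embedded in the script are a constructed subset modelled on the thread, the list of default XP Winlogon notification packages is an assumption used as an allowlist, and the scoring weights are arbitrary.

```python
"""Triage HijackThis / ComboFix output for the pattern seen in this thread: an unnamed BHO
and a Winlogon Notify package pointing at the same hidden system32 DLL, rundll32 "DllRunning"
loaders, and .bak/.ini companions whose names are the DLL name spelled backwards.
Added example; the embedded log lines are a constructed subset modelled on the thread."""
import re

# Winlogon notification packages shipped with Windows XP SP2 (assumption: used as a benign allowlist).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

HJT_SAMPLE = r"""O2 - BHO: (no name) - {6AAC65E6-4DE2-4766-9352-2960C2BC6F54} - C:\WINDOWS\system32\wvuussr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\fgwgrewt.dll",setvm
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
O20 - Winlogon Notify: rqrst - C:\WINDOWS\system32\rqrst.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
COMBOFIX_SAMPLE = r"""2007-02-09 15:33 990,157 ---hs---- C:\WINDOWS\SYSTEM32\vvyxx.bak2
2007-02-09 15:33 118,804 --a------ C:\WINDOWS\SYSTEM32\fgwgrewt.dll
2007-02-09 14:42 277,146 ---hs---- C:\WINDOWS\SYSTEM32\xxyvv.dll
2007-02-08 22:39 991,069 ---hs---- C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-08 02:33 1,006,205 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.ini2
2007-02-06 18:55 22,686 ---h----- C:\WINDOWS\SYSTEM32\wvuussr.dll
2007-02-08 12:01 <DIR> d-------- C:\Program Files\Security Task Manager
"""

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+?)\s*$")
DLL_RE = re.compile(r"([A-Za-z]:\\[^\"<>|]*?\.dll)", re.IGNORECASE)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_hjt(text):
    """Return (section, value name, dll path) for O2 / rundll32 O4 / O20 lines."""
    entries = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        dll = DLL_RE.search(m.group(2)) if m else None
        if not dll:
            continue
        section, rest = m.groups()
        if section == "O2":                                      # BHO: <name> - {CLSID} - <path>
            name = rest.split(" - ")[0].replace("BHO:", "").strip()
        elif section == "O4" and "rundll32" in rest.lower():     # [<value>] rundll32 <dll>,<export>
            name = rest[rest.index("[") + 1:rest.index("]")]
        elif section == "O20":                                   # Winlogon Notify: <package> - <path>
            name = rest.split(":", 1)[1].split(" - ")[0].strip()
        else:
            continue
        entries.append((section, name, dll.group(1)))
    return entries


def parse_combofix_files(text):
    """Return (path, size, attribute string) for each 'Files Created' line."""
    rows = [FILE_RE.match(line.strip()) for line in text.splitlines()]
    return [(m.group(3), m.group(1), m.group(2)) for m in rows if m]


def score_entries(entries, files):
    """Map DLL basename -> (score, reasons); a score of 2 or more is worth treating as hostile."""
    attrs = {basename(p): a for p, _s, a in files}
    hooks = {}                                    # HJT sections that reference each DLL
    for section, _n, path in entries:
        hooks.setdefault(basename(path), set()).add(section)
    verdicts = {}
    for section, name, path in entries:
        dll, sys32 = basename(path), "\\system32\\" in path.lower()
        score, reasons = verdicts.get(dll, (0, []))
        if section == "O2" and name == "(no name)" and sys32:
            score, reasons = score + 2, reasons + ["unnamed BHO loaded from system32"]
        elif section == "O20" and name.lower() not in KNOWN_NOTIFY:
            score, reasons = score + 2, reasons + [f"Winlogon Notify '{name}' is not a Windows default"]
        elif section == "O4" and sys32:
            score, reasons = score + 1, reasons + [f"rundll32 loader '{name}' in a Run key"]
        verdicts[dll] = (score, reasons)
    for dll, (score, reasons) in list(verdicts.items()):   # cross-checks over the whole log
        if len(hooks[dll]) > 1:
            score, reasons = score + 2, reasons + ["same DLL hooked as " + " and ".join(sorted(hooks[dll]))]
        if "h" in attrs.get(dll, ""):
            score, reasons = score + 1, reasons + ["file carries the hidden attribute"]
        verdicts[dll] = (score, reasons)
    return verdicts


def reversed_companions(files, entries):
    """Pair non-DLL files with the DLL whose name is theirs spelled backwards."""
    stems = {basename(p).rsplit(".", 1)[0] for _s, _n, p in entries}
    stems |= {basename(p).rsplit(".", 1)[0] for p, _s, _a in files if basename(p).endswith(".dll")}
    pairs = []
    for path, _size, _attrs in files:
        stem, _, ext = basename(path).rpartition(".")
        if stem and ext != "dll" and stem[::-1] in stems and stem[::-1] != stem:
            pairs.append((basename(path), stem[::-1] + ".dll"))
    return sorted(pairs)


def triage(hjt_text, combofix_text):
    """Return (suspicious DLLs, reversed-name companions, full verdict map)."""
    entries, files = parse_hjt(hjt_text), parse_combofix_files(combofix_text)
    verdicts = score_entries(entries, files)
    bad = sorted(d for d, (s, _r) in verdicts.items() if s >= 2)
    return bad, reversed_companions(files, entries), verdicts


if __name__ == "__main__":
    bad, pairs, verdicts = triage(HJT_SAMPLE, COMBOFIX_SAMPLE)
    for dll in bad:
        print(f"{dll}: score {verdicts[dll][0]}; " + "; ".join(verdicts[dll][1]))
    for companion, dll in pairs:
        print(f"{companion} is {dll} spelled backwards")
```

Run it against the full HJT log and the "Files Created" section of a ComboFix report rather than the excerpt. The signal worth acting on is a DLL that is both a BHO and a Winlogon Notify package and has a reversed-name companion: the Notify hook loads the DLL into winlogon.exe at logon, before Explorer or any user-mode cleanup tool runs, and the hidden .bak/.ini files are what the log shows being created alongside each newly named DLL. The NvCpl.dll entry scores only 1 on purpose; a rundll32 loader in a Run key is common for legitimate drivers and is a review item, not a verdict.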
backup-20070208-102341-557 
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\iwinmkqa.dll",setvm
backup-20070208-102202-207 
backup-20070208-102127-870 
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20070208-102044-544 
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
backup-20070208-101938-871 
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
backup-20070208-101938-793 
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
backup-20070208-101938-772 
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
backup-20070208-101938-729 
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
backup-20070208-101938-818 
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
backup-20070208-101938-342 
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
backup-20070208-101938-468 
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070208-101938-810 
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
backup-20070208-101938-806 
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
backup-20070208-101938-475 
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20070208-101938-543 
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
backup-20070208-101938-721 
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
backup-20070208-101647-376 
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20070208-101647-404 
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
backup-20070208-101647-981 
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
backup-20070208-101647-536 
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL (file missing)
backup-20070207-232429-731 
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQ
0

And please don't butt out... I'm an old OS internals guy and one thing I learned early on is that no one person has every gem at his fingertips. The more people I ping the smarter I get. I've resisted delving into NT/XP internals, but I probably won't let this go until I understand how a file can be kept from being deleted during the boot cycle. (Btw, while I may be a Reds fan, I have still enjoyed watching the Phillies play at old Crosley Field, Riverfront, Wrigley, St. Louis, San Diego, Dodger Stadium, and Candlestick.)

I've seen plenty of Reds games in my time - was fortunate enough to see the Big Red Machine in the mid-70s.

I have listened to Marty and Joe since Marty signed on about '74ish..... Sad to see the way they kinda forced old Joe out.


-- Anyhoo, I really don't want to hijack Crunchie's action here. Too many cooks spoil the broth, and all that....

The combofix log shows a number of baddies including, as I suspected, VUNDO. I'm not sure if Atribune's removal tool will get this one - manual removal may be in order - but I would suggest doing the following first:

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt

-- Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot. . . .


**
As I mentioned, there are some other items in the Combofix log that Crunchie will probably want you to have a go at....


Best Luck :)
PP

BTW: I am always happy to talk Baseball. Feel free to look me up at my home Forum ---> Iamnotageek.com

0

No problem with butting in PhilliePhan :). Feel free. For some reason, that combofix log looks like crap. Can you read that ok?

==

burnsy.

Download the tool below:

http://noahdfear.geekstogo.com/FindAWF.exe

Save the file to your desktop and double click it to start it.

It will scan files on your C: drive and then when finished it will produce a log called awf.txt. Please post that log in your next reply.

0

No problem with butting in PhilliePhan :). Feel free. For some reason, that combofix log looks like crap. Can you read that ok?

I think it is a formatting issue with the default text editor. When I choose to "reply with quote" (or perhaps even just reply and scroll down), logs are formatted properly in the quotebox and elsewhere in the thread and I just copy them to notepad and look at them that way.....

--- I did not see any of the files typically replaced by AWF but here is the top part of the combofix log. Besides the Vundo, there are a few oddities that bear further scrutiny:

"John" - 07-02-09 19:12:42 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\packages\VerminTools"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\unsvchosts.exe
C:\DOCUME~1\LOCALS~1\Application Data\NetMon
C:\DOCUME~1\NETWOR~1\Application Data\NetMon
C:\WINDOWS\Sm9obg
C:\Program Files\Common Files\{3C6AE~1
C:\Program Files\Common Files\{5C6AE~2
C:\Program Files\Common Files\{5C6AE~1
C:\DOCUME~1\John\Application Data\SearchToolbarCorp
C:\Program Files\InetGet2
C:\Program Files\outlook

((((((((((((((((((((((((((((((( Files Created from 2007-01-09 to 2007-02-09 ))))))))))))))))))))))))))))))))))


2007-02-09 15:33 990,157 ---hs---- C:\WINDOWS\SYSTEM32\vvyxx.bak2
2007-02-09 15:33 118,804 --a------ C:\WINDOWS\SYSTEM32\fgwgrewt.dll
2007-02-09 14:42 277,146 ---hs---- C:\WINDOWS\SYSTEM32\xxyvv.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\ljhef.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\iifgf.dll
2007-02-09 09:10 1,534 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-02-08 22:39 991,069 ---hs---- C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-08 22:39 76,412 --a------ C:\WINDOWS\SYSTEM32\eqbcgmdu.dll
2007-02-08 22:39 118,804 --a------ C:\WINDOWS\SYSTEM32\uoeoeloc.dll
2007-02-08 12:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SecTaskMan
2007-02-08 12:02 <DIR> d-------- C:\Program Files\Security Task Manager2
2007-02-08 12:01 <DIR> d-------- C:\Program Files\Security Task Manager
2007-02-08 02:33 1,006,205 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.ini2
2007-02-08 01:31 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-02-08 01:30 <DIR> d-------- C:\Program Files\Grisoft
2007-02-07 23:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2007-02-07 23:18 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-02-07 23:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2007-02-07 20:14 990,939 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak2
2007-02-06 19:09 974,781 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak1
2007-02-06 19:09 76,412 --a------ C:\WINDOWS\SYSTEM32\ikgxtudp.dll
2007-02-06 18:55 22,686 ---h----- C:\WINDOWS\SYSTEM32\wvuussr.dll
2007-02-05 16:26 417,792 --a------ C:\Program Files\Video.exe
2007-02-05 16:26 417,792 --a------ C:\Program Files\Track_03.exe
2007-02-05 16:26 393,216 --a------ C:\WINDOWS\SYSTEM32\hui.exe
2007-02-05 16:26 393,216 --a------ C:\Program Files\Setup.exe
2007-02-05 16:26 3,464 --a------ C:\WINDOWS\SYSTEM32\dr.exe
2007-02-05 16:26 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-09 19:08 24742 --a------ C:\WINDOWS\SYSTEM32\nvmodes.dat
2007-02-09 15:42 -------- d-------- C:\Program Files\apoint
2007-02-08 13:10 -------- d-------- C:\Program Files\Common Files\adobe
2007-02-08 13:08 -------- d-------- C:\Program Files\microsoft works
2007-02-08 11:06 25214 --a------ C:\Program Files\b.ico
2007-02-08 11:06 25214 --a------ C:\Program Files\a.ico
2007-02-08 11:06 218606 --a------ C:\Program Files\c.zip
2007-02-08 11:06 217706 --a------ C:\Program Files\b.zip
2007-02-08 11:06 201627 --a------ C:\Program Files\a.zip
2007-01-02 19:19 1880 --a------ C:\WINDOWS\autolnch.reg
2006-12-13 18:03 -------- d-------- C:\Program Files\Common Files\symantec shared


Cheers :)
PP

0

Thanks gentlemen. It was VUNDO.

I ran VundoFix.exe (log below) and it deleted the offending files (and others). On reboot, the files were gone, but Security Task Manager still registered the wvuussr.dll entry. STM removed lingering registry entries. Ad-aware found one additional bad registry entry, but AVG (ewido) ran clean. After another reboot HJT, STM, Ad-aware and AVG ran clean. Subsequently I ran AWF and it also ran clean.

Before I close the thread, I have two remaining questions: 1) what's up with the formatting on that last post of mine... after I first posted it and reread it, it appeared normal - but today it showed the inserted tags???; 2) how is it that VundoFix could delete the file and HJT couldn't?

Thanks again everyone for all the help.


VundoFix V6.3.6
Checking Java version...
Scan started at 2:29:43 PM 2/10/2007
Listing files found while scanning....
C:\WINDOWS\SYSTEM32\coleoeou.ini
C:\WINDOWS\SYSTEM32\fgwgrewt.dll
C:\WINDOWS\system32\gdqjosko.dll
C:\WINDOWS\SYSTEM32\twergwgf.ini
C:\WINDOWS\SYSTEM32\uoeoeloc.dll
C:\WINDOWS\SYSTEM32\wvuussr.dll
C:\WINDOWS\system32\xxyvv.dll
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\coleoeou.ini
C:\WINDOWS\SYSTEM32\coleoeou.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\fgwgrewt.dll
C:\WINDOWS\SYSTEM32\fgwgrewt.dll Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\twergwgf.ini
C:\WINDOWS\SYSTEM32\twergwgf.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\uoeoeloc.dll
C:\WINDOWS\SYSTEM32\uoeoeloc.dll Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\wvuussr.dll
C:\WINDOWS\SYSTEM32\wvuussr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyvv.dll
C:\WINDOWS\system32\xxyvv.dll Has been deleted!
Performing Repairs to the registry.
Done!

0

Hang in there for Crunchie to post back - Your combofix log showed a number of additional baddies not related to Vundo.

-- Vundo is tricky in that it has all sorts of backups and protections that reinstall it. Vundo has been around for a long time and there are many different versions/variations on it.
Unscrupulous affiliates use it to extort people into buying their crappy Anti-spy apps.
One popular one was WinFixer. Often, you'll hear of Vundo referred to as WinFixer because of this....


Anyhoo, as I mentioned, there are still a few baddies yet to be dealt with.
I am going to step out and let Crunchie continue here. Doesn't seem right to have two volunteers working one thread when so many more go unanswered.....


-- In addition, I do not see any reference to these being removed:
C:\WINDOWS\SYSTEM32\tsrqr.ini2
C:\WINDOWS\SYSTEM32\tsrqr.bak2
C:\WINDOWS\SYSTEM32\tsrqr.bak1
+ a few others (I listed them below)

I have seen a ton of Vundo over the last few years and these follow the pattern (ini & bak extensions).
This is why I was not sure if Atribune's removal tool would get it all.

Anyhoo, I'm sure crunchie will get you sorted out!

Cheers :)
PP

Here - I'll list all the ones that jump out at me - Some are definitely Vundo or other Malware and a few are "iffy," meaning that I do not know what they are....

2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\ljhef.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\iifgf.dll
2007-02-09 09:10 1,534 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-02-08 22:39 991,069 ---hs---- C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-08 22:39 76,412 --a------ C:\WINDOWS\SYSTEM32\eqbcgmdu.dll
2007-02-08 02:33 1,006,205 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.ini2
2007-02-07 20:14 990,939 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak2
2007-02-06 19:09 974,781 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak1
2007-02-06 19:09 76,412 --a------ C:\WINDOWS\SYSTEM32\ikgxtudp.dll
2007-02-05 16:26 417,792 --a------ C:\Program Files\Video.exe
2007-02-05 16:26 417,792 --a------ C:\Program Files\Track_03.exe
2007-02-05 16:26 393,216 --a------ C:\WINDOWS\SYSTEM32\hui.exe
2007-02-05 16:26 393,216 --a------ C:\Program Files\Setup.exe
2007-02-05 16:26 3,464 --a------ C:\WINDOWS\SYSTEM32\dr.exe
2007-02-09 19:08 24742 --a------ C:\WINDOWS\SYSTEM32\nvmodes.dat
2007-02-08 11:06 25214 --a------ C:\Program Files\b.ico
2007-02-08 11:06 25214 --a------ C:\Program Files\a.ico
2007-02-08 11:06 218606 --a------ C:\Program Files\c.zip
2007-02-08 11:06 217706 --a------ C:\Program Files\b.zip
2007-02-08 11:06 201627 --a------ C:\Program Files\a.zip
2007-01-02 19:19 1880 --a------ C:\WINDOWS\autolnch.reg

0
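A defender-side script, added here and not part of the thread or of any tool it mentions, that parses ComboFix file-listing lines and HijackThis O2/O20 lines and flags the traits PhilliePhan points at: hidden+system files in SYSTEM32, numbered .bak/.ini backup extensions, and backup names that are a loader DLL's name spelled backwards (tsrqr/rqrst, ttstv/vtstt, vvyxx/xxyvv). The sample lines are constructed from the thread's log format; the flag wording is my own.

```python
import re
from collections import namedtuple

# ComboFix listing line: date, time, size ("1,006,205" or "<DIR>"), nine attribute flags, path.
FileEntry = namedtuple("FileEntry", "date time size attrs path")

# Constructed sample in the ComboFix "Files Created" layout, using names from the thread.
SAMPLE_LOG = r"""
2007-02-09 15:33 990,157 ---hs---- C:\WINDOWS\SYSTEM32\vvyxx.bak2
2007-02-09 14:42 277,146 ---hs---- C:\WINDOWS\SYSTEM32\xxyvv.dll
2007-02-08 22:39 991,069 ---hs---- C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-08 02:33 1,006,205 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.ini2
2007-02-06 18:55 22,686 ---h----- C:\WINDOWS\SYSTEM32\wvuussr.dll
2007-02-08 01:31 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
""".strip()

# Constructed sample of HijackThis O2/O20 lines (the loader DLLs seen in the thread).
SAMPLE_HJT = [
    r"O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll",
    r"O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll (file missing)",
    r"O20 - Winlogon Notify: rqrst - C:\WINDOWS\system32\rqrst.dll",
    r"O2 - BHO: (no name) - {6AAC65E6-4DE2-4766-9352-2960C2BC6F54} - C:\WINDOWS\system32\wvuussr.dll",
]

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+?)\s*$")
BACKUP_RE = re.compile(r"\.(?:bak|ini)\d*$", re.IGNORECASE)

def parse_combofix(text):
    """Parse 'Files Created' / 'Find3M' lines; anything that does not match is skipped."""
    return [FileEntry(*m.groups()) for m in map(LINE_RE.match, text.splitlines()) if m]

def loader_dll_stems(hjt_lines):
    """Base names of DLLs registered as Winlogon Notify (O20) or BHO (O2) loaders."""
    stems = set()
    for line in hjt_lines:
        m = re.search(r"\\([^\\]+)\.dll\b", line, re.IGNORECASE)
        if line.startswith(("O20 -", "O2 -")) and m:
            stems.add(m.group(1).lower())
    return stems

def _stem(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()

def flag_vundo_pattern(entries, loaders):
    """Return {path: [reasons]} for entries showing the Vundo traits discussed in the thread."""
    dll_stems = {_stem(e.path) for e in entries if e.path.lower().endswith(".dll")} | loaders
    flagged = {}
    for e in entries:
        stem, rev, reasons = _stem(e.path), _stem(e.path)[::-1], []
        if "\\system32\\" in e.path.lower() and "h" in e.attrs and "s" in e.attrs:
            reasons.append("hidden+system file in SYSTEM32")
        if BACKUP_RE.search(e.path):
            reasons.append("Vundo-style .bak/.ini backup extension")
        if rev != stem and rev in dll_stems:
            reasons.append(f"name is the reverse of DLL '{rev}'")
        if stem in loaders:
            reasons.append("registered as Winlogon Notify/BHO loader")
        if reasons:
            flagged[e.path] = reasons
    return flagged
```

Feed it the full "Files Created" and "Find3M" sections plus the HJT O2/O20 lines, and the unflagged remainder (the .ico, .zip and .exe files above) is what still needs the Jotti/VirusTotal check rather than a pattern match.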

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text (including the 'Files to delete') contained in the code box below to your clipboard by highlighting it and pressing Ctrl+C:

Files to delete:
C:\WINDOWS\system32\unsvchosts.exe
C:\WINDOWS\SYSTEM32\iifgf.dll
C:\WINDOWS\SYSTEM32\ttstv.bak1
C:\WINDOWS\SYSTEM32\eqbcgmdu.dll
C:\WINDOWS\SYSTEM32\uoeoeloc.dll
C:\WINDOWS\SYSTEM32\tsrqr.ini2
C:\WINDOWS\SYSTEM32\tsrqr.bak1
C:\WINDOWS\SYSTEM32\tsrqr.bak2
C:\WINDOWS\SYSTEM32\ikgxtudp.dll
Folders to delete:
C:\WINDOWS\Sm9obg
C:\DOCUME~1\John\Application Data\SearchToolbarCorp
C:\Program Files\InetGet2


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

==

If you go through the files that PhilliePhan posted and upload the files that I did not list for removal to get scanned, you should be able to tell if those files are legit.

http://virusscan.jotti.org/ or to http://www.virustotal.com/en/virustotalf.html
