I've been fighting through a fairly nasty infection and I'm left with one resistant creature that resists the best efforts of the normally available tools. Probably most noteworthy is that a Google search on the culprit returns absolutely no results at all... when have you ever heard of that happening? On the off chance that this might be something new, I thought I'd better start a new thread.

At this point my system is pretty well cleaned up. I've run both HJT and Security Task Manager to whittle down running tasks, IE add-ons, and HJT log entries down to next to nothing. A full scan with Ad-aware has run clean and a run of AVG (ewido) gives 4 detected respawning objects: 3 cookies and 1 trojan (C:\System Volume Information\_restore{21D7D692-4662-421F-39B0-877BC3820711}\RP1417\A0100808.vbs). There is, however, clearly something very nasty remaining.

Two symptoms: 1) with my ethernet connection disabled, occasionally a window pops up asking me me if I want to work offline, and 2) Security Task Manager still shows an IE add-on that I can't eliminate.

There were two offending IE add-ons that were identified by STM: wvuussr.dll and rqrst.dll. Both of these are of the type that get loaded early in the bootup cycle and regenerate their registry entries, so they can't just be deleted in the normal ways. I entered Safe Mode, ran HJT and marked both files to be deleted on reboot. rqrst.dll went away, but wvuussr.dll remains. I've tried this with wvuussr two additional times and it just doesn't want to die. (Try Googling wvuussr.dll... nothing found!) At the end of this I'm appending the HJT log after a normal boot. I've also included three attachments: 1) hijackthisSafe.log is an HJT log after reboot in Safe Mode, 2) hijackthisStart is the HJT log given below from just after a normal boot, and 3) is a tidied-up version of the list of window processes exported from Security Task Manager.

If anyone can help with this, I'd be grateful. My last resort is to write an app that stomps on the filename in the filesystem entry. As you might guess, I'm reluctant to do this except as a LAST resort.

Logfile of HijackThis v1.99.1
Scan saved at 3:20:05 PM, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\packages\VerminTools\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
O2 - BHO: (no name) - {6AAC65E6-4DE2-4766-9352-2960C2BC6F54} - C:\WINDOWS\system32\wvuussr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

SmitFraudFix v2.141
Scan done at 9:35:03.69, Fri 02/09/2007
Run from C:\packages\VerminTools\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\svchosts.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\John
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\John\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\John\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Thanks. I did this after your initial post, with no improvement. It did remove a bad svchost file, but this is just a secondary symptom that seems to be correctable with the conventional tools. I'm pretty convinced all the respawnings point back to C:\Windows\SYSTEM32\wvuussr.dll ... and as yet, I still haven't found a way to remove it.

I do not want to get in Crunchie's way here, but try this:

1. Download this file :
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. DoubleClick combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Please submit that for us.

Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall...


-- Rename HijackThis.exe to something else such as HJTscan.exe. Certain baddies such as VUNDOhide from HijackThis.exe. Your symptoms sound like VUNDO - though I doubt the BHO is VUNDO-related because it is showing in the log.
A Combofix log will tell a bit more... . .


And, you've got this piece of adware:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
Probably partially cleaned by one of your antispy apps. I don't see a resident AV. . .. - that would probably have gotten it as well.
You might want to double-check this . . . And certainly delete C:\WINDOWS\Sm9obg

I will butt out now - hate to step on a moderator's toes! :cool:


Best Luck :)
PP

Very handy tool... thanks. I've posted the log below, but I've also added it as an attachment to make reading it easier.

I have a few comments to add: The BHO and Winlogon entries in the HJT log do not appear after every reboot; EVERY time after I clean everything out after a reboot, a companion SYSTEM32 dll file turns up in my Security Task Manager list - I can't make wvuussr.dll go away, but the others can be coerced - if I kill off rqrts.dll, go into safe mode and remove the file, then on the next reboot I get something that replaces rqrts.dll, but with a completely new name, like xxyvv.dll or gdqiosko.dll, etc.. - it seems like the name is generated at random (which would be pretty smart for a trojan trying to stay hidden); also I could not see the directory Sm9obg with Windows Explorer, but I could with Command Prompt (yes, I can see all of the other hidden and system files); and yes, I normally do have AVG running, but I had shut it down to get the bare minimum number of processes running.

And please don't butt out... I'm an old OS internals guy and one thing I learned early on is that no one person has every gem at his fingertips. The more people I ping the smarter I get. I've resisted delving into NT/XP internals, but I probably won't let this go until I understand how a file can be kept from being deleted during boot cycle. (Btw, while I may be Reds fan, I have still enjoyed watching the Phillies play at old Crawsley Field, Riverfront, Wrigley, St. Louis, San Diego, Dodger Stadium, and Candlestick.)

"John" - 07-02-09 19:12:42 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\packages\VerminTools"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\unsvchosts.exe
C:\DOCUME~1\LOCALS~1\Application Data\NetMon
C:\DOCUME~1\NETWOR~1\Application Data\NetMon
C:\WINDOWS\Sm9obg
C:\Program Files\Common Files\{3C6AE~1
C:\Program Files\Common Files\{5C6AE~2
C:\Program Files\Common Files\{5C6AE~1
C:\DOCUME~1\John\Application Data\SearchToolbarCorp
C:\Program Files\InetGet2
C:\Program Files\outlook

((((((((((((((((((((((((((((((( Files Created from 2007-01-09 to 2007-02-09 ))))))))))))))))))))))))))))))))))


2007-02-09 15:33 990,157 ---hs---- C:\WINDOWS\SYSTEM32\vvyxx.bak2
2007-02-09 15:33 118,804 --a------ C:\WINDOWS\SYSTEM32\fgwgrewt.dll
2007-02-09 14:42 277,146 ---hs---- C:\WINDOWS\SYSTEM32\xxyvv.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\ljhef.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\iifgf.dll
2007-02-09 09:10 1,534 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-02-08 22:39 991,069 ---hs---- C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-08 22:39 76,412 --a------ C:\WINDOWS\SYSTEM32\eqbcgmdu.dll
2007-02-08 22:39 118,804 --a------ C:\WINDOWS\SYSTEM32\uoeoeloc.dll
2007-02-08 12:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SecTaskMan
2007-02-08 12:02 <DIR> d-------- C:\Program Files\Security Task Manager2
2007-02-08 12:01 <DIR> d-------- C:\Program Files\Security Task Manager
2007-02-08 02:33 1,006,205 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.ini2
2007-02-08 01:31 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-02-08 01:30 <DIR> d-------- C:\Program Files\Grisoft
2007-02-07 23:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2007-02-07 23:18 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-02-07 23:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2007-02-07 20:14 990,939 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak2
2007-02-06 19:09 974,781 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak1
2007-02-06 19:09 76,412 --a------ C:\WINDOWS\SYSTEM32\ikgxtudp.dll
2007-02-06 18:55 22,686 ---h----- C:\WINDOWS\SYSTEM32\wvuussr.dll
2007-02-05 16:26 417,792 --a------ C:\Program Files\Video.exe
2007-02-05 16:26 417,792 --a------ C:\Program Files\Track_03.exe
2007-02-05 16:26 393,216 --a------ C:\WINDOWS\SYSTEM32\hui.exe
2007-02-05 16:26 393,216 --a------ C:\Program Files\Setup.exe
2007-02-05 16:26 3,464 --a------ C:\WINDOWS\SYSTEM32\dr.exe
2007-02-05 16:26 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-09 19:08 24742 --a------ C:\WINDOWS\SYSTEM32\nvmodes.dat
2007-02-09 15:42 -------- d-------- C:\Program Files\apoint
2007-02-08 13:10 -------- d-------- C:\Program Files\Common Files\adobe
2007-02-08 13:08 -------- d-------- C:\Program Files\microsoft works
2007-02-08 11:06 25214 --a------ C:\Program Files\b.ico
2007-02-08 11:06 25214 --a------ C:\Program Files\a.ico
2007-02-08 11:06 218606 --a------ C:\Program Files\c.zip
2007-02-08 11:06 217706 --a------ C:\Program Files\b.zip
2007-02-08 11:06 201627 --a------ C:\Program Files\a.zip
2007-01-02 19:19 1880 --a------ C:\WINDOWS\autolnch.reg
2006-12-13 18:03 -------- d-------- C:\Program Files\Common Files\symantec shared


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"nwiz"="nwiz.exe /installquiet"
"PRISMSVR.EXE"="\"C:\\WINDOWS\\system32\\PRISMSVR.EXE\" /APPLY"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6AAC65E6-4DE2-4766-9352-2960C2BC6F54}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuussr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20070209-153851-808
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\fgwgrewt.dll",setvm
backup-20070209-102249-104
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
backup-20070209-102249-431
O2 - BHO: (no name) - {6AAC65E6-4DE2-4766-9352-2960C2BC6F54} - C:\WINDOWS\system32\wvuussr.dll
backup-20070209-102203-332
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
backup-20070209-102202-706
O20 - Winlogon Notify: vtstt - C:\WINDOWS\system32\vtstt.dll (file missing)
backup-20070209-102202-133
O2 - BHO: (no name) - {6AAC65E6-4DE2-4766-9352-2960C2BC6F54} - C:\WINDOWS\system32\wvuussr.dll
backup-20070208-232315-355
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\uoeoeloc.dll",setvm
backup-20070208-144709-400
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
backup-20070208-144643-439
O20 - Winlogon Notify: wvuussr - C:\WINDOWS\SYSTEM32\wvuussr.dll
backup-20070208-144643-974
O20 - Winlogon Notify: rqrst - C:\WINDOWS\system32\rqrst.dll
backup-20070208-140056-884
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
backup-20070208-115122-325
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
backup-20070208-114326-334
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
backup-20070208-114326-305
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
backup-20070208-113639-276
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
backup-20070208-105254-635
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\xspflmnq.dll",setvm
backup-20070208-104504-898
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20070208-102341-557
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\iwinmkqa.dll",setvm
backup-20070208-102202-207
backup-20070208-102127-870
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20070208-102044-544
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
backup-20070208-101938-871
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
backup-20070208-101938-793
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
backup-20070208-101938-772
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
backup-20070208-101938-729
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
backup-20070208-101938-818
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
backup-20070208-101938-342
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
backup-20070208-101938-468
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070208-101938-810
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
backup-20070208-101938-806
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
backup-20070208-101938-475
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20070208-101938-543
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
backup-20070208-101938-721
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
backup-20070208-101647-376
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20070208-101647-404
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20070208-101647-981
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
backup-20070208-101647-536
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL (file missing)
backup-20070207-232429-731
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
backup-20070207-232429-813
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
backup-20070207-230404-828
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
backup-20070207-230114-367
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
backup-20070207-230114-197
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
backup-20070207-230006-866
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
backup-20070207-230006-656
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
backup-20070207-225923-548
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
backup-20070207-225923-631
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
backup-20070207-224123-140
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
backup-20070207-223600-298
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
********************************************************************
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-02-09 19:25:27

And please don't butt out... I'm an old OS internals guy and one thing I learned early on is that no one person has every gem at his fingertips. The more people I ping the smarter I get. I've resisted delving into NT/XP internals, but I probably won't let this go until I understand how a file can be kept from being deleted during boot cycle. (Btw, while I may be Reds fan, I have still enjoyed watching the Phillies play at old Crawsley Field, Riverfront, Wrigley, St. Louis, San Diego, Dodger Stadium, and Candlestick.)

I've seen plenty of Reds games in my time - was fortunate enough to see the Big Red Machine in the mid-70s.

I have listened to Marty and Joe since Marty signed on about '74ish..... Sad to see the way they kinda forced old Joe out.


-- Anyhoo, I really don't want to hijack Crunchie's action here. Too many cooks spoil the broth, and all that....

The combofix log shows a number of baddies including, as I suspected, VUNDO. I'm not sure if Atribune's removal tool will get this one - manual removal may be in order - but I would suggest doing the following first:

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt

-- Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot. . . .


**
As I mentioned, there are some other items in the Combofix log that Crunchie will probably want you to have a go at....


Best Luck :)
PP

BTW: I am always happy to talk Baseball. Feel free to look me up at my home Forum ---> Iamnotageek.com

No problem with butting in PhilliePhan :). Feel free. For some reason, that combofix log looks like crap. Can you read that ok?

==

burnsy.

Download the tool below:

http://noahdfear.geekstogo.com/FindAWF.exe

Save the file to your desktop and double click it to start it.

It will scan files on your C: drive and then when finished it will produce a log called awf.txt. Please post that log in your next reply.

No problem with butting in PhilliePhan :). Feel free. For some reason, that combofix log looks like crap. Can you read that ok?

I think it is a formatting issue with the default text editor. When I choose to "reply with quote" (or perhaps even just reply and scroll down), logs are formatted properly in the quotebox and elsewhere in the thread and I just copy them to notepad and look at them that way.....

--- I did not see any of the files typically replaced by AWF but here is the top part of the combofix log. Besides the Vundo, there are a few oddities that bear further scrutiny:

"John" - 07-02-09 19:12:42 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\packages\VerminTools"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\unsvchosts.exe
C:\DOCUME~1\LOCALS~1\Application Data\NetMon
C:\DOCUME~1\NETWOR~1\Application Data\NetMon
C:\WINDOWS\Sm9obg
C:\Program Files\Common Files\{3C6AE~1
C:\Program Files\Common Files\{5C6AE~2
C:\Program Files\Common Files\{5C6AE~1
C:\DOCUME~1\John\Application Data\SearchToolbarCorp
C:\Program Files\InetGet2
C:\Program Files\outlook

((((((((((((((((((((((((((((((( Files Created from 2007-01-09 to 2007-02-09 ))))))))))))))))))))))))))))))))))


2007-02-09 15:33 990,157 ---hs---- C:\WINDOWS\SYSTEM32\vvyxx.bak2
2007-02-09 15:33 118,804 --a------ C:\WINDOWS\SYSTEM32\fgwgrewt.dll
2007-02-09 14:42 277,146 ---hs---- C:\WINDOWS\SYSTEM32\xxyvv.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\ljhef.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\iifgf.dll
2007-02-09 09:10 1,534 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-02-08 22:39 991,069 ---hs---- C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-08 22:39 76,412 --a------ C:\WINDOWS\SYSTEM32\eqbcgmdu.dll
2007-02-08 22:39 118,804 --a------ C:\WINDOWS\SYSTEM32\uoeoeloc.dll
2007-02-08 12:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SecTaskMan
2007-02-08 12:02 <DIR> d-------- C:\Program Files\Security Task Manager2
2007-02-08 12:01 <DIR> d-------- C:\Program Files\Security Task Manager
2007-02-08 02:33 1,006,205 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.ini2
2007-02-08 01:31 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-02-08 01:30 <DIR> d-------- C:\Program Files\Grisoft
2007-02-07 23:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2007-02-07 23:18 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-02-07 23:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2007-02-07 20:14 990,939 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak2
2007-02-06 19:09 974,781 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak1
2007-02-06 19:09 76,412 --a------ C:\WINDOWS\SYSTEM32\ikgxtudp.dll
2007-02-06 18:55 22,686 ---h----- C:\WINDOWS\SYSTEM32\wvuussr.dll
2007-02-05 16:26 417,792 --a------ C:\Program Files\Video.exe
2007-02-05 16:26 417,792 --a------ C:\Program Files\Track_03.exe
2007-02-05 16:26 393,216 --a------ C:\WINDOWS\SYSTEM32\hui.exe
2007-02-05 16:26 393,216 --a------ C:\Program Files\Setup.exe
2007-02-05 16:26 3,464 --a------ C:\WINDOWS\SYSTEM32\dr.exe
2007-02-05 16:26 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-09 19:08 24742 --a------ C:\WINDOWS\SYSTEM32\nvmodes.dat
2007-02-09 15:42 -------- d-------- C:\Program Files\apoint
2007-02-08 13:10 -------- d-------- C:\Program Files\Common Files\adobe
2007-02-08 13:08 -------- d-------- C:\Program Files\microsoft works
2007-02-08 11:06 25214 --a------ C:\Program Files\b.ico
2007-02-08 11:06 25214 --a------ C:\Program Files\a.ico
2007-02-08 11:06 218606 --a------ C:\Program Files\c.zip
2007-02-08 11:06 217706 --a------ C:\Program Files\b.zip
2007-02-08 11:06 201627 --a------ C:\Program Files\a.zip
2007-01-02 19:19 1880 --a------ C:\WINDOWS\autolnch.reg
2006-12-13 18:03 -------- d-------- C:\Program Files\Common Files\symantec shared


Cheers :)
PP

Thanks gentlemen. It was VUNDO.

I ran VundoFix.exe (log below) and it deleted the offending files (and others). On reboot, the files were gone, but Security Task Manager still registered the wvuussr.dll entry. STM removed lingering registry entries. Ad-aware found one additional bad registry entry, but AVG (ewido) ran clean. After another reboot HJT, STM, Ad-aware and AVG ran clean. Subsequently I ran AWF and it also ran clean.

Before I close the thread, I have two remaining questions: 1) what's up with formatting on that last post of mine... after I first posted it and reread it, it appeared normal - but today it showed the inserted tags???; 2) how is it that VundoFix could delete the file and HJT couldn't?

Thanks again everyone for all the help.


VundoFix V6.3.6
Checking Java version...
Scan started at 2:29:43 PM 2/10/2007
Listing files found while scanning....
C:\WINDOWS\SYSTEM32\coleoeou.ini
C:\WINDOWS\SYSTEM32\fgwgrewt.dll
C:\WINDOWS\system32\gdqjosko.dll
C:\WINDOWS\SYSTEM32\twergwgf.ini
C:\WINDOWS\SYSTEM32\uoeoeloc.dll
C:\WINDOWS\SYSTEM32\wvuussr.dll
C:\WINDOWS\system32\xxyvv.dll
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\coleoeou.ini
C:\WINDOWS\SYSTEM32\coleoeou.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\fgwgrewt.dll
C:\WINDOWS\SYSTEM32\fgwgrewt.dll Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\twergwgf.ini
C:\WINDOWS\SYSTEM32\twergwgf.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\uoeoeloc.dll
C:\WINDOWS\SYSTEM32\uoeoeloc.dll Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\wvuussr.dll
C:\WINDOWS\SYSTEM32\wvuussr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyvv.dll
C:\WINDOWS\system32\xxyvv.dll Has been deleted!
Performing Repairs to the registry.
Done!

Hang in there for Crunchie to post back - Your combofix log showed a number of additional baddies not related to Vundo.

-- Vundo is tricky in that it has all sorts of backups and protections that reinstall it. Vundo has been around for a long time and there are many different versions/variations on it.
Unscrupulous affiliates use it to extort people into buying their crappy Anti-spy apps.
One popular one was WinFixer. Often, you'll hear of Vundo referred to as WinFixer because of this....


Anyhoo, as I mentioned, there are still a few baddies yet to be dealt with.
I am going to step out and let Crunchie continue here. Doesn't seem right to have two volunteers working one thread when so many more go unanswered.....


-- In addition, I do not see reference of these being removed:
C:\WINDOWS\SYSTEM32\tsrqr.ini2
C:\WINDOWS\SYSTEM32\tsrqr.bak2
C:\WINDOWS\SYSTEM32\tsrqr.bak1
+ a few others (I listed them below)

I have seen a ton of Vundo over the last few years and these follow the pattern (ini & bak extensions)
This is why I was not sure if Atribune's removal tool would get it all.

Anyhoo, I'm sure crunchie will get you sorted out!

Cheers :)
PP

Here - I'll list all the ones that jump out at me - Some are definitely Vundo or other Malware and a few are "iffy," meaning that I do not know what they are....

2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\ljhef.dll
2007-02-09 14:42 277,146 --------- C:\WINDOWS\SYSTEM32\iifgf.dll
2007-02-09 09:10 1,534 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-02-08 22:39 991,069 ---hs---- C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-08 22:39 76,412 --a------ C:\WINDOWS\SYSTEM32\eqbcgmdu.dll
2007-02-08 02:33 1,006,205 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.ini2
2007-02-07 20:14 990,939 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak2
2007-02-06 19:09 974,781 ---hs---- C:\WINDOWS\SYSTEM32\tsrqr.bak1
2007-02-06 19:09 76,412 --a------ C:\WINDOWS\SYSTEM32\ikgxtudp.dll
2007-02-05 16:26 417,792 --a------ C:\Program Files\Video.exe
2007-02-05 16:26 417,792 --a------ C:\Program Files\Track_03.exe
2007-02-05 16:26 393,216 --a------ C:\WINDOWS\SYSTEM32\hui.exe
2007-02-05 16:26 393,216 --a------ C:\Program Files\Setup.exe
2007-02-05 16:26 3,464 --a------ C:\WINDOWS\SYSTEM32\dr.exe
2007-02-09 19:08 24742 --a------ C:\WINDOWS\SYSTEM32\nvmodes.dat
2007-02-08 11:06 25214 --a------ C:\Program Files\b.ico
2007-02-08 11:06 25214 --a------ C:\Program Files\a.ico
2007-02-08 11:06 218606 --a------ C:\Program Files\c.zip
2007-02-08 11:06 217706 --a------ C:\Program Files\b.zip
2007-02-08 11:06 201627 --a------ C:\Program Files\a.zip
2007-01-02 19:19 1880 --a------ C:\WINDOWS\autolnch.reg

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text (including the 'Files to delete') contained in the code box below to your clipboard by highlighting it and pressing Ctrl+C:

Files to delete:
C:\WINDOWS\system32\unsvchosts.exe
C:\WINDOWS\SYSTEM32\iifgf.dll
C:\WINDOWS\SYSTEM32\ttstv.bak1
C:\WINDOWS\SYSTEM32\eqbcgmdu.dll
C:\WINDOWS\SYSTEM32\uoeoeloc.dll
C:\WINDOWS\SYSTEM32\tsrqr.ini2
C:\WINDOWS\SYSTEM32\tsrqr.bak1
C:\WINDOWS\SYSTEM32\tsrqr.bak2
C:\WINDOWS\SYSTEM32\ikgxtudp.dll
Folders to delete:
C:\WINDOWS\Sm9obg
C:\DOCUME~1\John\Application Data\SearchToolbarCorp
C:\Program Files\InetGet2


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

==

If you go through the files that PhilliePhan posted and upload the files that I did not list for removal to get scanned, you should be able to tell if those files are legit.

http://virusscan.jotti.org/ or to http://www.virustotal.com/en/virustotalf.html