Cannot delete registry and infected files

[Geraldg]

I've reviewed several of the posts on the forum. I've used the VundoFix program, the SUPERAntiSpyware program and of course the malwarebytes product.

I've run malwarebytes in both Safe and Normal modes. In Safe mode, I've run it at least 7 times now.

I've got the infected files/registry entries down to 9 in Safe mode. Here the latest log:

Malwarebytes' Anti-Malware 1.36

Database version: 1945

Windows 5.1.2600 Service Pack 3

5/24/2009 7:37:06 PM

mbam-log-2009-05-24 (19-37-06).txt

Scan type: Full Scan (C:\|)

Objects scanned: 217689

Time elapsed: 1 hour(s), 19 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\owvvixks (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

-----

No matter what I try, I cannot get these 3 files deleted nor the registry files removed.

The memory module file (zzyxuadt.dll ) does get removed

The result is that the iexplorer process will launch by itself (shortly after a reboot), but you will

NOT see the actual GUI browser window - just the process is running. I kill the process (using

Task Manager), but after a few minutes, it will start again. Eventually, I'll see an IE window

appear indicating I have a virus and then to download the Spydoctor antivirus program.

I saw the sysguard entry in my Startup list (I used msconfig to see it), but I've disabled

it from running. Then, I ran Malwarebytes, etc. I no longer see the sysguard in the

startup list.

So - any suggestions on how to remove these remaining 3 files?

[Geraldg]

Here's my output from HiJackThis (with the iexplorer process running) -

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:45:47 PM, on 5/24/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80

O1 - Hosts: ::1 localhost

O1 - Hosts: 94.232.248.66 antivirprotection.com

O1 - Hosts: 94.232.248.66 www.antivirprotection.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O2 - BHO: (no name) - {92981DEF-AB3F-4851-AD17-8C45EF7E59BE} - c:\windows\system32\gzctcln.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\something.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/11f239b5ee46e5...ip/RdxIE601.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: owvvixks - C:\WINDOWS\SYSTEM32\gzctcln.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O24 - Desktop Component 0: (no name) - http://www.shipofdreams.btinternet.co.uk/j...s6_1024x768.jpg

O24 - Desktop Component 1: (no name) - http://www.shipofdreams.btinternet.co.uk/j...as1_800x600.jpg

--

End of file - 10011 bytes

[nosirrah]

There are 2 problems I can see . The first is that using MBAM from safemode makes it weaker , not stronger and your definitions are more than 200 versions out of date . Please update , scan and remove from regular mode and then report back .

[nosirrah]

Use quick scan as well , vundo takes advantage of long scan times to reinstall new components .

[Geraldg]

OK - Thanks for your quick reply!

I dowloaded the updates. I just ran quick scan. Here are the results:

Malwarebytes' Anti-Malware 1.36

Database version: 2176

Windows 5.1.2600 Service Pack 3

5/24/2009 8:16:02 PM

mbam-log-2009-05-24 (20-16-02).txt

Scan type: Quick Scan

Objects scanned: 94079

Time elapsed: 14 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\owvvixks (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\gbazremn.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\oextoccj.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.

[nosirrah]

Looks like we hit a lot more that time . Please do another quick scan after reboot to see if we killed the core .

If we have you can do a full scan unassisted to get any stray traces , these will already be dead at this point .

[Geraldg]

Looks like we hit a lot more that time . Please do another quick scan after reboot to see if we killed the core .

If we have you can do a full scan unassisted to get any stray traces , these will already be dead at this point .

Well - not sure, I see most of the same after a reboot, and re-scale of malware.

Here's the results -

Malwarebytes' Anti-Malware 1.36

Database version: 2176

Windows 5.1.2600 Service Pack 3

5/24/2009 8:38:03 PM

mbam-log-2009-05-24 (20-38-03).txt

Scan type: Quick Scan

Objects scanned: 93988

Time elapsed: 13 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 9

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\owvvixks (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\drivers\gbazremn.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\oextoccj.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

[nosirrah]

C:\WINDOWS\system32\uacinit.dll

I believe that this component of a larger infection .

I will be back in a minute with more instructions .

[nosirrah]

Download , unzip and run RootRepeal :

http://rootrepeal.googlepages.com/RootRepeal.rar

Select the drivers tab and then scan . Click save report and save this report as drivers.txt to your desktop .

Select the file tab and then scan . Click save report and save this report as files.txt to your desktop .

Post both logs in your next post .

Do not do anything while the scans are taking place , it can compromise the scan results .

[Geraldg]

I believe that this component of a larger infection .

I will be back in a minute with more instructions .

Yep - I read about the perils of C:\WINDOWS\system32\uacinit.dll on another site.

But, after that last quick scan, and reboot, I do NOT see this file any longer

in the C:\WINDOWS\system32\ area!

However, these files are still in the system32 area:

c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.

[nosirrah]

In that case there might be a different issue . Let me get a second set of instructions for you .

[Geraldg]

Also - I noticed that as soon as I launched Windows Explorer (to check the files in the system32 area), iexplorer process started up. I've been killing that process via Task Manager as soon as I see it launch (because, as I mentioned in my

first post, I don't get the IE window appearing).

[Geraldg]

In that case there might be a different issue . Let me get a second set of instructions for you .

OK - do you still want me to run the RootRepeal utility after this malwarebytes scan finishes?

Or - should I wait your alternate instructions?

[Geraldg]

In that case there might be a different issue . Let me get a second set of instructions for you .

Hmmm - so, when malwarebytes was running, I looked in the system32 folder.

It just finished.

I --still-- don't see the uacinit.dllfile.

But - here's the latst log -

Malwarebytes' Anti-Malware 1.36

Database version: 2176

Windows 5.1.2600 Service Pack 3

5/24/2009 8:56:38 PM

mbam-log-2009-05-24 (20-56-38).txt

Scan type: Quick Scan

Objects scanned: 93977

Time elapsed: 13 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 10

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\owvvixks (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\drivers\gbazremn.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\oextoccj.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

[nosirrah]

For now lets try my other idea first .

Please download and run DDS scan :

http://download.bleepingcomputer.com/sUBs/dds.scr

After a short delay there will be two logs generated , we only need one for now .

Select the log called DDS.txt and save it to your desktop as DDS.txt .

Copy and paste the contents of this log into your next post .

As for the other rootkit scan , keep the instructions handy , we may need them if this does not give me the data I need .

[Geraldg]

For now lets try my other idea first .

Please download and run DDS scan :

http://download.bleepingcomputer.com/sUBs/dds.scr

After a short delay there will be two logs generated , we only need one for now .

Select the log called DDS.txt and save it to your desktop as DDS.txt .

Copy and paste the contents of this log into your next post .

As for the other rootkit scan , keep the instructions handy , we may need them if this does not give me the data I need .

OK - strange - I can unZIP the RootRepeal file, but when I extract the executable to C:\Temp or

the desktop, the file will NOT appear. Scary!

Here's the 2 log files from the DDS scan

DDS (Ver_09-05-14.01) - NTFSx86

Run by Gerald at 21:03:19.59 on Sun 05/24/2009

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.344 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Gerald\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = 0.0.0.0:80

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

BHO: : {92981def-ab3f-4851-ad17-8c45ef7e59be} - c:\windows\system32\gzctcln.dll

BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

EB: Encarta &Researcher: {9455301c-cf6b-11d3-a266-00c04f689c50} - c:\program files\common files\microsoft shared\encarta researcher\EROPROJ.DLL

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe

mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb01.exe

mRun: [nwiz] nwiz.exe /install

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\something.exe" /runcleanupscript

dRunOnce: [RunNarrator] Narrator.exe

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {9455301C-CF6B-11D3-A266-00C04F689C50} - {9455301C-CF6B-11D3-A266-00C04F689C50} - c:\program files\common files\microsoft shared\encarta researcher\EROPROJ.DLL

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

Trusted Zone: musicmatch.com\online

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab

DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/11f239b5ee46e54a1f17/netzip/RdxIE601.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - hxxp://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - c:\program files\common files\microsoft shared\encarta researcher\MSERO.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: owvvixks - gzctcln.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gerald\applic~1\mozilla\firefox\profiles\n0qzbxub.default\

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 gbazremn;gbazremn;c:\windows\system32\drivers\gbazremn.sys [2001-10-22 23424]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-23 325896]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-23 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-23 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-23 298776]

R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]

R2 rxdejhum;Wireless-G PCI Adapter Support;c:\windows\system32\svchost.exe -k netsvcs [2001-10-22 14336]

RUnknown izne;izne; [x]

S2 cjvgnzqkqq;cjvgnzqkqq;\??\c:\windows\system32\drivers\shxpk.sys --> c:\windows\system32\drivers\shxpk.sys [?]

S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2004-12-11 14095]

S3 lredbooo;lredbooo;c:\docume~1\gerald\locals~1\temp\lredbooo.sys [2001-8-8 15872]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]

=============== Created Last 30 ================

2009-05-24 20:58 61,440 a------- c:\windows\system32\drivers\sbqlc.sys

2009-05-24 19:43 <DIR> --d----- c:\program files\Trend Micro

2009-05-24 17:35 <DIR> --d----- C:\VundoFix Backups

2009-05-24 15:02 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

2009-05-24 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-05-24 14:58 <DIR> --d----- c:\program files\SUPERAntiSpyware

2009-05-24 14:58 <DIR> --d----- c:\docume~1\gerald\applic~1\SUPERAntiSpyware.com

2009-05-24 14:05 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2009-05-24 13:22 <DIR> --d----- c:\docume~1\gerald\applic~1\Malwarebytes

2009-05-24 13:19 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-05-24 13:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-24 13:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-05-24 13:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-05-24 07:01 <DIR> --d----- c:\docume~1\gerald\applic~1\dwcdwzxf

2009-05-23 08:09 <DIR> --d----- c:\program files\WhatsRunning

2009-05-23 06:53 <DIR> --d----- c:\program files\QUAD Utilities

2009-05-23 06:48 <DIR> --d-h--- C:\$AVG8.VAULT$

2009-05-23 06:39 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-05-23 06:39 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

2009-05-23 06:39 325,896 a------- c:\windows\system32\drivers\avgldx86.sys

2009-05-23 06:38 <DIR> --d----- c:\windows\system32\drivers\Avg

2009-05-23 06:38 <DIR> --d----- c:\docume~1\gerald\applic~1\AVGTOOLBAR

2009-05-23 06:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

2009-05-23 06:27 0 a------- c:\windows\system32\commonpriv.log.lock

2009-05-23 06:26 <DIR> --d----- c:\program files\AVG

2009-05-22 17:08 <DIR> --d----- c:\program files\Symantec

2009-05-21 21:15 73,728 a------- c:\windows\system32\javacpl.cpl

2009-05-21 21:04 <DIR> --dsh--- c:\documents and settings\gerald\PrivacIE

2009-05-21 21:02 <DIR> --dsh--- c:\documents and settings\gerald\IETldCache

2009-05-21 20:54 78,336 a------- c:\windows\system32\ieencode.dll

2009-05-21 20:54 78,336 a------- c:\windows\system32\dllcache\ieencode.dll

2009-05-21 20:51 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll

2009-05-21 19:00 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-04-22 18:11 107,888 a------- c:\windows\system32\CmdLineExt.dll

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll

2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll

2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll

2000-12-05 17:39 453,120 ac------ c:\program files\FileBreaker.exe

1999-08-19 15:28 545,792 ac------ c:\program files\Treesize.exe

1998-08-24 13:09 10,000 ac------ c:\windows\inf\unregpn.exe

2004-12-14 17:35 61 -c-sh--- c:\windows\cnerolf.dat

2008-10-24 11:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102420081025\index.dat

============= FINISH: 21:04:35.07 ===============

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2nd Log File

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 12/11/2004 10:21:13 AM

System Uptime: 5/24/2009 8:40:09 PM (1 hours ago)

Motherboard: Compaq | | 077Ch

Processor: Intel® Pentium® 4 CPU 1.70GHz | XU1 | 1695/400mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 76 GiB total, 12.901 GiB free.

D: is CDROM ()

E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Wireless-G PCI Adapter

Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00141737&REV_03\4&122329E2&0&50F0

Manufacturer: Linksys

Name: Wireless-G PCI Adapter

PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00141737&REV_03\4&122329E2&0&50F0

Service: BCM43XX

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}

Description: Logitech-compatible Mouse PS/2

Device ID: ACPI\PNP0F13\4&163C0F35&0

Manufacturer: Logitech

Name: Logitech-compatible Mouse PS/2

PNP Device ID: ACPI\PNP0F13\4&163C0F35&0

Service: i8042prt

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 9 ActiveX

Adobe Flash Player ActiveX

Adobe Reader 7.0

Agatha Christie - Murder on the Orient Express

AOL Toolbar 5.0

AOL Uninstaller (Choose which Products to Remove)

Apple Mobile Device Support

Apple Software Update

AVG Free 8.5

ClueFinders® 5th Grade Adventures

ClueFinders

[nosirrah]

There are a few odd things in you log and I need to ask about them before we start killing things .

2000-12-05 17:39 453,120 ac------ c:\program files\FileBreaker.exe

1999-08-19 15:28 545,792 ac------ c:\program files\Treesize.exe

I cant find info on these files located at this location , did you place them here yourself ?

S3 lredbooo;lredbooo;c:\docume~1\gerald\locals~1\temp\lredbooo.sys [2001-8-8 15872]

S2 cjvgnzqkqq;cjvgnzqkqq;\??\c:\windows\system32\drivers\shxpk.sys --> c:\windows\system32\drivers\shxpk.sys [?]

2009-05-24 20:58 61,440 a------- c:\windows\system32\drivers\sbqlc.sys

Do you game , have daemon tools installed ?

R2 rxdejhum;Wireless-G PCI Adapter Support;c:\windows\system32\svchost.exe -k netsvcs [2001-10-22 14336]

Do you know what this is ? Services have two names , shown and what is actually in the registry . rxdejhum is random and I cant picture anything legit using it .

[Geraldg]

There are a few odd things in you log and I need to ask about them before we start killing things .

2000-12-05 17:39 453,120 ac------ c:\program files\FileBreaker.exe

1999-08-19 15:28 545,792 ac------ c:\program files\Treesize.exe

I cant find info on these files located at this location , did you place them here yourself ?

Yes - they are basic programs that I loaded (free from the Web). I've used them on

several PCs (for more than 5 years or so) with no issues.

S3 lredbooo;lredbooo;c:\docume~1\gerald\locals~1\temp\lredbooo.sys [2001-8-8 15872]

S2 cjvgnzqkqq;cjvgnzqkqq;\??\c:\windows\system32\drivers\shxpk.sys --> c:\windows\system32\drivers\shxpk.sys [?]

2009-05-24 20:58 61,440 a------- c:\windows\system32\drivers\sbqlc.sys

Do you game , have daemon tools installed ?

As you probably saw in the DDS files, there are several games installed on this PC. Is there something

I should check?

R2 rxdejhum;Wireless-G PCI Adapter Support;c:\windows\system32\svchost.exe -k netsvcs [2001-10-22 14336]

Do you know what this is ? Services have two names , shown and what is actually in the registry . rxdejhum is random and I cant picture anything legit using it .

I have a wireless PCI card installed (to connect to the internet). However, I've disabled

this from the Network settings, since I have recently (last 4 weeks) am using a powerline

box from Linksys for my network connection.

Anything else you need me to check?

[Geraldg]

There are a few odd things in you log and I need to ask about them before we start killing things .

2000-12-05 17:39 453,120 ac------ c:\program files\FileBreaker.exe

1999-08-19 15:28 545,792 ac------ c:\program files\Treesize.exe

I cant find info on these files located at this location , did you place them here yourself ?

S3 lredbooo;lredbooo;c:\docume~1\gerald\locals~1\temp\lredbooo.sys [2001-8-8 15872]

S2 cjvgnzqkqq;cjvgnzqkqq;\??\c:\windows\system32\drivers\shxpk.sys --> c:\windows\system32\drivers\shxpk.sys [?]

2009-05-24 20:58 61,440 a------- c:\windows\system32\drivers\sbqlc.sys

Do you game , have daemon tools installed ?

R2 rxdejhum;Wireless-G PCI Adapter Support;c:\windows\system32\svchost.exe -k netsvcs [2001-10-22 14336]

Do you know what this is ? Services have two names , shown and what is actually in the registry . rxdejhum is random and I cant picture anything legit using it .

Yes - they are basic programs that I loaded (free from the Web). I've used them on

several PCs (for more than 5 years or so) with no issues.

As you probably saw in the DDS files, there are several games installed on this PC. Is there something

I should check?

I have a wireless PCI card installed (to connect to the internet). However, I've disabled

this from the Network settings, since I have recently (last 4 weeks) am using a powerline

box from Linksys for my network connection.

Anything else you need me to check?

[nosirrah]

Yes , there were several other questions I asked , all are critical .

[nosirrah]

I think we cross posted , I see the other answers were added .

I do need to know if you have daemon tools , some of the drivers look that way .

[Geraldg]

I think we cross posted , I see the other answers were added .

I do need to know if you have daemon tools , some of the drivers look that way .

I'm sorry, I don't know what to check for daemon tools? What should I look for?

[nosirrah]

Its an intentional tool , it would not be there otherwise .

That service that looks like networking is not , the random service name gives that away .

I will be back in a minute with more instructions .

[Geraldg]

Its an intentional tool , it would not be there otherwise .

That service that looks like networking is not , the random service name gives that away .

I will be back in a minute with more instructions .

Which service is that? There's a game installed - Company of Hero's - that uses a direct

port connection to download updates. Not sure if that's what you're thinking about.

[nosirrah]

Attached to this post will be a zip that when opened you will have 2 files , avenger.exe and script.txt .

Run avenger (click OK) .

Open script , select edit , select all , edit , copy .

Click on avenger , right click within the white space and select paste .

Check the box for "Automatically disable any rootkits found" and then click execute .

You will be asked Are you sure you want to execute the current script ? Click Yes .

You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now ? Click Yes .

Your system will reboot and then reboot a second time on its own , this is normal .

After the second reboot you should see a log , please post this .

Also run an additional MBAM scan now and post the results .

avenger.zip

avenger.zip