06-04-2009, 08:45 PM   #1
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Malware Help Please

Hello,

I am having major trouble with a Dell Latitude notebook running Windows XP Home Edition. It has been infected with malware; some specific ones that I have observed popping up are Vista Antivirus 2008 and Malware Doctor. These issues have prevented me from running any virus scans and from downloading and installing new antivirus, anti-malware, and anti-spyware programs. I attempted to follow your pre-support steps to prepare my computer for support. I have backed up the My Documents folder in Windows and I ran DDS, but the virus prevented me from running GMER. Also, I cannot access your website, so I saved the logs I was able to get to a flash drive in order to post them. My DDS report would not fit into the message because it made the thread way too long, so I had to attach it instead. I hope you can help; I appreciate it.
Attached Files
File Type: txt Attach.txt (8.5 KB, 5 views)
File Type: txt DDS.txt (623.2 KB, 15 views)
ramentler is offline  

06-06-2009, 10:27 PM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

Hello -

It's no wonder you could not post the DDS log. There are over 7000 malware lines in the log.

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we attempt to clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

Were it me, I would format and start over.

Let me know.

I see you tried to run ComboFix. What happened when you did so? Did it produce a log, or give you an error message? If an error message, what did it say?


A Reminder....

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help'
Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
06-07-2009, 10:18 AM   #3
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Re: Malware Help Please

Hello,

Thanks for your response. When I tried to do the ComboFix scan, the computer sat for about an hour with no results so I quit the scan. I could try it again if you would like.

Thanks again,

Rocco
ramentler is offline  
06-07-2009, 10:28 AM   #4
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

Hi -

Ok, thanks for the info.

As already mentioned, the best course of action for this machine would be to format and start over. If it were mine, that's what I'd do. If that's not really an option, we can try to clean it, but I'm uncertain as to the outcome.

Please do nothing, other than what I ask.

First, I require more information:

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    c:\windows\system32\reader_s.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:

    • C:\WINDOWS\Explorer.EXE
tetonbob is offline  
06-07-2009, 01:45 PM   #5
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Re: Malware Help Please

Hi,

I am not able to access IE on the infected computer due to an error message:

Runtime Error 216 at 02AA39CE

I am assuming this is due to one of the infections. As far as formatting and starting from scratch, I am working on the computer for a friend of mine and I am not 100% sure that this is an option. If that is the route that I go, I have never done it before, but what do I need in order to do it?
ramentler is offline  
06-07-2009, 01:58 PM   #6
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

You would need either a set of Recovery Disks from Dell (not just a drivers disk, but an OS reinstall disk), or an Operating System Reinstallation CD, or an onboard recovery partition (looking at the attach.txt, this is not apparent), or a retail Windows XP installation CD with its key.

http://support.dell.com/support/topi...8&docid=339949

http://www.windowsreinstall.com/winx...tallguides.htm


I would be careful about using USB to transfer data back and forth, since I'm suspecting a file infector virus. It may well transfer to another machine via USB. There's no proof of that yet, which is one reason I was trying to scan a couple files.

Let's try to run gmer again.


Let's see if we can get a GMER log.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
@echo off
copy /y gmer.exe omer.exe
start omer
Save this as run.bat (choose "Save as type - All Files") in the same folder as gmer.exe.
Double click on run.bat & allow it to run

Then, use these settings to produce a log.
  • If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan:

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



Also....

Can the infected machine boot into Safe Mode?
tetonbob is offline  
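Posts #4 and #6 ask for c:\windows\system32\reader_s.exe and C:\WINDOWS\Explorer.EXE to be submitted to VirusTotal because a file infector is suspected: an infector that patches Explorer.EXE typically appends its own code as a new section and redirects the PE entry point there. The script below is an added example (not code from the thread or from TSF) showing the local checks a responder can run before, or alongside, the VirusTotal upload: it hashes the file with SHA-256 (VirusTotal can be searched by hash) and parses the PE headers to report entry-point anomalies. The helper names (`parse_pe`, `infector_indicators`, `build_pe`) and the two in-memory PE images are constructed for the demonstration; they are header-only images, not real binaries.

```python
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections) from a PE image using only the standard headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name, "vaddr": vaddr, "size": max(vsize, rawsize), "chars": chars})
    return entry_rva, sections


def infector_indicators(data):
    """Heuristics that suggest appended code: each hit means 'look closer', not 'infected'.
    Packers such as UPX also move the entry point into their own section, so confirm
    against a hash of a clean copy (e.g. from the OS reinstall CD) before acting."""
    entry_rva, sections = parse_pe(data)
    ep = next((s for s in sections if s["vaddr"] <= entry_rva < s["vaddr"] + s["size"]), None)
    if ep is None:
        return ["entry point lies outside every section"]
    found = []
    first_exec = next((s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE), None)
    if ep is not first_exec:
        found.append(f"entry point in {ep['name']} rather than the first executable section")
    if ep["chars"] & IMAGE_SCN_MEM_WRITE:
        found.append(f"entry-point section {ep['name']} is writable")
    if len(sections) > 1 and ep is sections[-1]:
        found.append(f"entry point in last section {ep['name']} (typical of appended code)")
    return found


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image (headers only) for the demo; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b""
    for name, vaddr, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0x400, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# A healthy layout: entry point inside .text, which is read/execute only.
CLEAN = build_pe([(b".text", 0x1000, 0x1000, 0x60000020),
                  (b".data", 0x2000, 0x1000, 0xC0000040)], 0x1100)
# The appended-section pattern: a new RWX section at the end, entry point moved into it.
INFECTED = build_pe([(b".text", 0x1000, 0x1000, 0x60000020),
                     (b".data", 0x2000, 0x1000, 0xC0000040),
                     (b".xyz", 0x3000, 0x800, 0xE0000020)], 0x3010)


def report(label, data):
    """Print the SHA-256 (for a VirusTotal hash lookup) and any indicators found."""
    digest = hashlib.sha256(data).hexdigest()
    hits = infector_indicators(data)
    print(f"{label}: sha256={digest}")
    for hit in hits or ["no entry-point anomalies"]:
        print("   -", hit)
    return digest, hits


if __name__ == "__main__":
    report("clean sample", CLEAN)
    report("infected sample", INFECTED)
    # On the real machine: report("Explorer.EXE", open(r"C:\WINDOWS\Explorer.EXE", "rb").read())
```

Run it on the real Explorer.EXE by reading the file from disk; if the hash differs from a copy of the same Windows build taken from the reinstall CD, or any indicator fires, the file should be treated as suspect regardless of what a signature scanner says.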
06-07-2009, 08:29 PM   #7
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Re: Malware Help Please

Hi,

Yes the infected machine can boot into safe mode. I have booted into safe mode before to try to do a Malwarebytes scan, but had no luck with that. I was able to do the Gmer scan and the results are attached.

Thanks again,

Rocco
Attached Files
File Type: txt Gmer.txt (17.8 KB, 8 views)
ramentler is offline  
06-07-2009, 09:40 PM   #8
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

Yuck....this machine is a mess.

Delete any existing version of ComboFix you have. Does the machine have internet access? Even if the browser doesn't function well, can you open cmd.exe (Start > Run > type cmd and press Enter) and ping google.com, for example? At the command prompt, type

ping www.google.com

Press Enter

what are the results?
tetonbob is offline  
06-08-2009, 11:49 AM   #9
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Re: Malware Help Please

The infected machine does have internet access, and I am able to ping websites such as google.com with an average of 56 ms.

I am waiting to hear back from my friend to see if he has the proper software to go forth with formatting.
ramentler is offline  
06-08-2009, 12:05 PM   #10
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

OK....if you like, we can try to clean some of the mess. Even if you decide to format, it may make any data salvage operation, prior to a format, easier.

As mentioned, please delete any existing version of Combofix you might have, and then use the following procedures....


Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download Combofix from any of the links below. You must rename it before saving it. Even though the image says Combo-Fix, please save it as comfxx.exe

    Save it to your desktop.

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place comfxx.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


  3. Go to -> Run -> paste in the following single line command & click OK

    "%userprofile%\desktop\comfxx.exe" /killall



  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.


    ---------------------------------------------------------------------------------------------
tetonbob is offline  
06-08-2009, 09:29 PM   #11
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Re: Malware Help Please

Hey,

I was not able to install the recovery console through ComboFix, but I ran it anyway and the log is attached.

The background on the desktop is now back, malware doctor no longer pops up, and the screensaver no longer has bugs eating away at the screen so we must be getting somewhere.

I spoke with my buddy and he did not have the recovery disks for the system, all he had was the OS re-installation CD. He told me that he will continue looking for them.

Thanks again,

Rocco


ComboFix 09-06-07.07 - Customer 06/08/2009 15:23.1 - NTFSx86
Running from: c:\documents and settings\Customer\desktop\comfxx.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\buvppwg.exe
c:\docume~1\Customer\LOCALS~1\Temp\lsass.exe
c:\docume~1\Customer\LOCALS~1\Temp\services.exe
c:\docume~1\Customer\LOCALS~1\Temp\svchost.exe
c:\docume~1\Customer\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Customer\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe
c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys
c:\documents and settings\All Users\Application Data\svhost.exe
c:\documents and settings\Customer\Application Data\AXPFixer
c:\documents and settings\Customer\Application Data\Seekmo
c:\documents and settings\Customer\Application Data\Seekmo\v3.0\Seekmo\dynamic\1.sdf

<snip>

c:\documents and settings\Customer\Application Data\Seekmo\v3.0\Seekmo\static\DownLoad\tsd_bg.xip
c:\documents and settings\Customer\Application Data\unobi.dll
c:\documents and settings\Customer\reader_s.exe
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
C:\fbnp.exe
c:\program files\Internet Explorer\setupapi.dll
c:\program files\VAV
c:\program files\VAV\vav.cpl
c:\program files\VAV\vav0.dat
c:\program files\VAV\vav1.dat
c:\windows\ld08.exe
c:\windows\reged.exe
c:\windows\sonce122715.dat
c:\windows\sonce122739.dat
c:\windows\spoolsystem.exe
c:\windows\st_1244048761.exe
c:\windows\st_1244065911.exe
c:\windows\st_1244067196.exe
c:\windows\st_1244099648.exe
c:\windows\st_1244118565.exe
c:\windows\st_1244421221.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\__c0081B2.dat
c:\windows\system32\__c00B1E53.dat
c:\windows\system32\aaamymdl.dll
c:\windows\system32\abhxvbdd.dll
c:\windows\system32\abiypwei.dll
c:\windows\system32\acxyyuyd.dll
c:\windows\system32\aeefjmdb.dll
c:\windows\system32\afqfnd.dll
c:\windows\system32\afvxykqp.dll
c:\windows\system32\agniajaj.dll
c:\windows\system32\aivkgnic.dll
c:\windows\system32\ajwvjq.dll
c:\windows\system32\ajxvinoc.dll
c:\windows\system32\albbsnix.dll
c:\windows\system32\amsmbp.dll
c:\windows\system32\anrqfa.dll
c:\windows\system32\apcfnl.dll
c:\windows\system32\apqtaujx.dll
c:\windows\system32\aqcaiaey.ini
c:\windows\system32\aqkvbg.dll
c:\windows\system32\araavv.dll
c:\windows\system32\asgggfkj.ini
c:\windows\system32\ati3d2a.dll
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avyobs.dll
c:\windows\system32\awgqch.dll
c:\windows\system32\beeagciu.dll
c:\windows\system32\bejbri.dll
c:\windows\system32\bhlqrhji.ini
c:\windows\system32\bicvmlvd.dll
c:\windows\system32\bkyalt.dll
c:\windows\system32\blackster.scr
c:\windows\system32\bpeiqfpm.dll
c:\windows\system32\bpormbhj.dll
c:\windows\system32\bquqfchw.dll
c:\windows\system32\brfseqyr.dll
c:\windows\system32\btjqxq.dll
c:\windows\system32\butdwz.dll
c:\windows\system32\bvxtmvbg.ini
c:\windows\system32\b***qype.dll
c:\windows\system32\bwxyyebc.ini
c:\windows\system32\byxrhyiw.dll
c:\windows\system32\cbeyyxwb.dll
c:\windows\system32\cbnviw.dll
c:\windows\system32\ccddrnmi.ini
c:\windows\system32\ccfbuw.dll
c:\windows\system32\cfxgykek.dll
c:\windows\system32\cgmurz.dll
c:\windows\system32\cihcefls.ini
c:\windows\system32\cingkvia.ini
c:\windows\system32\cmechtgt.ini
c:\windows\system32\creozw.dll
c:\windows\system32\csqhhnlo.ini
c:\windows\system32\csuooqxk.ini
c:\windows\system32\ctcwqdkc.dll
c:\windows\system32\ctfmona.exe
c:\windows\system32\cywphxwx.dll
c:\windows\system32\daxdvdqe.ini
c:\windows\system32\dazztx.dll
c:\windows\system32\dbmnqqae.dll
c:\windows\system32\dcqviblh.ini
c:\windows\system32\ddrrfdur.ini
c:\windows\system32\dedpsv.dll
c:\windows\system32\djgept.dll
c:\windows\system32\djvwdp.dll
c:\windows\system32\dlbjoaxk.dll
c:\windows\system32\dlmamubh.ini
c:\windows\system32\dofftimw.dll
c:\windows\system32\dpeqichp.dll
c:\windows\system32\dplggr.dll
c:\windows\system32\dqpkig.dll
c:\windows\system32\drivers\fmexwghg.sys
c:\windows\system32\Drivers\pwE86.sys
c:\windows\system32\drivers\qxbyzkcf.sys
c:\windows\system32\drivers\TDSSmxst.sys
c:\windows\system32\dvhgxfrt.ini
c:\windows\system32\dvxpaflp.dll
c:\windows\system32\ebcdxkik.ini
c:\windows\system32\ebigspcr.ini
c:\windows\system32\edvjkjki.exe
c:\windows\system32\efgoeckb.ini
c:\windows\system32\egqppket.dll
c:\windows\system32\ekrudxvo.dll
c:\windows\system32\elealcbt.ini
c:\windows\system32\eljblw.dll
c:\windows\system32\emvymkhw.dll
c:\windows\system32\emxkap.dll
c:\windows\system32\eqddofwr.dll
c:\windows\system32\eqomxach.dll
c:\windows\system32\eqwxwp.dll
c:\windows\system32\eshjow.dll
c:\windows\system32\esjuqsjb.dll
c:\windows\system32\eunbhmoq.ini
c:\windows\system32\exfjbyjm.ini
c:\windows\system32\exnmodbe.dll
c:\windows\system32\eyxkbqon.dll
c:\windows\system32\ezrcju.dll
c:\windows\system32\fdnucjbc.ini
c:\windows\system32\feudnjih.ini
c:\windows\system32\fgucpbvc.dll
c:\windows\system32\fikUwyay.ini
c:\windows\system32\fikUwyay.ini2
c:\windows\system32\fklame32.dll
c:\windows\system32\flbdwrqi.ini
c:\windows\system32\fliwbo.dll
c:\windows\system32\fmqeuoar.ini
c:\windows\system32\fpxcfkpw.dll
c:\windows\system32\fqsjluaq.ini
c:\windows\system32\ftfuaf.dll
c:\windows\system32\ftkrmr.dll
c:\windows\system32\fubrlqav.dll
c:\windows\system32\gauoghou.exe
c:\windows\system32\gbdxws.dll
c:\windows\system32\gbojoblm.dll
c:\windows\system32\gcubeeau.ini
c:\windows\system32\gcuwhpol.ini
c:\windows\system32\gdqyympd.dll
c:\windows\system32\gellgz.dll
c:\windows\system32\gijbas.dll
c:\windows\system32\gjbcckjj.ini
c:\windows\system32\gjubmorf.ini
c:\windows\system32\glargy.dll
c:\windows\system32\glssvfki.dll
c:\windows\system32\gmufmyod.ini
c:\windows\system32\gmvtuv.dll
c:\windows\system32\gnpjzf.dll
c:\windows\system32\gsmhskim.ini
c:\windows\system32\gtsaovkv.dll
c:\windows\system32\gxntif.dll
c:\windows\system32\gxuynyxj.dll
c:\windows\system32\gyewoi.dll
c:\windows\system32\gynnopey.dll
c:\windows\system32\hbbfakkm.ini
c:\windows\system32\hcpnzh.dll
c:\windows\system32\hcvueb.dll
c:\windows\system32\hduyod.dll
c:\windows\system32\hemgkfan.dll
c:\windows\system32\hgdokb.dll
c:\windows\system32\hgdpkcfw.ini
c:\windows\system32\hijnduef.dll
c:\windows\system32\hirnah.dll
c:\windows\system32\hjhxbcvh.ini
c:\windows\system32\hlpaxs.dll
c:\windows\system32\hmvrxjqv.dll
c:\windows\system32\hoggmaad.dll
c:\windows\system32\hqmipxhl.ini
c:\windows\system32\hrjlsq.dll
c:\windows\system32\hrysuc.dll
c:\windows\system32\hsef73uhef.dll
c:\windows\system32\hsekdo.dll
c:\windows\system32\hsfwoajg.dll
c:\windows\system32\hssbesfp.ini
c:\windows\system32\htcbwf.dll
c:\windows\system32\hxspsdxp.dll
c:\windows\system32\hyfgvrrg.dll
c:\windows\system32\iajekscs.ini
c:\windows\system32\iaxtribc.ini
c:\windows\system32\ibiuze.dll
c:\windows\system32\ibmnrapw.dll
c:\windows\system32\icfvrxwt.dll
c:\windows\system32\iewpyiba.ini
c:\windows\system32\iibsjpdd.dll
c:\windows\system32\iiuzhg.dll
c:\windows\system32\ikqadrrn.ini
c:\windows\system32\iktcoxun.ini
c:\windows\system32\ikxbcpsw.ini
c:\windows\system32\ilregicg.dll
c:\windows\system32\iltasjyv.ini
c:\windows\system32\ingtbm.dll
c:\windows\system32\inskbfow.dll
c:\windows\system32\inygcf.dll
c:\windows\system32\ipsvovuh.dll
c:\windows\system32\ipvvldua.ini
c:\windows\system32\isqqtalc.dll
c:\windows\system32\isxrjs.dll
c:\windows\system32\ituddsrl.dll
c:\windows\system32\iuqeqejv.dll
c:\windows\system32\iyothust.ini
c:\windows\system32\jajainga.ini
c:\windows\system32\jaywfplb.dll
c:\windows\system32\jbwbma.dll
c:\windows\system32\jcgfpx.dll
c:\windows\system32\jcnkvixt.ini
c:\windows\system32\jcskfnml.dll
c:\windows\system32\jflujpvx.dll
c:\windows\system32\jhacaqte.dll
c:\windows\system32\jhkuhu.dll
c:\windows\system32\jihihb.dll
c:\windows\system32\jiknalrs.dll
c:\windows\system32\jjacvp.dll
c:\windows\system32\jkrhrodq.dll
c:\windows\system32\jlfkosxc.dll
c:\windows\system32\jlxdljta.ini
c:\windows\system32\jotoxtqx.dll
c:\windows\system32\jpkhcwqw.ini
c:\windows\system32\jrjttxov.dll
c:\windows\system32\jsne87fidgf.dll
c:\windows\system32\jxnlvike.dll
c:\windows\system32\kewycqjw.dll
c:\windows\system32\kgiiqclw.ini
c:\windows\system32\khkvfduk.ini
c:\windows\system32\khwgttfn.ini
c:\windows\system32\kjvazq.dll
c:\windows\system32\ktysygnq.ini
c:\windows\system32\ktzxch.dll
c:\windows\system32\kubeoqhf.ini
c:\windows\system32\kudfvkhk.dll
c:\windows\system32\kuwljs.dll
c:\windows\system32\kvqddjmn.dll
c:\windows\system32\kwgxvmuq.ini
c:\windows\system32\kwrbydrg.ini
c:\windows\system32\kwvwtcoc.exe
c:\windows\system32\kycmisuu.ini
c:\windows\system32\lafchhes.ini
c:\windows\system32\lamooesw.ini
c:\windows\system32\leishfxr.ini
c:\windows\system32\leqmbqnv.dll
c:\windows\system32\lfpeytuo.dll
c:\windows\system32\lgdsnarl.ini
c:\windows\system32\lhfddh.dll
c:\windows\system32\lhuxlhjt.dll
c:\windows\system32\liqibxkp.dll
c:\windows\system32\llsyov.dll
c:\windows\system32\lmlgsbov.dll
c:\windows\system32\lmnfkscj.ini
c:\windows\system32\lncqemoy.dll
c:\windows\system32\lpeoaxfm.ini
c:\windows\system32\lqpwmpbq.dll
c:\windows\system32\lransdgl.dll
c:\windows\system32\ltayokau.dll
c:\windows\system32\lubcauvu.ini
c:\windows\system32\luqkde.dll
c:\windows\system32\luujskas.dll
c:\windows\system32\lvgspoka.ini
c:\windows\system32\lwvuwxhq.ini
c:\windows\system32\lyhgomhw.ini
c:\windows\system32\mamyklyr.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mfalcybd.ini
c:\windows\system32\mfbcsb.dll
c:\windows\system32\mfmaag.dll
c:\windows\system32\mgbhgctj.dll
c:\windows\system32\mhosvjcw.ini
c:\windows\system32\mjybjfxe.dll
c:\windows\system32\mknvfrwm.dll
c:\windows\system32\mkrjjyok.ini
c:\windows\system32\mlxtaehw.exe
c:\windows\system32\mngrhvsw.dll
c:\windows\system32\mpYxayxx.ini
c:\windows\system32\mpYxayxx.ini2
c:\windows\system32\mqaoeugw.ini
c:\windows\system32\mrmrikee.dll
c:\windows\system32\mrysmq.dll
c:\windows\system32\mssrv32.exe
c:\windows\system32\mvpvhmwb.dll
c:\windows\system32\mvsfxy.dll
c:\windows\system32\mwdffcgb.exe
c:\windows\system32\mwrfvnkm.ini
c:\windows\system32\mxecmmgk.dll
c:\windows\system32\mzkupl.dll
c:\windows\system32\mzrlux.dll
c:\windows\system32\ndlrkmsq.dll
c:\windows\system32\nfgfkpbm.dll
c:\windows\system32\nfjtddwb.ini
c:\windows\system32\ngjxrvah.ini
c:\windows\system32\nkarlviy.dll
c:\windows\system32\nlaoqtxk.ini
c:\windows\system32\nmseksdl.dll
c:\windows\system32\ntaljcfd.ini
c:\windows\system32\nupdyjge.dll
c:\windows\system32\nvoetesp.ini
c:\windows\system32\nwgkhi.dll
c:\windows\system32\nwlpwtkf.dll
c:\windows\system32\nyponatk.dll
c:\windows\system32\octedj.dll
c:\windows\system32\olvbuqaj.ini
c:\windows\system32\omdisc.dll
c:\windows\system32\omtkuxok.ini
c:\windows\system32\omyvwa.dll
c:\windows\system32\onjfxrgh.ini
c:\windows\system32\onlhnf.dll
c:\windows\system32\onubqqoc.ini
c:\windows\system32\onwmvalk.ini
c:\windows\system32\oolawmih.dll
c:\windows\system32\oolslojg.ini
c:\windows\system32\oqybgwxt.ini
c:\windows\system32\orndrx.dll
c:\windows\system32\orysmnhx.dll
c:\windows\system32\osdxyivu.exe
c:\windows\system32\otfchd.dll
c:\windows\system32\oukyoflq.dll
c:\windows\system32\ovbappbq.ini
c:\windows\system32\ovomyxhl.ini
c:\windows\system32\owiyacnl.dll
c:\windows\system32\owvrsetd.dll
c:\windows\system32\oxcnbnlg.dll
c:\windows\system32\oxdcewjk.dll
c:\windows\system32\oyavgmuf.exe
c:\windows\system32\pawkjj.dll
c:\windows\system32\pbfygcic.ini
c:\windows\system32\pcagoakv.ini
c:\windows\system32\peagwrnq.ini
c:\windows\system32\phvlgk.dll
c:\windows\system32\pkxbiqil.ini
c:\windows\system32\prbnnngo.ini
c:\windows\system32\pwppxi.dll
c:\windows\system32\pwvgsswx.dll
c:\windows\system32\pybderyh.ini
c:\windows\system32\pysukics.dll
c:\windows\system32\pzntok.dll
c:\windows\system32\qasgrhdg.dll
c:\windows\system32\qbueuajg.ini
c:\windows\system32\qfjqro.dll
c:\windows\system32\qgcbjhtb.ini
c:\windows\system32\qhhoofru.dll
c:\windows\system32\qjrqsvwt.dll
c:\windows\system32\qkeirxuj.dll
c:\windows\system32\qmlgycpi.ini
c:\windows\system32\qoputrsw.ini
c:\windows\system32\qpcndihl.dll
c:\windows\system32\qpuwryqf.ini
c:\windows\system32\qqonpmrh.ini
c:\windows\system32\qqrnze.dll
c:\windows\system32\qucbmd.dll
c:\windows\system32\qumvxgwk.dll
c:\windows\system32\qwqftufk.dll
c:\windows\system32\qyloamnn.ini
c:\windows\system32\qyywgp.dll
c:\windows\system32\ravgderb.ini
c:\windows\system32\rbcjru.dll
c:\windows\system32\rdgzpm.dll
c:\windows\system32\reader_s.exe
c:\windows\system32\rgejqpky.dll
c:\windows\system32\riaxjrkk.ini
c:\windows\system32\rifvgaio.ini
c:\windows\system32\riqivt.dll
c:\windows\system32\rjbazn.dll
c:\windows\system32\rkkwro.dll
c:\windows\system32\rkmgtb.dll
c:\windows\system32\rlqospgt.ini
c:\windows\system32\robcxy.dll
c:\windows\system32\rpebmb.dll
c:\windows\system32\rqnohvpf.dll
c:\windows\system32\rvpqle.dll
c:\windows\system32\rxedtovt.dll
c:\windows\system32\ryslawvv.dll
c:\windows\system32\sayewbac.dll
c:\windows\system32\sedhpbwh.dll
c:\windows\system32\sft.res
c:\windows\system32\shbnsmej.ini
c:\windows\system32\siadtsaa.dll
c:\windows\system32\sloxcr.dll
c:\windows\system32\stbazx.dll
c:\windows\system32\svfrunjm.dll
c:\windows\system32\syjyypyw.dll
c:\windows\system32\syllrewg.dll
c:\windows\system32\SYSDLL.exe
c:\windows\system32\sysloc
c:\windows\system32\sysloc\sysloc.dll
c:\windows\system32\szgghn.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoexh.dll
c:\windows\system32\TDSSoitu.dll
c:\windows\system32\TDSSosvd.dll
c:\windows\system32\drivers\b29cf5d8.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_avast!antivirus
-------\Legacy_FMEXWGHG
-------\Legacy_MSUPDATE
-------\Legacy_PWE86
-------\Service_avast!antivirus
-------\Service_b29cf5d8
-------\Service_fmexwghg
-------\Service_msupdate
-------\Service_pwE86


((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-08 22:37 . 2009-06-08 22:37 372 --sha-w- c:\windows\system32\lRstDJlm.ini2
2009-06-08 22:36 . 2009-06-08 22:36 304128 ----a-w- c:\windows\system32\mlJDtsRl.dll
2009-06-05 02:49 . 2009-06-08 22:39 99422 ----a-w- c:\windows\system32\drivers\37ced551.sys
2009-06-04 01:18 . 2009-06-04 01:48 -------- d-s---w- C:\123
2009-06-03 17:20 . 2009-06-05 02:48 29184 ----a-w- c:\windows\system32\jbnmcd.dll
2009-06-03 17:04 . 2009-06-05 02:48 124416 ----a-w- c:\windows\system32\avast!AVSControlService.exe
2009-06-03 17:04 . 2009-06-08 20:18 29184 ----a-w- c:\windows\system32\jbnmck.dll
2009-06-03 01:05 . 2009-06-03 01:05 27648 ----a-w- C:\undlh.exe
2009-06-03 00:48 . 2009-06-08 22:39 112204 ----a-w- c:\windows\system32\drivers\b29cf5d8.sys
2009-06-03 00:48 . 2009-06-03 00:48 27648 ----a-w- C:\isjtcmum.exe
2009-06-02 18:51 . 2009-06-02 18:51 36352 ----a-w- c:\documents and settings\All Users\proto.dll
2009-06-01 18:42 . 2006-04-06 00:38 110592 ----a-w- c:\documents and settings\Customer\Application Data\U3\temp\cleanup.exe
2009-06-01 17:14 . 2009-06-01 17:15 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-01 01:16 . 2009-06-01 01:16 -------- dc----w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-01 00:52 . 2009-06-04 03:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 00:50 . 2009-06-01 00:50 -------- d-----w- c:\program files\AVG
2009-06-01 00:50 . 2009-06-01 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 22:39 . 2009-06-08 22:39 117760 ----a-w- c:\windows\system32\tljxbl.dll
2009-06-08 22:39 . 2009-06-08 22:39 117760 ----a-w- c:\windows\system32\yvucvwor.dll
2009-06-08 17:44 . 2008-11-27 23:36 2912 ----a-w- c:\windows\system32\TDSSriqp.dll
2009-06-04 15:58 . 2008-03-16 20:50 -------- d-----w- c:\program files\LimeWire
2009-06-04 04:56 . 2008-03-16 20:52 -------- d-----w- c:\documents and settings\Customer\Application Data\LimeWire
2009-06-03 00:50 . 2004-08-04 10:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-01 18:34 . 2008-03-04 00:08 -------- d-----w- c:\documents and settings\Customer\Application Data\U3
2009-06-01 01:18 . 2008-03-16 19:52 -------- d-----w- c:\program files\Google
2009-06-01 00:38 . 2008-03-04 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00197914-1702-48f6-9a58-1849dc7293c5}]
2009-06-08 22:39 117760 ----a-w- c:\windows\system32\tljxbl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a8ac21e-fec6-4b89-a86f-8c95c6d363e1}]
2009-06-08 22:36 304128 ----a-w- c:\windows\system32\mlJDtsRl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f26bedb-d89b-44a1-948b-5d523292dadf}]
2008-06-01 00:02 33408 ----a-w- c:\windows\system32\awtrRLFW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
2009-06-08 20:18 29184 ----a-w- c:\windows\system32\jbnmck.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-06 50528]
"DiskChk help"="c:\documents and settings\All Users\proto.dll" [2009-06-02 36352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2002-07-18 163840]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1996-3-20 14848]
Microsoft Office Find Fast Indexer.lnk - c:\msoffice\Office\FINDFAST.EXE [1996-3-20 86528]
Microsoft Office Shortcut Bar.lnk - c:\msoffice\Office\MSOFFICE.EXE [1996-3-20 365056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F26BEDB-D89B-44A1-948B-5D523292DADF}"= "c:\windows\system32\awtrRLFW.dll" [2008-06-01 33408]
"{fe319530-1e2d-424a-ac3d-c242bf8d8b2d}"= "c:\windows\system32\tljxbl.dll" [2009-06-08 117760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrRLFW]
2008-06-01 00:02 33408 ----a-w- c:\windows\system32\awtrRLFW.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\mlJDtsRl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

S1 9800d3ba;9800d3ba;c:\windows\system32\drivers\9800d3ba.sys [11/27/2008 4:48 PM 0]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FMEXWGHG
*Deregistered* - fmexwghg
.
- - - - ORPHANS REMOVED - - - -

<snip>

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 17:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\lRstDJlm.ini 372 bytes
c:\windows\system32\lRstDJlm.ini2 372 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\37ced551]
"ImagePath"="\SystemRoot\System32\drivers\37ced551.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\b29cf5d8]
"ImagePath"="\SystemRoot\System32\drivers\b29cf5d8.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS\Parameters]
@DACL=(02 0000)
"ServiceDll"=expand:"c:\\WINDOWS\\system32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS\Security]
@DACL=(02 0000)
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\awtrRLFW.dll

- - - - - - - > 'explorer.exe'(5288)
c:\windows\system32\mlJDtsRl.dll
c:\windows\system32\tljxbl.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\avast!AVSControlService.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-08 17:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-08 22:48

Pre-Run: 152,266,080,256 bytes free
Post-Run: 152,275,759,104 bytes free

1744 --- E O F --- 2008-05-28 02:21
Attached Files
File Type: txt cfixlog.txt (124.7 KB, 1 views)

Last edited by tetonbob; 06-08-2009 at 09:45 PM. Reason: snipped
ramentler is offline  
Old 06-08-2009, 09:40 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

Hi -

That went better than expected. Let's continue moving forward, and see how it goes.

About this:

Quote:
I was not able to install the recovery console through ComboFix
What happened? Was there an error message, or difficulty with the internet connection?

We have more work to do, and there are other ways to install the recovery console. While we've made good progress, there's still more work to do, and I'd feel better having it installed. Also, Combofix will not perform some of its repairs without the Recovery Console installed.


About this:

Quote:
all he had was the OS re-installation CD
That gets him a fresh OS, right? We can still continue to clean and see how things progress.

It's best to hit this hard and fast now....we may get it back into order after all.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 06-09-2009, 09:44 AM   #13 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Re: Malware Help Please

When I got the message that the recovery console was not installed on the PC, I clicked on Yes to download. I was connected through a wireless connection, but a message appeared saying something about:

An internet connect in order to download recovery console, connect to the internet before you click ok.

I made sure the internet connection was connected and clicked ok. Then it said:

Could not download recovery console.

So there was some sort of error preventing me from downloading it. As for the discs I received from my friend, he gave me the disc to give him a fresh OS and the Drivers and Utilities Disc which isn't necessary at this point.

The error messages that I received are close to what I remember, but they are not word for word. I hope they help you.

Thanks,

Rocco
ramentler is offline  
Old 06-09-2009, 09:52 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

OK....since having Recovery Console installed is critical to fixing some of the infection, let's have you use the manual install method.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------


Please do this:

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System




For this machine, it's this file:

http://www.microsoft.com/downloads/d...displaylang=en


Download the file & save it as it's originally named, next to ComboFix.exe.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


  • Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it as indicated in the above image. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

    ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

    As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on No.

    When complete, a log named CF_RC.txt will open. Please post the contents of that log in your next reply, after these next instructions:

    ---------------------------------------------------------------------------------------------

  • Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/382550-malware-help-please.html#post2179962
    
    File::
    c:\windows\system32\lRstDJlm.ini2
    c:\windows\system32\lRstDJlm.ini
    Driver::
    9800d3ba
    37ced551
    DDS::
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    Collect::
    c:\windows\system32\awtrRLFW.dll
    c:\windows\system32\mlJDtsRl.dll
    c:\windows\system32\drivers\37ced551.sys
    c:\windows\system32\drivers\9800d3ba.sys
    c:\windows\system32\drivers\b29cf5d8.sys
    c:\windows\system32\jbnmcd.dll
    c:\windows\system32\avast!AVSControlService.exe
    c:\windows\system32\jbnmck.dll
    C:\undlh.exe
    C:\isjtcmum.exe
    c:\documents and settings\All Users\proto.dll
    c:\windows\system32\tljxbl.dll
    c:\windows\system32\yvucvwor.dll
    c:\windows\system32\TDSSriqp.dll
    Reglock::
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS]
    Comment::
    End Copy Here
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.


    ---------------------------------------------------------------------------------------------

Please return with logs from:

C:\CF_RC.txt
ComboFix (C:\ComboFix.txt if it's been closed)
tetonbob is offline  
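As an added example (not ComboFix's code or anything posted in this thread): a small Python triage that decodes the hex(7) value in the Registry:: block of the CFScript above to confirm it restores the default LSA "Authentication Packages" list, and that flags the three hijacks visible in the earlier log (the extra LSA package mlJDtsRl, the IE proxy pointed at localhost:7171, and the disabled Security Center update notifications). The sample log lines are constructed from the posted log; the function names are my own.

```python
"""Triage helpers for a ComboFix-style registry excerpt (added example)."""
import re

# Constructed from the "Reg Loading Points" and "Supplementary Scan"
# sections of the log posted earlier in this thread.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\\windows\\system32\\mlJDtsRl

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"UpdatesDisableNotify"=dword:00000001

uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
"""

# The line from the CFScript Registry:: block that rewrites the LSA value.
CFSCRIPT_FIX = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

# Default LSA authentication package on a stock Windows XP install.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def decode_hex7(value):
    """Decode a REGEDIT4 hex(7) (REG_MULTI_SZ, ANSI) value into a list of strings.

    The byte stream is NUL-separated strings ended by one extra NUL, so
    "6d,73,76,31,5f,30,00,00" decodes to ["msv1_0"].
    """
    m = re.search(r'hex\(7\):([0-9a-fA-F,\\\s]+)', value)
    if not m:
        raise ValueError("not a hex(7) value")
    raw = bytes(int(b, 16) for b in re.findall(r'[0-9a-fA-F]{2}', m.group(1)))
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def fix_restores_default(cfscript_line):
    """True if the CFScript line sets the LSA list back to the stock default."""
    return decode_hex7(cfscript_line) == DEFAULT_AUTH_PACKAGES


def auth_packages_from_log(log):
    """Return the Authentication Packages list exactly as ComboFix printed it."""
    for line in log.splitlines():
        if line.startswith("Authentication Packages"):
            return line.split("REG_MULTI_SZ", 1)[1].split()
    return []


def triage(log):
    """Return findings as (severity, description) tuples, highest risk first."""
    findings = []
    # lsass.exe loads every listed package at boot and hands it each logon,
    # so anything beyond the stock msv1_0 entry deserves a closer look.
    for pkg in auth_packages_from_log(log):
        if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
            findings.append(("high", "extra LSA authentication package: %s" % pkg))
    # A proxy on loopback means some local process is sitting in the browser's path.
    m = re.search(r'ProxyServer\s*=\s*(\S+)', log)
    if m and re.search(r'localhost|127\.0\.0\.1', m.group(1)):
        findings.append(("high", "IE proxy points at loopback: %s" % m.group(1)))
    # Malware commonly silences Security Center so the user is not warned.
    if re.search(r'"UpdatesDisableNotify"=dword:0*1\b', log):
        findings.append(("medium", "Security Center update notifications disabled"))
    return findings


if __name__ == "__main__":
    print("CFScript restores LSA default:", fix_restores_default(CFSCRIPT_FIX))
    for severity, text in triage(SAMPLE_LOG):
        print("[%s] %s" % (severity, text))
```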
Old 06-09-2009, 10:58 PM   #15 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Re: Malware Help Please

Ok,

here are the logs you asked for. Everything ran very smoothly and ComboFix ran a lot quicker than the previous time it scanned.

ComboFix 09-06-07.07 - Customer 06/09/2009 23:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.789 [GMT -5:00]
Running from: c:\documents and settings\Customer\Desktop\comfxx.exe
Command switches used :: c:\documents and settings\Customer\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\lRstDJlm.ini"
"c:\windows\system32\lRstDJlm.ini2"

file zipped: c:\documents and settings\All Users\proto.dll
file zipped: C:\isjtcmum.exe
file zipped: C:\undlh.exe
file zipped: c:\windows\system32\avast!AVSControlService.exe
file zipped: c:\windows\system32\awtrRLFW.dll
file zipped: c:\windows\system32\drivers\37ced551.sys
file zipped: c:\windows\system32\drivers\9800d3ba.sys
file zipped: c:\windows\system32\drivers\b29cf5d8.sys
file zipped: c:\windows\system32\jbnmcd.dll
file zipped: c:\windows\system32\jbnmck.dll
file zipped: c:\windows\system32\mlJDtsRl.dll
file zipped: c:\windows\system32\TDSSriqp.dll
file zipped: c:\windows\system32\tljxbl.dll
file zipped: c:\windows\system32\yvucvwor.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\proto.dll
C:\isjtcmum.exe
C:\undlh.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\awtrRLFW.dll
c:\windows\system32\drivers\37ced551.sys
c:\windows\system32\drivers\9800d3ba.sys
c:\windows\system32\drivers\b29cf5d8.sys
c:\windows\system32\jbnmcd.dll
c:\windows\system32\jbnmck.dll
c:\windows\system32\lRstDJlm.ini
c:\windows\system32\lRstDJlm.ini2
c:\windows\system32\mlJDtsRl.dll
c:\windows\system32\sft.res
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\tljxbl.dll
c:\windows\system32\yvucvwor.dll

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_37ced551
-------\Service_9800d3ba
-------\Service_b29cf5d8
-------\Legacy_avast!avscontrolservice
-------\Service_avast!avscontrolservice


((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-04 01:18 . 2009-06-04 01:48 -------- d-s---w- C:\123
2009-06-01 18:42 . 2006-04-06 00:38 110592 ----a-w- c:\documents and settings\Customer\Application Data\U3\temp\cleanup.exe
2009-06-01 17:14 . 2009-06-01 17:15 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-01 01:16 . 2009-06-01 01:16 -------- dc----w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-01 00:52 . 2009-06-04 03:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 00:50 . 2009-06-01 00:50 -------- d-----w- c:\program files\AVG
2009-06-01 00:50 . 2009-06-01 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 15:58 . 2008-03-16 20:50 -------- d-----w- c:\program files\LimeWire
2009-06-04 04:56 . 2008-03-16 20:52 -------- d-----w- c:\documents and settings\Customer\Application Data\LimeWire
2009-06-03 00:50 . 2004-08-04 10:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-01 18:34 . 2008-03-04 00:08 -------- d-----w- c:\documents and settings\Customer\Application Data\U3
2009-06-01 01:18 . 2008-03-16 19:52 -------- d-----w- c:\program files\Google
2009-06-01 00:38 . 2008-03-04 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
.

------- Sigcheck -------

[-] 2009-06-03 00:50 212480 1DDCD4F10C093B87A59A0FBA97E8462D c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-06 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2002-07-18 163840]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1996-3-20 14848]
Microsoft Office Find Fast Indexer.lnk - c:\msoffice\Office\FINDFAST.EXE [1996-3-20 86528]
Microsoft Office Shortcut Bar.lnk - c:\msoffice\Office\MSOFFICE.EXE [1996-3-20 365056]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/16/2008 2:43 PM 24652]
.
- - - - ORPHANS REMOVED - - - -

BHO-{00197914-1702-48f6-9a58-1849dc7293c5} - c:\windows\system32\tljxbl.dll
BHO-{575040f7-571f-4302-a657-6d4e448eeb35} - c:\windows\system32\mlJDtsRl.dll
BHO-{aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll
HKCU-Run-DiskChk help - c:\documents and settings\All Users\proto.dll
ShellExecuteHooks-{fe319530-1e2d-424a-ac3d-c242bf8d8b2d} - c:\windows\system32\tljxbl.dll
Notify-awtrRLFW - awtrRLFW.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 23:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS\Parameters]
@DACL=(02 0000)
"ServiceDll"=expand:"c:\\WINDOWS\\system32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS\Security]
@DACL=(02 0000)
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-06-10 23:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-10 04:50
ComboFix2.txt 2009-06-08 22:48

Pre-Run: 152,282,529,792 bytes free
Post-Run: 152,268,288,000 bytes free

145 --- E O F --- 2008-05-28 02:21
Attached Files
File Type: txt CF_RC.txt (324 Bytes, 1 views)
File Type: txt ComboFix.txt (7.4 KB, 1 views)
ramentler is offline  
Old 06-09-2009, 11:19 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

Hi -

ComboFix is updated frequently. Please delete your existing version, download a fresh copy from one of the links below, disable any protections as before, and run ComboFix one more time. Post the log produced.
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combofix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Also, let me know if you have the Windows XP Installation CD in hand; we may need it to replace a file.
tetonbob is offline  
Old 06-10-2009, 12:41 AM   #17 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Re: Malware Help Please

Ok,

Deleted and installed ComboFix. Here is the log. I do have the Windows re-installation CD handy so that we can replace a file if needed.


ComboFix 09-06-09.06 - Customer 06/10/2009 1:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.700 [GMT -5:00]
Running from: c:\documents and settings\Customer\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\1458931097.exe
C:\ipkc.exe
C:\ldpmwlum.exe
c:\program files\Internet Explorer\setupapi.dll
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\jbnmcd.dll
c:\windows\system32\sft.res

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 06:17 . 2009-06-10 06:17 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-10 05:17 . 2009-06-10 05:32 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-10 05:17 . 2009-06-10 05:17 10520 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-10 05:17 . 2009-06-10 05:17 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-10 05:17 . 2009-06-10 05:17 325640 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-10 05:17 . 2009-06-10 05:17 27656 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-10 05:08 . 2009-06-10 05:08 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-10 05:07 . 2009-06-10 05:07 -------- d-----w- c:\documents and settings\Customer\Application Data\Malwarebytes
2009-06-10 05:07 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-10 05:07 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-10 05:06 . 2009-06-10 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-10 05:01 . 2009-06-10 06:36 99422 ----a-w- c:\windows\system32\drivers\71ff3351.sys
2009-06-04 01:18 . 2009-06-04 01:48 -------- d-s---w- C:\123
2009-06-01 18:42 . 2006-04-06 00:38 110592 ----a-w- c:\documents and settings\Customer\Application Data\U3\temp\cleanup.exe
2009-06-01 17:14 . 2009-06-01 17:15 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-01 01:16 . 2009-06-01 01:16 -------- dc----w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-01 00:52 . 2009-06-10 05:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 00:50 . 2009-06-01 00:50 -------- d-----w- c:\program files\AVG
2009-06-01 00:50 . 2009-06-10 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 06:32 . 2004-08-04 10:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-04 15:58 . 2008-03-16 20:50 -------- d-----w- c:\program files\LimeWire
2009-06-04 04:56 . 2008-03-16 20:52 -------- d-----w- c:\documents and settings\Customer\Application Data\LimeWire
2009-06-01 18:34 . 2008-03-04 00:08 -------- d-----w- c:\documents and settings\Customer\Application Data\U3
2009-06-01 01:18 . 2008-03-16 19:52 -------- d-----w- c:\program files\Google
.

((((((((((((((((((((((((((((( SnapShot@2009-06-08_22.37.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 10:00 . 2009-06-10 06:29 182912 c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF01325-0FC2-4749-8914-FBF0565AD9CC}]
jbnmcd.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-06 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-10 1932568]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2002-07-18 163840]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1996-3-20 14848]
Microsoft Office Find Fast Indexer.lnk - c:\msoffice\Office\FINDFAST.EXE [1996-3-20 86528]
Microsoft Office Shortcut Bar.lnk - c:\msoffice\Office\MSOFFICE.EXE [1996-3-20 365056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-10 05:17 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/10/2009 12:17 AM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/10/2009 12:17 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/10/2009 12:17 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/10/2009 12:17 AM 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/16/2008 2:43 PM 24652]
S2 avast!AVSControlService;avast!AVSControlService;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 01:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\71ff3351]
"ImagePath"="\SystemRoot\System32\drivers\71ff3351.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-06-10 1:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-10 06:37
ComboFix2.txt 2009-06-10 04:50
ComboFix3.txt 2009-06-08 22:48

Pre-Run: 152,062,468,096 bytes free
Post-Run: 152,059,195,392 bytes free

131 --- E O F --- 2008-05-28 02:21
Attached Files
File Type: txt ComboFix.txt (7.9 KB, 1 views)
ramentler is offline  
Old 06-10-2009, 12:50 AM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

The CD should not be necessary now...the kitty was hungry. We're making progress.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    AVG 8.5
    Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
    • Click on Open AVG Interface.
    • Double click on Resident Shield
    • Deselect the option to "Enable Resident Shield."
    • Save changes, and exit the application.
    • To re-enable AVG 8.5, please select "Enable Resident Shield" again.

  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/382550-malware-help-please.html#post2181865
    registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF01325-0FC2-4749-8914-FBF0565AD9CC}]
    Driver::
    71ff3351
    avast!AVSControlService
    Collect::
    c:\windows\system32\drivers\71ff3351.sys
    Reglock::
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS\Parameters]
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS\Security]

    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
    If you do not get a message box, please do the following:

    There should be a file named [4]-Submit_date@time.zip with today's date, located here:

    C:\QooBox\Quarantine\[4]-Submit_date@time.zip

    Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

    Please let me know if you successfully submitted the file. Thanks.

    ------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------


Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.


Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
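An added example, not part of the thread and not ComboFix's or tetonbob's own code: a small Python triage script that reads the kind of ComboFix log posted above and pulls out the entries the CFScript targets. The embedded log is a constructed excerpt of lines from this thread, not the full log. The heuristics are my own assumptions and are triage prompts, not verdicts: an eight-hex-character driver name (71ff3351.sys) and a service key named the same way, an autostart entry whose bracket tag is not a verified date and size ([X] means the file is missing, [?] and [BU] that ComboFix recorded no verified date/size), and a service launched with svchost's "-k <group>" syntax from a binary that is not svchost.exe. The [X] on the dumprep entry, for instance, is only an orphaned Run value pointing at an absent file, which is harmless here.

```python
import re

# Constructed excerpt of the ComboFix log posted in this thread (not the full log).
SAMPLE_LOG = r"""
2009-06-10 05:07 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-10 05:01 . 2009-06-10 06:36 99422 ----a-w- c:\windows\system32\drivers\71ff3351.sys
2009-06-01 00:50 . 2009-06-01 00:50 -------- d-----w- c:\program files\AVG

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF01325-0FC2-4749-8914-FBF0565AD9CC}]
jbnmcd.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-10 1932568]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/10/2009 12:17 AM 325640]
S2 avast!AVSControlService;avast!AVSControlService;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\71ff3351]
"ImagePath"="\SystemRoot\System32\drivers\71ff3351.sys"
"""

# "created . modified size attrs path" rows of the Files Created / Find3M sections
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
                     r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$')
# "R1 name;display;image [info]" service and driver lines
SVC_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]+);(.+) \[([^\]]*)\]$')
# bracket tags ComboFix writes instead of a verified "[date size]" pair
TAG_RE = re.compile(r'\[(BU|X|\?)\]\s*$')
HEX_STEM_RE = re.compile(r'^[0-9a-f]{8}$', re.I)


def parse_files(log):
    """Rows of the file listing: created, modified, size (None for dirs), attrs, path."""
    rows = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            rows.append({"created": created, "modified": modified,
                         "size": None if size.startswith("-") else int(size),
                         "attrs": attrs, "path": path})
    return rows


def hex_named_drivers(rows):
    """Heuristic: .sys files under \\drivers\\ whose stem is eight hex characters."""
    hits = []
    for row in rows:
        path = row["path"].lower()
        stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
        if "\\drivers\\" in path and ext == "sys" and HEX_STEM_RE.match(stem):
            hits.append(row["path"])
    return hits


def hex_named_service_keys(log):
    """Heuristic: service keys named the same way (e.g. ...\\Services\\71ff3351)."""
    return re.findall(r'\\Services\\([0-9a-f]{8})\]$', log, re.I | re.M)


def tagged_autostarts(log):
    """Reg Loading Points entries carrying [X], [?] or [BU] instead of a verified
    date/size. Returns (registry key the entry sits under or None, line, tag).
    Service lines are left to suspicious_services()."""
    key, hits = None, []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            key = None            # blank line ends the current key block
            continue
        if line.startswith("[HK") and line.endswith("]"):
            key = line
            continue
        if SVC_RE.match(line):
            continue
        m = TAG_RE.search(line)
        if m:
            hits.append((key, line, m.group(1)))
    return hits


def suspicious_services(log):
    """Service/driver lines whose binary ComboFix could not verify ([?]) or that
    use svchost's "-k <group>" syntax from a binary that is not svchost.exe."""
    hits = []
    for raw in log.splitlines():
        m = SVC_RE.match(raw.strip())
        if not m:
            continue
        state, name, _display, image, info = m.groups()
        reasons = []
        if info == "?":
            reasons.append("binary not verifiable [?]")
        if " -k " in image.lower() and "svchost.exe" not in image.lower():
            reasons.append("svchost-style -k group on a non-svchost binary")
        if reasons:
            hits.append({"state": state, "name": name, "image": image, "reasons": reasons})
    return hits


def triage(log):
    """Everything a fix script like the CFScript above would need to target."""
    rows = parse_files(log)
    return {"hex_drivers": hex_named_drivers(rows),
            "hex_service_keys": hex_named_service_keys(log),
            "tagged_autostarts": tagged_autostarts(log),
            "suspicious_services": suspicious_services(log)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run against the excerpt, the script reports the hex-named driver and its service key, the BHO entry tagged [BU] and the dumprep entry tagged [X], and the "avast!AVSControlService" service on two counts (unverifiable binary, "-k netsvcs" on a non-svchost executable). Those are exactly the items the CFScript above removes or collects; the dumprep [X] is the reminder that a tag on its own is a reason to look, not a reason to delete.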
Old 06-10-2009, 10:03 AM   #19 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 21
OS: xp home


Re: Malware Help Please

Ok,

I posted the .zip file to the site you asked me to and here is the ComboFix log:

ComboFix 09-06-09.06 - Customer 06/10/2009 1:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.700 [GMT -5:00]
Running from: c:\documents and settings\Customer\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\1458931097.exe
C:\ipkc.exe
C:\ldpmwlum.exe
c:\program files\Internet Explorer\setupapi.dll
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\jbnmcd.dll
c:\windows\system32\sft.res

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 06:17 . 2009-06-10 06:17 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-10 05:17 . 2009-06-10 05:32 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-10 05:17 . 2009-06-10 05:17 10520 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-10 05:17 . 2009-06-10 05:17 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-10 05:17 . 2009-06-10 05:17 325640 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-10 05:17 . 2009-06-10 05:17 27656 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-10 05:08 . 2009-06-10 05:08 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-10 05:07 . 2009-06-10 05:07 -------- d-----w- c:\documents and settings\Customer\Application Data\Malwarebytes
2009-06-10 05:07 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-10 05:07 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-10 05:06 . 2009-06-10 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-10 05:01 . 2009-06-10 06:36 99422 ----a-w- c:\windows\system32\drivers\71ff3351.sys
2009-06-04 01:18 . 2009-06-04 01:48 -------- d-s---w- C:\123
2009-06-01 18:42 . 2006-04-06 00:38 110592 ----a-w- c:\documents and settings\Customer\Application Data\U3\temp\cleanup.exe
2009-06-01 17:14 . 2009-06-01 17:15 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-01 01:16 . 2009-06-01 01:16 -------- dc----w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-01 00:52 . 2009-06-10 05:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 00:50 . 2009-06-01 00:50 -------- d-----w- c:\program files\AVG
2009-06-01 00:50 . 2009-06-10 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 06:32 . 2004-08-04 10:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-04 15:58 . 2008-03-16 20:50 -------- d-----w- c:\program files\LimeWire
2009-06-04 04:56 . 2008-03-16 20:52 -------- d-----w- c:\documents and settings\Customer\Application Data\LimeWire
2009-06-01 18:34 . 2008-03-04 00:08 -------- d-----w- c:\documents and settings\Customer\Application Data\U3
2009-06-01 01:18 . 2008-03-16 19:52 -------- d-----w- c:\program files\Google
.

((((((((((((((((((((((((((((( SnapShot@2009-06-08_22.37.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 10:00 . 2009-06-10 06:29 182912 c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF01325-0FC2-4749-8914-FBF0565AD9CC}]
jbnmcd.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-06 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-10 1932568]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2002-07-18 163840]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1996-3-20 14848]
Microsoft Office Find Fast Indexer.lnk - c:\msoffice\Office\FINDFAST.EXE [1996-3-20 86528]
Microsoft Office Shortcut Bar.lnk - c:\msoffice\Office\MSOFFICE.EXE [1996-3-20 365056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-10 05:17 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/10/2009 12:17 AM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/10/2009 12:17 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/10/2009 12:17 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/10/2009 12:17 AM 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/16/2008 2:43 PM 24652]
S2 avast!AVSControlService;avast!AVSControlService;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 01:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\71ff3351]
"ImagePath"="\SystemRoot\System32\drivers\71ff3351.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-06-10 1:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-10 06:37
ComboFix2.txt 2009-06-10 04:50
ComboFix3.txt 2009-06-08 22:48

Pre-Run: 152,062,468,096 bytes free
Post-Run: 152,059,195,392 bytes free

131 --- E O F --- 2008-05-28 02:21

The other files are attached.

Thanks,

Rocco
Attached Files
File Type: txt Add-Remove Programs.txt (4.7 KB, 1 views)
File Type: txt ComboFix-quarantined-files.txt (257.7 KB, 1 views)
ramentler is offline  
Old 06-10-2009, 10:05 AM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Malware Help Please

Hi Rocco -

Thanks for uploading the one file. I'll have more work for you to do after I review the attached logs.

The ComboFix log posted is from the previous run, not the most recent run.

That new log should be located at C:\ComboFix.txt

Please post it whilst I review the attached logs.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
 


Copyright 2001 - 2009, Tech Support Forum