#1
Cannot delete jkklk.dll (vundo downloader)
Hello, I'm having a problem with two infected processes. I first noticed it when I would start up my computer and notice that within five minutes trojan.vundo would appear in my Content.IE5 temp Int files folder. I've temporarily solved the problem by telling IE to work offline (I use netscape), but I'd like to get rid of the problem, and I've read that the jkklk.dll file may be responsible.
Symantec anti-virus does not detect jkklk.dll, neither does Vundofix. I've tried to delete it manually, but it says the file is in use. I've tried in safe-mode, but no success. I've tried using the Vundofix path function, but it cannot delete it either. I've also used Process Explorer to kill the jkklk threads which appear in explorer.exe and lsass.exe, but despite them not appearing in the thread menu I still cannot delete the file. Here is the HijackThis log; I know that the EasyGif toolbar is not the problem. Thanks

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\DOCUME~1\JOHNDO~1\LOCALS~1\Temp\Rar$EX68.343\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\John Doe\Application Data\Mozilla\Profiles\default\tfwsakxd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\John Doe\Application Data\Mozilla\Profiles\default\tfwsakxd.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\opnmljj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Easy Gif Animator Toolbar Helper - {96372AB6-15EB-4316-B497-71C741BC548C} - C:\Program Files\Easy Gif Animator Extension\v3.2.0.0\EasyGifAnimator_Toolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: Easy Gif Animator Toolbar - {35065594-9169-4A34-B167-FC4865038E53} - C:\Program Files\Easy Gif Animator Extension\v3.2.0.0\EasyGifAnimator_Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188778483531
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://antivirus.college.edu/webinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#2
Here is the silent runners log as well
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Steam" = "(empty string)" [file not found]
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"IntelMeM" = "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" ["Intel Corporation"]
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" ["Dell - Advanced Desktop Engineering"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" ["Lexmark"]
"LXSUPMON" = "C:\WINDOWS\System32\LXSUPMON.EXE RUN" ["Lexmark"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided) -> {HKLM...CLSID} = "Yahoo! Companion BHO" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{08C134D3-087C-4139-A98C-3A078358DFDE}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\opnmljj.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided) -> {HKLM...CLSID} = "DriveLetterAccess" \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{9412338B-A805-4E1F-B3E3-E7F379E1187B}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\jkklk.dll" [null data]
{96372AB6-15EB-4316-B497-71C741BC548C}\(Default) = (no title provided) -> {HKLM...CLSID} = "Easy Gif Animator Toolbar Helper" \InProcServer32\(Default) = "C:\Program Files\Easy Gif Animator Extension\v3.2.0.0\EasyGifAnimator_Toolbar.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {HKLM...CLSID} = "Display Panning CPL Extension" \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt" -> {HKLM...CLSID} = "RecordNow! SendToExt" \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess" -> {HKLM...CLSID} = "DriveLetterAccess" \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1" -> {HKLM...CLSID} = "dBpShell Class" \InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter" -> {HKLM...CLSID} = "dMCIShell Class" \InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions" -> {HKLM...CLSID} = "VpshellEx Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{08C134D3-087C-4139-A98C-3A078358DFDE}" = "*b" (unwritable string) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\opnmljj.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler" -> {HKLM...CLSID} = "dBpShell Class" \InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" -> {HKLM...CLSID} = "VpshellEx Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}" -> {HKLM...CLSID} = "QuickFinder Shell Extension" \InProcServer32\(Default) = "c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" -> {HKLM...CLSID} = "VpshellEx Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Netscape 7.2 Wallpaper.bmp"

Startup items in "John Doe" & "All Users" startup folders:
------------------------------------------------------------
C:\Documents and Settings\John Doe\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

Enabled Scheduled Tasks:
------------------------
"ISP signup reminder 1" -> launches: "C:\WINDOWS\System32\OOBE\OOBEBALN.EXE /sys /i /n:1" [MS]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Companion" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]
"{35065594-9169-4A34-B167-FC4865038E53}"

Last edited by adrshepard; October 30th, 2007 at 09:39 PM.
#3
Hello and welcome to CTH,
Download combofix.exe to your Desktop. Doubleclick on combofix.exe and follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Disk Cleanup will run and then a text window with your log will open. Please copy and paste that log back here. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
#4
I looked at the log, and it apparently deleted jkklk.dll, along with a bunch of other suspicious looking dlls. I forgot to copy the log though, but I don't think it matters since it solved my problem.
Thank you for your assistance.
#5
The log is saved - please post the log - there may be other issues that you do not see.
C:\combofix.txt
#6
ComboFix 07-10-29.1 - John Doe 2007-10-30 17:27:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.241 [GMT -5:00]
Running from: C:\Documents and Settings\John Doe\Desktop\Downloads\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\Temporary
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\fCOe
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\clqlblai.dll
C:\WINDOWS\system32\fsxwkshr.dll
C:\WINDOWS\system32\fubcxufx.dll
C:\WINDOWS\system32\gegshavx.dll
C:\WINDOWS\system32\istavggo.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jrxicmgl.dll
C:\WINDOWS\system32\jydwymcm.dll
C:\WINDOWS\system32\kjbyuijy.dll
C:\WINDOWS\SYSTEM32\klkkj.ini
C:\WINDOWS\SYSTEM32\lgmcixrj.ini
C:\WINDOWS\system32\lkytglms.dll
C:\WINDOWS\system32\msskrsmo.dll
C:\WINDOWS\system32\nkptuupp.dll
C:\WINDOWS\system32\nriawsqf.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\ppuutpkn.ini
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S7
C:\WINDOWS\SYSTEM32\tbxsiavx.ini
C:\WINDOWS\system32\win
C:\WINDOWS\system32\xvaisxbt.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\core

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.
2007-10-30 17:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 16:40 175,616 --a------ C:\WINDOWS\SYSTEM32\strings.exe
2007-10-29 16:40 126,976 --a------ C:\WINDOWS\SYSTEM32\zip.exe
2007-10-29 16:40 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-10-29 16:40 39,184 --a------ C:\WINDOWS\SYSTEM32\Ntrights.exe
2007-10-29 16:40 16,384 --a------ C:\WINDOWS\SYSTEM32\restart.exe
2007-10-29 16:40 11,254 --a------ C:\WINDOWS\SYSTEM32\locate.com
2007-10-29 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-23 09:38 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-16 23:10 <DIR> d-------- C:\Documents and Settings\John Doe\Application Data\Move Networks
2007-10-02 12:25 31,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
2007-10-02 12:25 31,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usbccgp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 14:09 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-26 18:01 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-08-29 22:22 --------- d-----w C:\Program Files\The Creative Assembly
2007-08-29 22:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-29 21:38 --------- d-----w C:\Program Files\Activision
2006-09-11 00:07 1 ----a-w C:\Documents and Settings\John Doe\SI.bin
2005-03-09 00:04 784 ----a-w C:\Documents and Settings\John Doe\Application Data\mpauth.dat
2007-06-05 04:25:38 1,611,821 --sha-w C:\WINDOWS\SYSTEM32\cccdd.bak1
2007-06-07 01:22:35 1,837,565 --sha-w C:\WINDOWS\SYSTEM32\cccdd.bak2
2007-06-07 01:45:53 1,838,987 --sha-w C:\WINDOWS\SYSTEM32\cccdd.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 10:05]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 11:32]
"LXSUPMON"="C:\WINDOWS\System32\LXSUPMON.exe" [2000-06-07 12:01]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22]
"nwiz"="nwiz.exe" [2006-06-01 16:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Steam"="" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

S3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys
S3 RivaTunerEx;RivaTunerEx;\??\C:\Program Files\RivaTuner v2.0 RC 15.5\RivaTunerEx.sys
.
Contents of the 'Scheduled Tasks' folder
"2004-06-17 19:09:56 C:\WINDOWS\Tasks\ISP signup reminder 1.job" - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2007-10-30 22:27:46 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************
catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 17:36:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-30 17:39:27 - machine was rebooted
.
--- E O F ---
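The ComboFix log above shows jkklk.dll registered under the LSA "Authentication Packages" value, which is why lsass.exe held the file open and a manual delete failed. As an added example (not code from the thread or from ComboFix), here is a small Python triage of a ComboFix-style "Reg Loading Points" section, run over a constructed sample modelled on that log; the Windows XP baseline package lists are an assumption to adjust for your own build.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example, not ComboFix's own code. It parses the [key] / "name"="value"
layout ComboFix prints and flags LSA packages outside the XP defaults (an
"Authentication Packages" DLL is loaded by lsass.exe at boot, so the file is
always in use) plus autorun values with no target.
"""
import re
from typing import Dict, List, Tuple

# Assumption: baseline LSA package lists for a stock Windows XP install.
# Compare against a known-good image of your own build before relying on it.
LSA_BASELINE = {
    "authentication packages": {"msv1_0"},
    "notification packages": {"scecli"},
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="Value" [stamp]   or   "Name"= tok1 tok2 (REG_MULTI_SZ printed space-separated)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*?)\s*(?:\[(?P<stamp>[^\]]*)\])?$')

Entry = Tuple[str, str, str]  # (registry key, value name, value data)

# Constructed sample modelled on the log in this thread; not a real capture.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21]
"nwiz"="nwiz.exe" [2006-06-01 16:22 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklk.dll
"""


def parse_loading_points(text: str) -> List[Entry]:
    """Walk the section line by line, tracking the current [key] header.

    Lines that are neither a header nor a quoted value (bare msconfig paths,
    'S3 ...' driver lines, banners) are ignored.
    """
    entries: List[Entry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*Note*"):
            continue
        header = KEY_RE.match(line)
        if header:
            key = header.group("key")
            continue
        value = VAL_RE.match(line)
        if value and key:
            entries.append((key, value.group("name"), value.group("value").strip('"')))
    return entries


def lsa_findings(entries: List[Entry]) -> List[str]:
    """LSA package entries not in the baseline, as 'Value name: package'."""
    findings: List[str] = []
    for key, name, data in entries:
        if not key.lower().endswith("\\control\\lsa"):
            continue
        baseline = LSA_BASELINE.get(name.lower())
        if baseline is None:
            continue
        # ComboFix joins REG_MULTI_SZ entries with spaces; a package path that
        # itself contains spaces needs the raw registry value, not the log line.
        for package in data.split():
            if package.lower() not in baseline:
                findings.append(f"{name}: {package}")
    return findings


def empty_run_values(entries: List[Entry]) -> List[str]:
    """Run values with no target: stale leftovers, harmless but worth cleaning."""
    return [f"{key}\\{name}" for key, name, data in entries
            if key.lower().endswith("\\run") and data == ""]


def run_targets(entries: List[Entry]) -> List[str]:
    """Executables launched from Run keys, for comparison against a known-good list."""
    return [data for key, _name, data in entries
            if key.lower().endswith("\\run") and data]


def triage(text: str) -> Dict[str, List[str]]:
    entries = parse_loading_points(text)
    return {
        "lsa_non_baseline": lsa_findings(entries),
        "empty_run_values": empty_run_values(entries),
        "run_targets": run_targets(entries),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```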
#7
Just as I figured - there are still some nasty files hiding.
Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
Files::
C:\WINDOWS\SYSTEM32\cccdd.bak1
C:\WINDOWS\SYSTEM32\cccdd.bak2
C:\WINDOWS\SYSTEM32\cccdd.ini2

(include the "quotation marks" with the name)

[image]

Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
#8
How is it that you have the malware file names memorized whereas Symantec doesn't even detect them? I don't understand how the anti-virus software, properly updated, could be inadequate.
ComboFix 07-10-29.1 - John Doe 2007-11-01 21:28:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.142 [GMT -5:00]
Running from: C:\Documents and Settings\John Doe\Desktop\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Doe\Desktop\Downloads\CFScript
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.
2007-10-30 17:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 16:40 175,616 --a------ C:\WINDOWS\SYSTEM32\strings.exe
2007-10-29 16:40 126,976 --a------ C:\WINDOWS\SYSTEM32\zip.exe
2007-10-29 16:40 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-10-29 16:40 39,184 --a------ C:\WINDOWS\SYSTEM32\Ntrights.exe
2007-10-29 16:40 16,384 --a------ C:\WINDOWS\SYSTEM32\restart.exe
2007-10-29 16:40 11,254 --a------ C:\WINDOWS\SYSTEM32\locate.com
2007-10-29 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-23 09:38 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-16 23:10 <DIR> d-------- C:\Documents and Settings\John Doe\Application Data\Move Networks
2007-10-02 12:25 31,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
2007-10-02 12:25 31,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usbccgp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 14:28 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-26 18:01 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-08-22 13:12 96,256 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2006-09-11 00:07 1 ----a-w C:\Documents and Settings\John Doe\SI.bin
2005-03-09 00:04 784 ----a-w C:\Documents and Settings\John Doe\Application Data\mpauth.dat
2007-06-05 04:25:38 1,611,821 --sha-w C:\WINDOWS\SYSTEM32\cccdd.bak1
2007-06-07 01:22:35 1,837,565 --sha-w C:\WINDOWS\SYSTEM32\cccdd.bak2
2007-06-07 01:45:53 1,838,987 --sha-w C:\WINDOWS\SYSTEM32\cccdd.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 10:05]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 11:32]
"LXSUPMON"="C:\WINDOWS\System32\LXSUPMON.exe" [2000-06-07 12:01]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22]
"nwiz"="nwiz.exe" [2006-06-01 16:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Steam"="" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

S3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys
S3 RivaTunerEx;RivaTunerEx;\??\C:\Program Files\RivaTuner v2.0 RC 15.5\RivaTunerEx.sys
.
Contents of the 'Scheduled Tasks' folder
"2004-06-17 19:09:56 C:\WINDOWS\Tasks\ISP signup reminder 1.job" - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2007-11-02 02:27:16 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 21:32:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-01 21:34:17
C:\ComboFix2.txt ... 2007-10-30 17:39
.
--- E O F --- Last edited by adrshepard; November 2nd, 2007 at 02:40 AM. |
#9
There is NO anti-spyware or anti-virus program out there that will always catch everything. I do not have names of all malware memorized. It takes research and a lot of time to learn to fight malware.
Please download and unzip the attached file. Double-click FIND.BAT. Notepad will open with a log - please post that here.
#10
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 7C88-DB0C

 Directory of C:\WINDOWS\System

------- Hidden Files in System Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 7C88-DB0C

 Directory of C:\WINDOWS\System

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\2\\printray.exe"
"LXSUPMON"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
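The REGEDIT4 dump of the HKLM Run key in the FIND.BAT log above is exactly the kind of output a helper has to read by eye: each value is a command line with doubled backslashes, sometimes quoted, sometimes a rundll32 wrapper around a DLL, sometimes a bare filename. The script below is an added example written for this page; it is not part of FIND.BAT, ComboFix or the thread. It parses such an export, recovers the executable (or, for rundll32 entries, the DLL) that each entry actually loads at logon, ignores values under subkeys like Run\OptionalComponents that Windows never executes, and flags two things worth a second look: a target with no directory, which is found by a PATH search rather than a fixed location, and a target under a user-writable directory. The sample export is copied from the FIND.BAT output in this thread, with one clearly labelled constructed entry added to exercise the user-writable check; the list of user-writable locations and the name ExampleTempEntry are assumptions of the example.

```python
"""Parse a REGEDIT4-style export of a Windows Run key and recover what each
autostart entry launches.  Added example for this thread; not part of FIND.BAT
or ComboFix.  Assumes REGEDIT4 escaping (backslash doubled, embedded quotes
written as \\") and that only string values are of interest."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
ESCAPE_RE = re.compile(r'\\(.)')          # REGEDIT4 writes \ as \\ and " as \"
# First token ending in an executable extension, then optional arguments.  This is a
# heuristic for unquoted command lines; CreateProcess probes each space-separated
# prefix instead, which is why unquoted paths containing spaces are a hijack risk.
UNQUOTED_RE = re.compile(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$', re.IGNORECASE)
AUTOSTART_KEYS = ('run', 'runonce')       # subkeys such as Run\OptionalComponents do not run
USER_WRITABLE = ('\\temp\\', '\\documents and settings\\')   # assumption: XP user-writable roots

# Sample input: copied from the FIND.BAT output in the thread, plus one constructed
# entry (ExampleTempEntry) that points into the user's Temp folder.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"LXSUPMON"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ExampleTempEntry"="C:\\DOCUME~1\\JOHNDO~1\\LOCALS~1\\Temp\\example.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
'''


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str            # value data after REGEDIT4 unescaping
    image: str              # executable the shell launches
    args: str
    module: Optional[str]   # DLL named on a rundll32 command line, if any
    qualified: bool         # effective target carries a directory (not a PATH search)


def unescape(data: str) -> str:
    """Undo REGEDIT4 escaping by dropping the backslash in front of any character."""
    return ESCAPE_RE.sub(r'\1', data)


def split_command(command: str) -> Tuple[str, str]:
    """Split a Run value into (image, args) the way the shell reads it."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:                       # unterminated quote: whole rest is the image
            return command[1:], ''
        return command[1:end], command[end + 1:].strip()
    match = UNQUOTED_RE.match(command)
    if match:
        return match.group(1), (match.group(2) or '').strip()
    parts = command.split(None, 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (command, '')


def rundll32_module(image: str, args: str) -> Optional[str]:
    """For 'rundll32 <dll>,<entry> ...' return the DLL path, otherwise None."""
    if image.rsplit('\\', 1)[-1].lower() != 'rundll32.exe':
        return None
    return args.split(',', 1)[0].strip().strip('"') or None


def parse_export(text: str) -> List[AutostartEntry]:
    """Return the autostart entries found under Run/RunOnce keys in a REGEDIT4 export."""
    entries: List[AutostartEntry] = []
    key, in_autostart_key = '', False
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            in_autostart_key = key.rsplit('\\', 1)[-1].lower() in AUTOSTART_KEYS
            continue
        value_match = VALUE_RE.match(line) if in_autostart_key else None
        if not value_match:
            continue
        name, data = value_match.groups()
        if not (data.startswith('"') and data.endswith('"')):
            continue                        # dword:/hex: values cannot be command lines
        command = unescape(data[1:-1])
        image, args = split_command(command)
        module = rundll32_module(image, args)
        target = module or image
        qualified = '\\' in target or ':' in target
        entries.append(AutostartEntry(key, unescape(name), command, image, args, module, qualified))
    return entries


def review(entry: AutostartEntry) -> List[str]:
    """Reasons an entry deserves a closer look.  Heuristics, not a verdict."""
    reasons = []
    if not entry.qualified:
        reasons.append('target has no directory; resolved by PATH search at logon')
    for path in (entry.image, entry.module or ''):
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append('target lives in a user-writable location: ' + path)
    return reasons


if __name__ == '__main__':
    for entry in parse_export(SAMPLE_EXPORT):
        flags = review(entry)
        print(f"{entry.name:18} -> {entry.module or entry.image}"
              + (f"  [{'; '.join(flags)}]" if flags else ''))
```

Run it against a saved export and compare the resolved targets with the file list in the ComboFix log; an entry whose target is a bare name, or a DLL loaded through rundll32 from an unexpected directory, is the one to look at first. The unquoted-path splitting is deliberately a heuristic: CreateProcess tries each space-separated prefix of an unquoted path, so an entry like the IntelMeM one above is itself a reason to check that no stray C:\Program.exe exists.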
#11
Everything looks good. How is your system running now?
#12
Great, thanks for your help.
#13
Glad we were able to help.