I have never run it before. It didn't put my clock settings back. Right now my computer is running a lot better, I just can't get the sound to work.
When shown the disclaimer, Select "2"
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
The above procedure will:
- Delete the following:
  - ComboFix and its associated files and folders.
  - VundoFix backups, if present
  - The C:\Deckard folder, if present
  - The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Reset System Restore.
Do this and then see if all looks good. Then come back here, give me the info on the sound problem and we will see if we can try to work that out too.
Judy
Ok, so before you posted this last message I ran combofix again. I think what happened before is that it didn't finish all the way because this time the log popped up at the end and the clock is back to normal. Here is the new log:
ComboFix 08-03-20.5 - Owner 2008-03-23 12:43:52.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.217 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\WINDOWS\BM6fda5c05.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\ecurit~1
C:\WINDOWS\ecurit~1\?ecurity\
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dehvocie.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\fyvswyuo.dll
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\snohpmup.dll
C:\WINDOWS\system32\winpfz32.sys
.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.
2008-03-22 21:02 . 2008-03-22 21:02 <DIR> d-------- C:\Program Files\Safari
2008-03-22 00:11 . 2008-03-22 00:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-03-22 00:11 . 2008-03-22 01:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\COMCASTTOOLBAR
2008-03-18 19:26 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-18 19:22 . 2008-03-18 19:22 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-18 07:33 . 2008-03-18 19:34 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-17 19:32 . 2008-03-17 19:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 19:32 . 2008-03-17 19:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 19:32 . 2008-03-17 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-12 23:04 . 2008-03-12 23:04 <DIR> d-------- C:\fsaua.data
2008-03-08 22:50 . 2008-03-08 22:50 <DIR> d-------- C:\Program Files\MP3 Ringtone Maker
2008-03-08 22:36 . 2008-03-08 22:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nitrogen
2008-03-08 22:19 . 2005-05-13 19:33 4,333,568 --a------ C:\06 Name.mid
2008-02-24 13:32 . 2008-03-21 15:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-24 13:32 . 2008-02-24 13:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-24 13:31 . 2008-02-24 13:31 <DIR> d-------- C:\Program Files\iTunes
2008-02-24 13:31 . 2008-02-24 13:31 <DIR> d-------- C:\Program Files\iPod
2008-02-24 13:28 . 2008-02-24 13:29 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-18 23:26 --------- d-----w C:\Program Files\Java
2008-03-14 02:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-03-13 03:19 --------- d-----w C:\Program Files\Azureus
2008-03-12 21:00 --------- d-----w C:\Program Files\Yahoo!
2008-03-12 20:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 20:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-28 12:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-27 17:34 3,320 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2007-11-06 17:15 6,465 --sha-w C:\WINDOWS\system32\ttutv.bak1
2007-11-08 05:15 454,077 --sha-w C:\WINDOWS\system32\ttutv.bak2
2007-11-08 23:22 460,952 --sha-w C:\WINDOWS\system32\ttutv.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A6F8EE3-FF03-4C12-965E-A4ED9AC75E53}]
C:\WINDOWS\system32\vtutt.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 02:29 68856]
"Aim6"="" []
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-04-06 07:11 1193472]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2007-04-06 07:12 373760]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2007-04-06 07:13 1462784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"WinBoss"="C:\Program Files\bobyte\WinBoss classic\WinBoss.exe" [2006-04-02 21:25 797696]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-06-13 05:20 127036]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 01:11 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 17:40 5367608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-08 19:12 219136]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 02:29 68856]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-05-21 16:52:27 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-05-21 16:52:22 106496]
VPN Client.lnk - C:\WINDOWS\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico [2007-05-06 01:53:27 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcawx]
gebcawx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklijj]
jkklijj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oozcnxbn]
oozcnxbn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbwd32]
winbwd32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\"=
"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"C:\\Program Files\\Microsoft Money 2007\\MNYCoreFiles\\msmoney.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1318dc8-3198-11dc-9838-00059a3c7800}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-23 00:12:32 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-23 05:53:18 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-18 06:00:12 C:\WINDOWS\Tasks\wrSpySweeper_LFFB63034626643A2BE3539C2D1CFB86C.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LFFB63034626643A2BE3539C2D1CFB86C
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 12:48:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-23 12:54:39
ComboFix-quarantined-files.txt 2008-03-23 16:54:34
.
2008-03-20 07:03:29 --- E O F ---
The log is a lot longer than the first one. For the sound, in Sounds and Audio Devices Properties, it says 'No Audio Device'. If I go to device manager, everything looks fine but under Other Devices, Multimedia Audio Devices it has that Yellow Question Mark. When I open it up it says,
The drivers for this device are not installed. (Code 28)
To reinstall the drivers for this device, click Reinstall Driver.
I tried to reinstall but it doesn't work. I tried putting in my Dell Drivers and Utilities CD, and also downloading drivers from the Dell website.
Once again thanks for all your help.
Ok, you still have a few items showing in the combofix log AND in the previous HJT log that you will need to fix.
Run HJT again and place a checkmark next to the following entries if they still remain:
O2 - BHO: (no name) - {1A6F8EE3-FF03-4C12-965E-A4ED9AC75E53} - C:\WINDOWS\system32\vtutt.dll (file missing)
O4 - HKLM\..\Run: [BM6fda5c05] Rundll32.exe "C:\WINDOWS\system32\snohpmup.dll",s
O20 - Winlogon Notify: gebcawx - gebcawx.dll (file missing)
O20 - Winlogon Notify: jkklijj - jkklijj.dll (file missing)
O20 - Winlogon Notify: oozcnxbn - oozcnxbn.dll (file missing)
O20 - Winlogon Notify: winbwd32 - winbwd32.dll (file missing)
Once you have placed the checkmarks then click the Fix Checked button.
Exit HJT.
Reboot the computer and run a new HJT scan, save the log and post back here with that.
Then we will work on the sound problem if this log looks good.
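As an added example (my own code, not from the thread, HijackThis or ComboFix's authors), a Python script that reads a ComboFix log in the layout shown above and cross-checks the "Reg Loading Points" section against the "Other Deletions" list: it flags Run entries that still launch a file ComboFix removed, and Winlogon Notify entries that name a bare DLL, which are the two kinds of leftovers Judy asks to be fixed in HJT. The log text is a constructed excerpt, not the full log posted.

```python
import re
# Constructed excerpt in ComboFix's log layout; it is not the full log posted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM6fda5c05.xml
C:\WINDOWS\system32\snohpmup.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BM6fda5c05"="Rundll32.exe C:\WINDOWS\system32\snohpmup.dll,s" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcawx]
gebcawx.dll
"""

SECTION = re.compile(r"^\(+\s*(.+?)\s*\)+$")                  # (((( Section Name ))))
KEY = re.compile(r"^\[(.+)\]$")                                # [HKEY_...\Run]
VALUE = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[([^\]]*)\]$')    # "name"="data" [date size]
PATH = re.compile(r'[A-Za-z]:\\[^\s,"]+?\.(?:exe|dll|sys|cpl)', re.I)

def split_sections(log):
    # Group the log's lines under the (((( ... )))) banner that precedes them.
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if (m := SECTION.match(line)):
            current = m.group(1)
            sections[current] = []
        elif current and line not in ("", "."):
            sections[current].append(line)
    return sections

def stale_loading_points(log):
    # Return (registry key, entry, reason) for autostart entries left behind after the cleanup.
    sections = split_sections(log)
    deleted = {p.rsplit("\\", 1)[-1].lower()
               for p in sections.get("Other Deletions", []) if re.match(r"^[A-Za-z]:\\", p)}
    findings, key = [], ""
    for line in sections.get("Reg Loading Points", []):
        if (m := KEY.match(line)):
            key = m.group(1)                       # remember which key the following values belong to
        elif (m := VALUE.match(line)):
            name, data, _meta = m.groups()
            if any(p.rsplit("\\", 1)[-1].lower() in deleted for p in PATH.findall(data)):
                findings.append((key, name, "launches a file ComboFix already deleted"))
        elif "winlogon\\notify" in key.lower() and not PATH.search(line):
            findings.append((key, line, "Winlogon Notify DLL listed by bare name only"))
    return findings
```

Entries the script reports still need to be removed with HJT (or regedit); a legitimate Run entry such as ctfmon.exe, whose file ComboFix left in place, is not reported.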
"Other Devices, Multimedia Audio Devices it has that Yellow Question Mark."
Does this show you exactly WHAT this "other device" is...if so...who is the manufacturer and what is it exactly?
I attached the log. After I fixed what you suggested in HijackThis, I tried downloading the drivers from Dell.com again and this time it worked. My sound is back to normal and I have no other devices in device manager. Thank you so much for all your help. Do you have any suggestions on preventing this in the future? I have AVG Free Edition and Webroot Spy Sweeper that run on a regular basis, do I need anything else?
Jim, there are still some fixes needed with the combofix log for sure. Let me get back with you.
Judy
Download VundoFix
To use Vundofix:
- Download the file and then double-click *VundoFix.exe* to run it.
- Put a check next to *Run VundoFix as a task*.
- You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*
- When VundoFix re-opens, click the *Scan for Vundo* button.
- Once it's done scanning, click the *Remove Vundo* button.
- You will receive a prompt asking if you want to remove the files, click *YES*
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click *OK*.
- Turn your computer back on.
It should generate a log also. Please post back here with that log.
I ran VundoFix, and it said there were no infected files. It did not produce a log, at least I couldn't find one, probably because there were no infected files. It didn't restart my computer like it said it would.
Judy, I think this user would be a good candidate for AnalyzerXP (3.8) so if it is OK with you, I would like him to run it and attach its log?
For the final part where it asks 1) for All Executables or 2) All files, I will leave it to you two but if he has a solid idea about when the infection started on his system then it would make entering the date a lot easier and the scanning more effective. I'd also suggest going at least a day or two earlier than the presumed initial infection date, meaning if Jim thinks his system first got the infection on 03-08-2008, he should enter 03-06-2008.