Still looking at logs. Having to share my computer at the moment so don't have as much time online as usual but will get back with you ASAP
Logs showed you installed uTorrent on July 21...may I ask why you are installing file sharing programs while trying to get your computer cleaned?
Actually I didn't. I've had UTorrent on my PC for months, and I haven't reinstalled it at all recently. I'm not sure why it would show that.
Ok.
First of all, download Combofix to the desktop.
When you have the Save as screen configured to save ComboFix.exe to the Desktop, click on the Save button. ComboFix will now start downloading to your computer. If you are on a dialup, this may take a few minutes. When ComboFix has finished downloading you will now see an icon on your desktop similar to the one below. Double-click on the ComboFix icon found on your desktop. You will be asked if you are sure you want to run the program. Click the RUN button. Follow any prompts given and be sure to agree to the disclaimer. Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete. Be aware that ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet, as your connection will be completely restored at a later stage in the program.
ComboFix Icon
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically.
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
When all is complete post back here with the combofix log.
Here you go. Incidentally, I haven't seen ole' Scotty pick up that change again since rebooting after running combofix.exe. Thanks.
Glad ole' Scotty has stopped popping up. Combofix has taken care of "some" items but there are several others I have referred to somebody much smarter than I am on this...PhilliePhan. He noted you have an infected pen drive, as registry entries show as much in both Deckard's and Combofix. I have PM'd him on this and also on how to proceed with the remaining items which have not been removed by either mbam or combofix.
Either he or I will post later after conferring on these and let you know how to proceed.
Judy
Download Killbox. This is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.
Usage Information:
Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so.
These are the files you want it to search for and delete;
C:\WINDOWS\system32\rzozhe.dll
C:\WINDOWS\system32\jdkiucpa.dll
C:\WINDOWS\system32\jdvwwnef.dll
When the computer reboots I want you to do the following;
Open Notepad and copy/paste the text in the below quote box into it:
KILLALL::
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM2c819698"=-
- Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
- At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
- You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
- Now use your mouse to drag CFscript.txt on top of ComboFix.exe
- Follow the prompts.
- When it finishes, a log will be produced named c:\combofix.txt
Do you have any idea what these listed below refer to?
We have no clue at all what these are:
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALCXWDex]
"ImagePath"="system32\drivers\ALCXWDex.sys"
--
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\null2k]
"ImagePath"="system32\drivers\null2k.sys"
--
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\p3nt]
"ImagePath"="system32\drivers\p3nt.sys"
As far as the infected pen drive;
PP said the following;
If he is able to track down the infected drive, he could try http://download.bleepingcomputer.com...isinfector.exe
Or, even scanning with his AV?
Last edited by PhilliePhan; 07-23-2008 at 04:22 PM.
Just so you know, I will be away for the weekend beginning Thurs. morning. Will return Sunday night, won't have computer access until I return.
Judy
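The three Services keys quoted above are the kind of thing a helper would want checked before deciding whether they are legitimate drivers or leftovers. The script below is an added example, not part of the thread or of any tool it mentions: it reads each service's ImagePath from the registry, resolves the driver file under the Windows directory, and reports whether the file exists and whether it carries a valid Authenticode signature. It assumes PowerShell 2.0 or later is available on the machine; the service names are the ones quoted in the post, and CurrentControlSet is used in place of ControlSet001 because it points at the control set the running system actually uses.

```powershell
# Added example (not from the thread): verify the driver services named in the post.
# Assumes PowerShell 2.0+; CurrentControlSet stands in for the ControlSet001 keys quoted.
$serviceNames = @('ALCXWDex', 'null2k', 'p3nt')   # names taken from the post

function Test-DriverService {
    param([string]$Name)
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $keyPath)) {
        # No such service key at all: nothing to verify, report it plainly
        return [pscustomobject]@{ Service = $Name; ImagePath = $null; Exists = $false; Signed = 'n/a'; Publisher = $null }
    }
    $imagePath = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).ImagePath
    # Driver ImagePath values are usually relative to the Windows directory
    # (e.g. system32\drivers\foo.sys); some are prefixed with \SystemRoot\ or \??\
    $resolved = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if ($resolved -and -not [System.IO.Path]::IsPathRooted($resolved)) {
        $resolved = Join-Path $env:SystemRoot $resolved
    }
    $exists = $resolved -and (Test-Path -LiteralPath $resolved)
    $signed = 'n/a'; $publisher = $null
    if ($exists) {
        # Status is Valid for a properly signed file, NotSigned for an unsigned one
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        $signed = $sig.Status
        if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Service   = $Name
        ImagePath = $resolved
        Exists    = [bool]$exists
        Signed    = $signed
        Publisher = $publisher
    }
}

$serviceNames | ForEach-Object { Test-DriverService -Name $_ } | Format-Table -AutoSize
```

A service key whose ImagePath points at a file that no longer exists (as the poster later found for one of the three) is a dangling entry; a file that exists but reports NotSigned or has a publisher that does not match the hardware it claims to support is the case worth looking at more closely before trusting it.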
Okay, I downloaded Killbox.exe, and it couldn't locate any of these files:
C:\WINDOWS\system32\rzozhe.dll
C:\WINDOWS\system32\jdkiucpa.dll
C:\WINDOWS\system32\jdvwwnef.dll
As for these:
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALCXWDex]
"ImagePath"="system32\drivers\ALCXWDex.sys"
--
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\null2k]
"ImagePath"="system32\drivers\null2k.sys"
--
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\p3nt]
"ImagePath"="system32\drivers\p3nt.sys"
the first, and the last one are trusted. I couldn't find the middle one.
I ran combofix with the script requested, and I'm including the log. I didn't know what you meant by pen drive, so I held off on that for a bit. I'm not in any hurry. The PC seems to be working fine, so whenever you have the time that will be fine. I appreciate all the help so far.
Pen drive is essentially the same as a flash memory stick, or some call it a flash drive. It works similarly to a floppy drive: it plugs into the USB port and transfers data from one computer, generally, to another.
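Since the thread's evidence for an infected pen drive is a MountPoints2 entry (the GUID removed by the CFScript above), the following added example shows how a user could tie such entries back to a physical removable drive and check it for an autorun.inf. It is not part of the thread or of any tool mentioned in it, and it assumes PowerShell 2.0 or later: it lists the removable volumes currently attached, reports whether each has an autorun.inf in its root and which command that file would launch, and then lists the volume GUIDs that Explorer has recorded under the current user's MountPoints2 key.

```powershell
# Added example (not from the thread): inspect attached removable drives for autorun.inf
# and list the MountPoints2 GUIDs recorded for the current user. Assumes PowerShell 2.0+.
function Get-RemovableDriveReport {
    # DriveType 2 = removable disk (USB sticks, card readers)
    $removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($disk in $removable) {
        $root = $disk.DeviceID + '\'
        $autorun = Join-Path $root 'autorun.inf'
        # Test-Path finds the file even when it is marked hidden/system
        $hasAutorun = Test-Path -LiteralPath $autorun
        $launchLines = $null
        if ($hasAutorun) {
            # autorun.inf is plain INI text; open= and shellexecute= name what would be run
            $launchLines = (Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
        }
        [pscustomobject]@{
            Drive       = $disk.DeviceID
            Label       = $disk.VolumeName
            HasAutorun  = $hasAutorun
            AutorunLine = $launchLines
        }
    }
}

function Get-MountPoints2Entries {
    # Explorer records one {GUID} subkey per volume it has mounted for this user
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (Test-Path $key) {
        Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName } | Where-Object { $_ -like '{*}' }
    }
}

Get-RemovableDriveReport | Format-Table -AutoSize
"MountPoints2 volume GUIDs recorded for this user:"
Get-MountPoints2Entries
```

Plug in one drive at a time and re-run the script; the GUID that appears in MountPoints2 only while a given stick is attached is the one that belongs to it. A removable drive whose root carries an autorun.inf pointing at an executable on the same drive is the pattern the helpers in this thread are worried about, and it is the drive to scan with the antivirus (or the disinfector PhilliePhan linked) before it is used on another machine.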