[Resolved] Hjt Fails To Remove Ddccy.dll And Xxyvvwt.dll
David Cooke
post Sep 5 2007, 12:05 AM
Post #1


Authentic Member

Group: Authentic Member
Posts: 40
Joined: 4-September 07
Member No.: 72,645
Operating System: Windows XP



I acquired the following two BHOs tonight, along with a text file in C:\ that I can't get rid of. All 3 files are open by something so they cannot be removed. I tried using HJT to remove them at system startup, and that failed. I also tried removing them in safe mode; that didn't work either. Even with very few programs running they were still pinned.

C:\WINNT\system32\ddccy.dll
C:\WINNT\system32\xxyvvwt.dll
C:\check_LSA7.txt

xxyvvwt.dll is also listed as

O20 - AppInit_DLLs:
O20 - Winlogon Notify: xxyvvwt - C:\WINNT\SYSTEM32\xxyvvwt.dll

===================================================================

Logfile of HijackThis v1.99.1
Scan saved at 12:58:34 AM, on 9/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\wdfmgr.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
O2 - BHO: (no name) - {107980AA-1BBE-4829-9A82-CA093DA10948} - C:\WINNT\System32\ddccy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINNT\system32\xxyvvwt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.historytoday.com/CFIDE/classes/CFJava.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned32.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BB5C5554-2B89-4D18-9938-D7EFEDDB2346} (ebcardatl Class) - http://fast.ebrary.com/support/plugins/ebraryReader.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{99E6B54F-A471-4A09-86E3-4A27E7E97B54}: NameServer = 85.255.113.94,85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{A494F535-DC10-41E6-9BB0-0ACDAB3E4FC6}: NameServer = 85.255.113.94,85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCA91F0D-F79A-415D-8E9C-29301AF7F045}: NameServer = 85.255.113.94,85.255.112.225
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O20 - AppInit_DLLs:
O20 - Winlogon Notify: xxyvvwt - C:\WINNT\SYSTEM32\xxyvvwt.dll
O23 - Service: COM+ System Application COMSysAppSamSs (COMSysAppSamSs) - Unknown owner - C:\WINNT\System32\6to4svcx.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Access Connection Manager RasManaspnet_state (RasManaspnet_state) - Unknown owner - C:\WINNT\System32\accwizt.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Helper SCardDrvNtmsSvc (SCardDrvNtmsSvc) - Unknown owner - C:\WINNT\System32\a3db.exe
O23 - Service: Smart Card Helper SCardDrvSCardDrv (SCardDrvSCardDrv) - Unknown owner - C:\WINNT\System32\adsldpx.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccesshelpsvc (SharedAccesshelpsvc) - Unknown owner - C:\WINNT\System32\3076d.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

IndiGenus
post Sep 5 2007, 06:45 AM
Post #2


Anti-Malware Buddha

Group: Malware Expert
Posts: 5,143
Joined: 22-July 04
From: New England, USA
Member No.: 10,811
Operating System: Windows XP Pro SP3 ~ Vista Ultimate SP2 ~ Windows 7 RC



Hi David and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • NOTE: Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.


Yes, you have a Vundo infection and a Wareout infection to go with it. HJT will not remove those on its own. So you didn't do anything wrong, they just require special tools, then we can clean up with HJT.

You said you just acquired them. Do you know what you were doing when you got them?

Well, let's get on with the fix.

STEP 1:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click Yes
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.


STEP 2:

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{99E6B54F-A471-4A09-86E3-4A27E7E97B54}: NameServer = 85.255.113.94,85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{A494F535-DC10-41E6-9BB0-0ACDAB3E4FC6}: NameServer = 85.255.113.94,85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCA91F0D-F79A-415D-8E9C-29301AF7F045}: NameServer = 85.255.113.94,85.255.112.225
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225

Then close all windows except this one and press Fix checked.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.

Now let's check some settings on your system.
(2000/XP only)
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter, type exit and hit Enter.
(That space between g and / is needed.)


So, to wrap up, I need the Vundo log, Wareout log, and a new HJT log. Also let me know if you have any issues.

David Cooke
post Sep 5 2007, 08:13 AM
Post #3





OK, step 1 done, here's the log:


VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 9:05:03 AM 9/5/2007

Listing files found while scanning....

C:\WINNT\system32\xxyvvwt.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\xxyvvwt.dll
C:\WINNT\system32\xxyvvwt.dll Has been deleted!

Performing Repairs to the registry.
Done!


After reboot I checked in WINNT\system32 to make sure, and xxyvvwt.dll is gone.

This post has been edited by David Cooke: Sep 5 2007, 08:14 AM
David Cooke
post Sep 5 2007, 08:27 AM
Post #4





OK, here is the Fixwareout log:

Username "Owner" - 09/05/2007 9:16:43 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdupr.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{99E6B54F-A471-4A09-86E3-4A27E7E97B54}
"DhcpNameServer"="85.255.113.94,85.255.112.225" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A494F535-DC10-41E6-9BB0-0ACDAB3E4FC6}
"DhcpNameServer"="85.255.113.94,85.255.112.225" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F7620BA6-A117-46D3-BCC8-D6118DBF5947}
"DhcpNameServer"="85.255.116.61,85.255.112.218" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "3mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}12B816705866-4BC8-ECE4-99C3-AC94D67A{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}5FE888DF79DC-5E0B-7A94-7A45-D9309161{" Deleted
C:\WINNT\System32\ozbxi.exe Deleted
....
~~~~~ Misc files.
C:\Documents and Settings\Owner\Application Data\Install.dat Deleted
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINNT\Temp\kdupr.ren 66455 08/29/2002

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\System32\\NvCpl.dll,NvStartup"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"PROMon.exe"="PROMon.exe"
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINNT\\UpdReg.EXE"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"2wSysTray"="C:\\Program Files\\2Wire\\2PortalMon.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"iamapp"="C:\\Program Files\\Norton Internet Security\\IAMAPP.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"Uniblue SpyEraser"="\"C:\\Program Files\\Uniblue\\SpyEraser\\SpyEraser.exe\" -m"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


C:\WINNT\system32\ddccy.dll and C:\check_LSA7.txt are still pinned.
David Cooke
post Sep 5 2007, 08:29 AM
Post #5





Here is the new HJT log file:

============================================================

Logfile of HijackThis v1.99.1
Scan saved at 9:26:21 AM, on 9/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\rhqfudxa.exe
C:\WINNT\System32\jdkwxdsb.exe
C:\HJT\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D7FD78E5-E670-496A-9426-AF532DB56012} - C:\WINNT\System32\ddccy.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.historytoday.com/CFIDE/classes/CFJava.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned32.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BB5C5554-2B89-4D18-9938-D7EFEDDB2346} (ebcardatl Class) - http://fast.ebrary.com/support/plugins/ebraryReader.exe
O20 - AppInit_DLLs:
O23 - Service: COM+ System Application COMSysAppSamSs (COMSysAppSamSs) - Unknown owner - C:\WINNT\System32\6to4svcx.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: DomainService - - C:\WINNT\System32\rhqfudxa.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Access Connection Manager RasManaspnet_state (RasManaspnet_state) - Unknown owner - C:\WINNT\System32\accwizt.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Helper SCardDrvNtmsSvc (SCardDrvNtmsSvc) - Unknown owner - C:\WINNT\System32\a3db.exe
O23 - Service: Smart Card Helper SCardDrvSCardDrv (SCardDrvSCardDrv) - Unknown owner - C:\WINNT\System32\adsldpx.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccesshelpsvc (SharedAccesshelpsvc) - Unknown owner - C:\WINNT\System32\3076d.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

IndiGenus
post Sep 5 2007, 08:33 AM
Post #6





Download and Run ComboFix
  • Download this file from below:
    Here
  • Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
  • Then double click Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
David Cooke
post Sep 5 2007, 08:45 AM
Post #7





ALERT

While I was checking the IP settings (turned out I didn't need to change anything) I got an alert from Spyblocker that a program added itself to the startup. I ran a new HJT, the result is below.

Note the new line:

O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINNT\System32\bxeiwpbl.dll

I wasn't browsing anything, or doing anything else.

One thing of note: after I first boot the system and open a folder, the contents of the folder flash and redraw; I think that is when something loads itself into IE.

Also, this new program is running as SYSTEM and I can't kill it:

C:\WINNT\System32\rhqfudxa.exe

There are new files in WINNT\system32 that I can't delete: rhqfudxa.exe and chniiupc.dll. I suspect that ddccy.dll is reinfecting me.

================================================================================

Logfile of HijackThis v1.99.1
Scan saved at 9:37:32 AM, on 9/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\rhqfudxa.exe
C:\HJT\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINNT\System32\bxeiwpbl.dll
O2 - BHO: (no name) - {D7FD78E5-E670-496A-9426-AF532DB56012} - C:\WINNT\System32\ddccy.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.historytoday.com/CFIDE/classes/CFJava.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned32.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BB5C5554-2B89-4D18-9938-D7EFEDDB2346} (ebcardatl Class) - http://fast.ebrary.com/support/plugins/ebraryReader.exe
O20 - AppInit_DLLs:
O23 - Service: COM+ System Application COMSysAppSamSs (COMSysAppSamSs) - Unknown owner - C:\WINNT\System32\6to4svcx.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: DomainService - - C:\WINNT\System32\rhqfudxa.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Access Connection Manager RasManaspnet_state (RasManaspnet_state) - Unknown owner - C:\WINNT\System32\accwizt.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Helper SCardDrvNtmsSvc (SCardDrvNtmsSvc) - Unknown owner - C:\WINNT\System32\a3db.exe
O23 - Service: Smart Card Helper SCardDrvSCardDrv (SCardDrvSCardDrv) - Unknown owner - C:\WINNT\System32\adsldpx.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccesshelpsvc (SharedAccesshelpsvc) - Unknown owner - C:\WINNT\System32\3076d.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

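A triage pass over the HijackThis entry types this thread revolves around (static O17 NameServer values, unnamed O2 BHOs in system32, O20 Winlogon Notify, O23 services with no known owner), plus a diff of two scans like the "new line" comparison in the post above. This is an added example, not part of any post and not a HijackThis feature; the heuristics and function names are assumptions, and the sample lines are a constructed subset of the logs posted in this thread.

```python
import ipaddress
import re

# Constructed samples: a subset of lines copied from the first HijackThis log
# in this thread and from the later scan taken after a new BHO appeared.
LOG_FIRST = r"""
O2 - BHO: (no name) - {107980AA-1BBE-4829-9A82-CA093DA10948} - C:\WINNT\System32\ddccy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINNT\system32\xxyvvwt.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O20 - AppInit_DLLs:
O20 - Winlogon Notify: xxyvvwt - C:\WINNT\SYSTEM32\xxyvvwt.dll
O23 - Service: Smart Card Helper SCardDrvNtmsSvc (SCardDrvNtmsSvc) - Unknown owner - C:\WINNT\System32\a3db.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""
LOG_LATER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINNT\System32\bxeiwpbl.dll
O2 - BHO: (no name) - {D7FD78E5-E670-496A-9426-AF532DB56012} - C:\WINNT\System32\ddccy.dll
O20 - AppInit_DLLs:
O23 - Service: DomainService - - C:\WINNT\System32\rhqfudxa.exe
O23 - Service: Smart Card Helper SCardDrvNtmsSvc (SCardDrvNtmsSvc) - Unknown owner - C:\WINNT\System32\a3db.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
BHO_RE = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")


def parse_entries(log_text):
    """Return (code, body) for every 'O2 - ...' style line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def public_nameservers(body):
    """Addresses in an O17 'NameServer =' value that are outside private ranges."""
    _, _, value = body.partition("NameServer =")
    found = []
    for tok in re.split(r"[,\s]+", value.strip()):
        try:
            if tok and not ipaddress.ip_address(tok).is_private:
                found.append(tok)
        except ValueError:
            continue  # not an IP literal; ignore
    return found


def triage(entries):
    """Flag entries worth a manual look. Heuristics are this example's assumptions."""
    findings = []
    for code, body in entries:
        low = body.lower()
        if code == "O2" and "(no name)" in low and "\\system32\\" in low:
            findings.append((code, "unnamed BHO loaded from system32", body))
        elif code == "O17":
            servers = public_nameservers(body)
            if servers:
                findings.append((code, "static DNS set to " + ", ".join(servers), body))
        elif code == "O20" and low.startswith("winlogon notify:"):
            findings.append((code, "Winlogon Notify DLL (loads inside winlogon.exe)", body))
        elif code == "O23" and ("unknown owner" in low or " - - " in body):
            findings.append((code, "service binary without a known owner", body))
    return findings


def new_entries(before, after):
    """Entries present in the later scan but not in the earlier one, in log order."""
    seen = set(before)
    return [e for e in after if e not in seen]


def bho_map(entries):
    """Map lower-cased DLL path -> CLSID for every O2 entry."""
    out = {}
    for code, body in entries:
        m = BHO_RE.match(body) if code == "O2" else None
        if m:
            out[m.group(2).lower()] = m.group(1).upper()
    return out


def reregistered_bhos(before, after):
    """DLL paths that appear in both scans but under a different CLSID."""
    old, new = bho_map(before), bho_map(after)
    return sorted(p for p in new if p in old and old[p] != new[p])


if __name__ == "__main__":
    first, later = parse_entries(LOG_FIRST), parse_entries(LOG_LATER)
    for code, reason, body in triage(first):
        print(f"[{code}] {reason}: {body}")
    for code, body in new_entries(first, later):
        print(f"NEW {code} - {body}")
    print("Re-registered BHO DLLs:", reregistered_bhos(first, later))
```

On these sample lines the diff reports three new entries, and `reregistered_bhos` shows ddccy.dll listed under a different CLSID in the later scan than in the first one.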
IndiGenus
post Sep 5 2007, 09:06 AM
Post #8





Yes, this infection can be nasty to remove at times.

Did you run Combofix as I had instructed? If so post the log please.


David Cooke
post Sep 5 2007, 09:32 AM
Post #9





OK, I just finished combofix. It got rid of rhqfudxa.exe and chniiupc.dll, but I'm still stuck with ddccy.dll.


Please note in the following log that the file:

2007-08-11 03:06 61,111 -r-hs---- C:\WINNT\system32\6to4svcx.exe

DOESN'T EXIST on my system. I have caught this process running when I have brought up the task manager early in the logon process, while the desktop is still initializing and such. I was curious what it was, so I scanned the system for it, and it doesn't exist. There is a dll with a similar name, 6to4scv.dll, but it has a rather old creation and last updated date, so I think it's probably legit?


combofix log:

========================================================================
ComboFix 07-09-05.5 - "Owner" 2007-09-05 10:07:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.709 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\IA
C:\WINNT\system32\config\system~1\applic~1\install.dat
C:\WINNT\system32\regscan.exe
C:\WINNT\system32\rhqfudxa.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_MSDIRECT
-------\LEGACY_NETWORK_MONITOR
-------\DomainService
-------\msdirect
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-09-05 10:05 51,200 --a------ C:\WINNT\NirCmd.exe
2007-09-05 09:47 <DIR> d-------- C:\BRIDAL
2007-09-05 09:30 125,504 --a------ C:\WINNT\system32\chniiupc.dll
2007-09-05 09:22 1,980,629 ---hs---- C:\WINNT\system32\yccdd.bak2
2007-09-05 09:05 <DIR> d-------- C:\VundoFix Backups
2007-09-05 00:54 <DIR> d-------- C:\HJT
2007-09-04 23:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-09-04 23:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterVideo
2007-09-04 23:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-09-04 22:41 <DIR> d-------- C:\WINNT\system32\carp**
2007-09-04 21:22 6,448 ---hs---- C:\WINNT\system32\yccdd.bak1
2007-09-04 21:21 244,832 --a------ C:\WINNT\system32\ddccy.dll
2007-09-04 21:11 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-20 17:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-17 09:48 <DIR> d--h----- C:\WINNT\PIF
2007-08-17 00:34 <DIR> d-------- C:\Program Files\Security Task Manager
2007-08-17 00:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-08-14 11:09 21,760 --a------ C:\WINNT\system32\dllcache\usbstor.sys
2007-08-14 10:27 <DIR> d-------- C:\music library
2007-08-13 23:32 <DIR> d-------- C:\Program Files\Real
2007-08-13 23:27 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Real
2007-08-13 23:13 <DIR> d-------- C:\Program Files\Best Buy Rhapsody
2007-08-13 22:56 10,368 --a------ C:\WINNT\system32\iviaspi.sys
2007-08-13 22:56 10,368 --a------ C:\WINNT\system32\drivers\_iviaspi.sys
2007-08-13 22:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-08-13 22:55 <DIR> d-------- C:\Program Files\Sandisk
2007-08-11 03:06 61,111 -r-hs---- C:\WINNT\system32\6to4svcx.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-05 10:14 --------- d-------- C:\Program Files\Norton Internet Security
2007-09-05 10:14 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-17 03:15 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-08-16 20:54 --------- d-------- C:\Program Files\Symantec
2007-08-14 08:57 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 22:56 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-13 22:32 --------- d-------- C:\Program Files\Norton AntiVirus
2007-08-13 22:32 --------- d-------- C:\Program Files\2Wire
2007-08-03 01:11 59985 -r-hs---- C:\WINNT\system32\adsldpx.exe
2007-07-22 11:32 59985 -r-hs---- C:\WINNT\system32\3076d.exe
2007-07-12 06:02 59985 -r-hs---- C:\WINNT\system32\accwizt.exe
2007-07-11 06:06 59985 -r-hs---- C:\WINNT\system32\2052b.exe
2007-07-05 00:42 59636 -r-hs---- C:\WINNT\system32\a3db.exe
2007-07-05 00:42 11776 --ahs---- C:\WINNT\system32\acluiv.dll
2007-06-28 16:46 1633 --a------ C:\DOCUME~1\Owner\APPLIC~1\29209.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ACF6AC9-9994-4CE4-8014-E8654979D5AA}]
2007-09-04 21:21 244832 --a------ C:\WINNT\System32\ddccy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2004-03-03 11:29]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 C:\WINNT\system32\PROMon.exe]
"CTHelper"="CTHELPER.EXE" [2002-07-02 17:56 C:\WINNT\system32\cthelper.exe]
"UpdReg"="C:\WINNT\UpdReg.EXE" []
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2006-11-18 14:19]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-11-18 14:19]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2006-11-18 14:19]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 C:\WINNT\system32\SK9910DM.EXE]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2006-11-18 14:19]
"iamapp"="C:\Program Files\Norton Internet Security\IAMAPP.EXE" [2006-11-18 14:19]
"NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [2004-03-03 11:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" [2002-08-29 05:41]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-07-24 13:21]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DriverLoad"=
"DriverCheck"=
"SystemDriverLoad"=
"SystemDriver"=
"FDriver"=
"ADriver"=
"CDriver"=
"DDriver"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINNT\\System32\\ddccy

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CDriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCheck]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverLoad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FDriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriverLoad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvcAudioSrv"=2 (0x2)
"mnmsrvc"=3 (0x3)

R1 cdudf_xp;cdudf_xp;C:\WINNT\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINNT\System32\drivers\pwd_2k.sys
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0;C:\WINNT\System32\DRIVERS\Sk9920nt.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINNT\System32\drivers\UdfReadr_xp.sys
R2 NISSERV;Norton Internet Security Service;C:\Program Files\Norton Internet Security\NISSERV.EXE
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe
R2 RioPNP;RioPNP;C:\WINNT\System32\drivers\RioPNP.sys
R3 GTWModem;GTW V.92 Voicemodem;C:\WINNT\System32\DRIVERS\GWMDM.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\System32\drivers\NMSCFG.SYS
R3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000;C:\WINNT\System32\DRIVERS\Sk99202k.sys
S2 COMSysAppSamSs;COM+ System Application COMSysAppSamSs;C:\WINNT\System32\6to4svcx.exe srv
S2 dnlsvc;MS Software Shadow Download Provider;"C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe"
S2 RasManaspnet_state;Remote Access Connection Manager RasManaspnet_state;C:\WINNT\System32\accwizt.exe srv
S2 SCardDrvNtmsSvc;Smart Card Helper SCardDrvNtmsSvc;C:\WINNT\System32\a3db.exe srv
S2 SCardDrvSCardDrv;Smart Card Helper SCardDrvSCardDrv;C:\WINNT\System32\adsldpx.exe srv
S2 SharedAccesshelpsvc;Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccesshelpsvc;C:\WINNT\System32\3076d.exe srv
S3 2WIREPCP;2Wire USB;C:\WINNT\System32\DRIVERS\2WirePCP.sys
S3 BCMModem;BCM V.90 56K Modem;C:\WINNT\System32\DRIVERS\BCMDM.sys
S3 dvd_2K;dvd_2K;C:\WINNT\System32\drivers\dvd_2K.sys
S3 mmc_2K;mmc_2K;C:\WINNT\System32\drivers\mmc_2K.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S4 mnmsrvcAudioSrv;NetMeeting Remote Desktop Sharing mnmsrvcAudioSrv;C:\WINNT\System32\2052b.exe srv

*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI

Contents of the 'Scheduled Tasks' folder
"2007-09-05 03:45:23 C:\WINNT\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 10:14:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-05 10:17:53 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-05 10:17

--- E O F ---
David Cooke
post Sep 5 2007, 09:33 AM
Post #10





New HJT log:

=======================================================================

Logfile of HijackThis v1.99.1
Scan saved at 10:31:03 AM, on 9/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\scanner.exe
c:\program files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
O2 - BHO: (no name) - {9ACF6AC9-9994-4CE4-8014-E8654979D5AA} - C:\WINNT\System32\ddccy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.historytoday.com/CFIDE/classes/CFJava.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned32.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BB5C5554-2B89-4D18-9938-D7EFEDDB2346} (ebcardatl Class) - http://fast.ebrary.com/support/plugins/ebraryReader.exe
O20 - AppInit_DLLs:
O23 - Service: COM+ System Application COMSysAppSamSs (COMSysAppSamSs) - Unknown owner - C:\WINNT\System32\6to4svcx.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Access Connection Manager RasManaspnet_state (RasManaspnet_state) - Unknown owner - C:\WINNT\System32\accwizt.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Helper SCardDrvNtmsSvc (SCardDrvNtmsSvc) - Unknown owner - C:\WINNT\System32\a3db.exe
O23 - Service: Smart Card Helper SCardDrvSCardDrv (SCardDrvSCardDrv) - Unknown owner - C:\WINNT\System32\adsldpx.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccesshelpsvc (SharedAccesshelpsvc) - Unknown owner - C:\WINNT\System32\3076d.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

IndiGenus
post Sep 5 2007, 10:02 AM
Post #11


Anti-Malware Buddha

Group: Malware Expert
Posts: 5,143
Joined: 22-July 04
From: New England, USA
Member No.: 10,811
Operating System: Windows XP Pro SP3 ~ Vista Ultimate SP2 ~ Windows 7 RC



Hi David,

Give me a little time on this here. You have some "stuff" I have not seen or dealt with before and would like to have an expert/teacher here look in on this and make sure we're going in the right direction from here. You are still very much infected.

Thanks
IndiGenus
post Sep 5 2007, 11:14 AM
Post #12





Hi David,

Let's try the Vundofix tool again and add some files this time. Please first disable Spy Eraser real time protection. Make sure none of the real time guards are running. You can make sure of this by right-clicking on the icon down in the system tray and selecting Exit SpyEraser. Then confirm by clicking Yes.
  • Double-click VundoFix.exe to run it.
  • Right click in the open Window and select Add more files?
  • Add the following files below by copy and pasting each one in, then click the Add File(s) button.
  • Then click Close Window.

C:\WINNT\system32\chniiupc.dll
C:\WINNT\system32\yccdd.bak2
C:\WINNT\system32\yccdd.bak1
C:\WINNT\system32\ddccy.dll
C:\WINNT\system32\carp**
C:\WINNT\system32\6to4svcx.exe
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click Yes
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.



David Cooke
post Sep 5 2007, 11:28 AM
Post #13





OK, I added the files, vundofix searched and found no files, and since none were infected it didn't do anything or reboot my computer. I tried it twice. I don't know what ddccy.dll or 6to4svcx.exe are, but I suspect that if we can get rid of them then the rest will get easier. 6to4svcx.exe I would guess is created by another program and then executed at startup, and then deletes itself, while the master program lies in the weeds. I've seen the 6to4svcx.exe before on my system, so it's not the same problem as the dll.

vundo log:

========================================================


VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 9:05:03 AM 9/5/2007

Listing files found while scanning....

C:\WINNT\system32\xxyvvwt.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\xxyvvwt.dll
C:\WINNT\system32\xxyvvwt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 12:18:56 PM 9/5/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 12:20:46 PM 9/5/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...



HJT log:
==========================================================
Logfile of HijackThis v1.99.1
Scan saved at 12:21:30 PM, on 9/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\System32\PROMon.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
O2 - BHO: (no name) - {9ACF6AC9-9994-4CE4-8014-E8654979D5AA} - C:\WINNT\System32\ddccy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.historytoday.com/CFIDE/classes/CFJava.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned32.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BB5C5554-2B89-4D18-9938-D7EFEDDB2346} (ebcardatl Class) - http://fast.ebrary.com/support/plugins/ebraryReader.exe
O20 - AppInit_DLLs:
O23 - Service: COM+ System Application COMSysAppSamSs (COMSysAppSamSs) - Unknown owner - C:\WINNT\System32\6to4svcx.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Access Connection Manager RasManaspnet_state (RasManaspnet_state) - Unknown owner - C:\WINNT\System32\accwizt.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Helper SCardDrvNtmsSvc (SCardDrvNtmsSvc) - Unknown owner - C:\WINNT\System32\a3db.exe
O23 - Service: Smart Card Helper SCardDrvSCardDrv (SCardDrvSCardDrv) - Unknown owner - C:\WINNT\System32\adsldpx.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccesshelpsvc (SharedAccesshelpsvc) - Unknown owner - C:\WINNT\System32\3076d.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

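Added example (not part of any post in this thread, and not code from HijackThis or ComboFix): a triage pass over the O23 service lines and the ComboFix file listing posted above. It flags services reported as "Unknown owner" whose binary is missing, runs from a Temp directory, or carries the hidden and system attributes; the function names, the attribute-column reading (inferred from the log lines) and the flagging rule are assumptions.

```python
import re
from ntpath import normcase  # Windows path rules, so this runs on any host OS

# Lines copied from the HijackThis and ComboFix logs posted in this thread.
HJT_LINES = r"""
O23 - Service: COM+ System Application COMSysAppSamSs (COMSysAppSamSs) - Unknown owner - C:\WINNT\System32\6to4svcx.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Smart Card Helper SCardDrvNtmsSvc (SCardDrvNtmsSvc) - Unknown owner - C:\WINNT\System32\a3db.exe
""".strip().splitlines()

COMBOFIX_LINES = r"""
2007-09-05 10:05 51,200 --a------ C:\WINNT\NirCmd.exe
2007-09-04 21:21 244,832 --a------ C:\WINNT\system32\ddccy.dll
2007-08-11 03:06 61,111 -r-hs---- C:\WINNT\system32\6to4svcx.exe
2007-07-05 00:42 59636 -r-hs---- C:\WINNT\system32\a3db.exe
2007-09-05 09:05 <DIR> d-------- C:\VundoFix Backups
""".strip().splitlines()

# "O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# "<date> <time> <size|<DIR>|dashes> <9 attribute columns> <path>"
CF_FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d (?:[\d,]+|<DIR>|-+) "
    r"(?P<attrs>[-drahs]{9}) (?P<path>.+)$"
)


def parse_services(lines):
    """Return one dict per HijackThis O23 line; other lines are ignored."""
    services = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if m:
            services.append({"name": m["name"], "owner": m["owner"],
                             "path": m["path"],
                             "missing": m["missing"] is not None})
    return services


def parse_file_attrs(lines):
    """Map case-normalised path -> ComboFix attribute string ('-r-hs----')."""
    attrs = {}
    for line in lines:
        m = CF_FILE_RE.match(line.strip())
        if m:
            attrs[normcase(m["path"])] = m["attrs"]
    return attrs


def triage(hjt_lines, combofix_lines):
    """Flag 'Unknown owner' services with at least one corroborating sign."""
    attrs = parse_file_attrs(combofix_lines)
    hits = []
    for svc in parse_services(hjt_lines):
        if svc["owner"].lower() != "unknown owner":
            continue
        key = normcase(svc["path"])  # the two tools differ in path casing
        reasons = []
        if svc["missing"]:
            reasons.append("file missing")
        if "\\temp\\" in key:
            reasons.append("runs from a Temp directory")
        flags = attrs.get(key, "")
        # Assumed column order, read off the log lines: d r a h s ....
        if "h" in flags and "s" in flags:
            reasons.append("hidden+system file on disk")
        if reasons:
            hits.append({"name": svc["name"], "path": svc["path"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(HJT_LINES, COMBOFIX_LINES):
        print(f'{hit["name"]:<18} {hit["path"]}  <- {", ".join(hit["reasons"])}')
```

Files carrying the hidden and system attributes are left out of a default Explorer view or plain `dir` listing, so an on-disk search should include them before a running binary is treated as absent.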
David Cooke
post Sep 5 2007, 11:43 AM
Post #14





This thread reports a fix for ddccy.dll:

http://www.geekstogo.com/forum/ddccy-dll-a...ink-t90254.html

IndiGenus
post Sep 5 2007, 11:59 AM
Post #15





1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

QUOTE
File::
C:\WINNT\system32\chniiupc.dll
C:\WINNT\system32\yccdd.bak2
C:\WINNT\system32\yccdd.bak1
C:\WINNT\system32\ddccy.dll
C:\WINNT\system32\6to4svcx.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

