I've had to spend the majority of the day roto-rooting this machine. After a 3-hour virus scan courtesy of Symantec that found a number of trojans and other viruses, the machine seems a lot better but is hanging up severely on startup and I get a message of a corrupt DLL:
snwnbz60.dll
Can't find information on this file anywhere. Searching through the registry for this dll brings up these other files:
wgmqb96.sys
jenqib28.sys
ivhbip99.sys
ipdname.sys
idgen.sys
snwnbz60.sys
Haven't been able to find much info on any of these either. I've tried deleting the registry keys associated with some of them as well as purging them through HijackThis, but they re-appear on reboot. NAV isn't catching them as viruses but they're obviously causing some kind of problem, imo.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:43 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu78\toolbaru.dll (file missing)
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\obcts.dll
O4 - HKLM\..\RunOnce: [wgmqbn96] %systemroot%\system32\regsvr32.exe /s %systemroot%\system32\wuxztt.dll
O4 - HKLM\..\RunOnce: [snwnbz60] %systemroot%\system32\Rundll32.exe %systemroot%\system32\snwnbz60.dll DllUnregisterServer
O4 - HKLM\..\RunOnce: [jenqib28] %systemroot%\system32\regsvr32.exe /s %systemroot%\system32\wcczixp.dll
O4 - HKLM\..\RunOnce: [ivhbip99] %systemroot%\system32\regsvr32.exe /s %systemroot%\system32\wbdics.dll
O4 - HKLM\..\RunOnce: [ipdname] %systemroot%\system32\regsvr32.exe /s %systemroot%\system32\xpiztx.dll
O4 - HKLM\..\RunOnce: [idgen] %systemroot%\system32\regsvr32.exe /s %systemroot%\system32\obcts.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - ESC Trusted Zone: O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rstavaresassociates.com
O17 - HKLM\Software\..\Telephony: DomainName = rstavaresassociates.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2013E03-8AF0-4F8A-B54C-3C4CE544662A}: NameServer = 192.168.1.10,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rstavaresassociates.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rstavaresassociates.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 5211 bytes
Thanks.
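A triage sketch for the O4 lines of a log like the one above, added here as an example and not part of the original post: it lists autorun entries that start a DLL through regsvr32.exe or rundll32.exe and reports which of those DLLs are also referenced from other log sections. The function names and the heuristic are assumptions; `SAMPLE_LOG` is an excerpt of the posted log.

```python
import re

# Excerpt of the HijackThis log posted above (O2 and O4 lines only).
SAMPLE_LOG = r"""
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\obcts.dll
O4 - HKLM\..\RunOnce: [wgmqbn96] %systemroot%\system32\regsvr32.exe /s %systemroot%\system32\wuxztt.dll
O4 - HKLM\..\RunOnce: [snwnbz60] %systemroot%\system32\Rundll32.exe %systemroot%\system32\snwnbz60.dll DllUnregisterServer
O4 - HKLM\..\RunOnce: [idgen] %systemroot%\system32\regsvr32.exe /s %systemroot%\system32\obcts.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
LOADER_RE = re.compile(r"\\(regsvr32|rundll32)\.exe\b", re.I)
DLL_RE = re.compile(r"([^\\\s]+\.dll)\b", re.I)


def autorun_dll_loads(log_text):
    """Return O4 autorun entries whose command starts a DLL via regsvr32/rundll32."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m or not LOADER_RE.search(m["cmd"]):
            continue  # not an autorun line, or it launches an ordinary executable
        dlls = DLL_RE.findall(m["cmd"])
        if dlls:
            hits.append({"key": m["key"], "name": m["name"], "dll": dlls[-1].lower()})
    return hits


def dlls_in_other_sections(log_text, hits):
    """Map each flagged DLL to the non-O4 section codes that also reference it."""
    wanted = {h["dll"] for h in hits}
    seen = {}
    for line in log_text.splitlines():
        if line.startswith("O4 ") or not line.strip():
            continue
        for dll in DLL_RE.findall(line):
            if dll.lower() in wanted:
                seen.setdefault(dll.lower(), []).append(line.split(" - ")[0])
    return seen


if __name__ == "__main__":
    flagged = autorun_dll_loads(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['key']} [{h['name']}] -> {h['dll']}")
    print("also referenced in:", dlls_in_other_sections(SAMPLE_LOG, flagged))
```

Entries listed this way are candidates for closer inspection (file properties, signer, creation time), not a verdict on the files.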