I initially had AVG 7.5 installed and it was alerting me to the presence of a virus by requesting quarantining of the files. I shut down my internet and started to run a manual scan of the entire computer with AVG. It identified a number of files as malicious and among them mfc40u.dll in the system32 directory. I was able to successfully replace that file with an uninfected one from system32\dllcache. I then ran ComboFix and it asked me to reboot. However, when the boot screen next came up, I was unable to gain access after receiving an error message along the lines of invalid LPtrSessionName in lsass.exe when loading mfc40u.dll. After much research, I found out that lsass.exe had also been infected (but AVG didn't appear to have picked it up). I was able to boot up using BartPE and replaced the infected lsass.exe with the one in the dllcache. Everything then came up as normal when I next rebooted. I then painstakingly went through the Browser Helper Objects and ShellExecuteHooks in the registry to remove all suspicious entries. I went through the Run, RunOnce and ControlSet parts of the registry and removed many references to DLLs that had previously been deleted by AVG.
I thought my job was done and boy, how wrong I was. I decided to run HouseCall overnight just to be on the safe side. When I woke up the next morning, HouseCall hadn't really identified anything more suspicious (other than a couple of harmless tracking cookies). However, I noticed that my IE start-up page had been altered. This alerted me to the continued infection of my machine. I then downloaded TrendMicro Internet Security 2008 (and removed AVG, of course) and ran another scan. Other than picking up the quarantined files from ComboFix and AVG, it didn't really do much. I then installed AVG 8.0 and sure enough it identified further infection of explorer.exe and a file called mpckxw29vj.dll in the system32 directory. While AVG successfully removed this file and cured explorer.exe, the next reboot resulted in the error message that Windows was not able to load "mpckxw29vj.dll". That means there must still be something that is attempting to load the DLL into memory. However, I searched through the registry and couldn't find anything that loads this DLL.
I ran another ComboFix, and it didn't make any difference. However, I have noticed the following 4 entries in the Find3M section:
2004-08-08 05:51 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
2004-08-08 05:53 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
2004-08-08 05:58 520 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
2004-08-08 05:54 520 --sh--w C:\WINDOWS\system32\xscqbhlp.sys
However, I was not able to find them in the specified directory at all until I used the DOS dir /ah command. These files have been given the system file attribute and hence were not picked up despite having the view hidden files option on. I then ran Microsoft Malicious Virus removal and AVG 8 against these files and neither found anything suspicious either. Any idea what else I should be looking for to get rid of these pesky bugs?
Thanks in advance
Edited by Orange Blossom, 22 June 2008 - 07:37 PM.
Move to more appropriate forum. ~ OB
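Added example (not part of the original post or of ComboFix): a small parser for the Find3M lines quoted above that flags the pattern a responder would look at first, files carrying both the hidden and system attributes under system32 that share an identical size. The sample log is constructed from the four entries in the post plus two ordinary-looking lines; the "shared size" heuristic is an assumption for illustration, not a ComboFix feature.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four Find3M entries from the post plus two
# benign-looking lines to show the heuristic ignoring normal files.
SAMPLE_LOG = """\
2004-08-08 05:51 520 --sh--w C:\\WINDOWS\\system32\\rnmxajkl.sys
2004-08-08 05:53 520 --sh--w C:\\WINDOWS\\system32\\smdsbsrv.sys
2004-08-08 05:58 520 --sh--w C:\\WINDOWS\\system32\\vlhxaklo.sys
2004-08-08 05:54 520 --sh--w C:\\WINDOWS\\system32\\xscqbhlp.sys
2008-06-20 10:12 1,024,000 ----a-w C:\\WINDOWS\\system32\\mfc40u.dll
2008-06-21 09:00 520 ----a-w C:\\WINDOWS\\system32\\notes.txt
"""

# date  time  size  attribute-flags  path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")


@dataclass
class Find3MEntry:
    date: str
    time: str
    size: int
    attrs: str
    path: str

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]

    @property
    def hidden_system(self):
        # In the attribute field 's' = system and 'h' = hidden; a file with
        # both stays invisible in Explorer even with "show hidden files" on.
        return "s" in self.attrs and "h" in self.attrs


def parse_find3m(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, time, size, attrs, path = m.groups()
            entries.append(Find3MEntry(date, time, int(size.replace(",", "")), attrs, path))
    return entries


def flag_suspicious(entries):
    """Hidden+system files under system32 whose size matches at least one
    other hidden+system entry (assumed heuristic: identical tiny stubs)."""
    candidates = [e for e in entries if e.hidden_system and "\\system32\\" in e.path.lower()]
    by_size = {}
    for e in candidates:
        by_size.setdefault(e.size, []).append(e)
    return [e for group in by_size.values() if len(group) > 1 for e in group]
```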