Gambler1st

Members, 8 posts

Posts posted by Gambler1st

  1. Hi!

    I deleted the items you requested and installed the new Java and Adobe Reader.

    Here are the scan results from my last Malwarebytes scan:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2868

    Windows 5.1.2600 Service Pack 3

    28-9-2009 21:44:29

    mbam-log-2009-09-28 (21-44-29).txt

    Scan type: Quick Scan

    Objects scanned: 122195

    Time elapsed: 8 minute(s), 34 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 2

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    Regards

    Marty

  2. Hi, good to hear it looks good B)

    Here are the results from the F-Secure Scan:

    --RESULTS--

    Scanning Report

    Sunday, September 27, 2009 21:21:16 - 22:09:59

    Computer name: 3WKCL3J

    Scanning type: Scan system for malware, spyware and rootkits

    Target: C:\

    --------------------------------------------------------------------------------

    7 malware found

    TrackingCookie.Atdmt (spyware)

    System (Disinfected)

    TrackingCookie.Adtech (spyware)

    System (Disinfected)

    TrackingCookie.Doubleclick (spyware)

    System (Disinfected)

    TrackingCookie.Admeta (spyware)

    System (Disinfected)

    Trojan.Generic.1771037 (spyware)

    System (Disinfected)

    TrackingCookie.Yieldmanager (spyware)

    System (Disinfected)

    Trojan.Generic.1771037 (virus)

    C:\WINDOWS\SYSTEM32\WB64977.DLL (Not cleaned)

    --------------------------------------------------------------------------------

    Statistics

    Scanned:

    Files: 60112

    System: 3866

    Not scanned: 8

    Actions:

    Disinfected: 6

    Renamed: 0

    Deleted: 0

    Not cleaned: 1

    Submitted: 0

    Files not scanned:

    C:\HIBERFIL.SYS

    C:\PAGEFILE.SYS

    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

    C:\WINDOWS\SYSTEM32\CONFIG\SAM

    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\VIRTUAL MACHINE HELPER\NETWORK SERVICE

    --------------------------------------------------------------------------------

    Options

    Scanning engines:

    Scanning options:

    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

    Use advanced heuristics

    --------------------------------------------------------------------------------

    Copyright

  3. Hi screen 317,

    Thank you for your help. Here are my log files:

    --COMBOFIX LOG--

    ComboFix 09-09-25.01 - biesmar 27-09-2009 8:28.1.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1350 [GMT 2:00]

    Running from: c:\documents and settings\Biesmar\Desktop\ComboFix.exe

    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll

    c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll

    c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll

    c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\SSIS_ScriptComponent\9.0\1033\ResourceCache.dll

    c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\SSIS_ScriptTask\9.0\1033\ResourceCache.dll

    c:\documents and settings\Biesmar\Application Data\Microsoft\Clip Organizer\mstore10.mgc

    c:\documents and settings\Biesmar\Application Data\Microsoft\Clip Organizer\Offic10.MGC

    c:\recycler\S-1-5-21-1236027963-590738440-2331357172-500

    c:\recycler\S-1-5-21-4156654137-380929339-3244173841-500

    c:\windows\Installer\26ec5.msp

    c:\windows\Installer\48ff8.msp

    c:\windows\system32\Cache

    c:\windows\system32\drivers\d2297f7c.sys

    c:\windows\system32\Ijl11.dll

    c:\windows\system32\mswinup.exe

    c:\windows\system32\winsvcup.exe

    c:\windows\system32\winupsvc.exe

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Legacy_IPRIP

    -------\Legacy_MSUPDATE

    -------\Service_Iprip

    -------\Service_d2297f7c

    ((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))

    .

    2009-09-25 18:46 . 2009-09-25 18:46 -------- d-----w- C:\ARK

    2009-09-24 19:49 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

    2009-09-24 19:49 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

    2009-09-24 19:49 . 2008-12-10 09:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

    2009-09-24 19:48 . 2009-09-24 19:48 -------- d-----w- c:\documents and settings\Biesmar\Application Data\PC Tools

    2009-09-24 19:48 . 2009-09-24 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

    2009-09-24 19:46 . 2009-09-24 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

    2009-09-24 19:34 . 2009-09-24 21:30 -------- d-----w- c:\program files\Common Files\PC Tools

    2009-09-24 19:34 . 2009-09-25 18:57 -------- d-----w- c:\program files\Spyware Doctor

    2009-09-24 19:19 . 2009-09-24 19:19 -------- d-----w- c:\program files\Enigma Software Group

    2009-09-16 21:55 . 2009-09-16 21:55 -------- d-----w- c:\program files\EA Sports

    2009-09-12 17:47 . 2009-09-19 21:25 -------- d-----w- c:\documents and settings\Biesmar\Application Data\Pro Cycling Manager 2009

    2009-09-12 16:16 . 2009-09-25 17:03 -------- d-----w- c:\program files\Cyanide

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-09-27 06:55 . 2008-10-09 09:00 -------- d-----w- c:\program files\Symantec AntiVirus

    2009-09-27 06:25 . 2008-10-06 07:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

    2009-09-25 20:43 . 2008-06-10 10:45 475608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

    2009-09-25 17:05 . 2008-04-19 06:01 -------- d-----w- c:\program files\KONAMI

    2009-09-24 19:46 . 2009-03-23 09:51 -------- d-----w- c:\program files\Google

    2009-09-22 21:18 . 2008-04-16 14:01 -------- d-----w- c:\documents and settings\Biesmar\Application Data\Azureus

    2009-09-17 20:03 . 2008-06-09 20:31 -------- d-----w- c:\program files\Microsoft Silverlight

    2009-09-16 19:48 . 2008-10-09 09:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2009-09-10 12:54 . 2008-10-09 09:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2009-09-10 12:53 . 2008-10-09 09:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    2009-08-21 15:36 . 2009-03-23 09:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

    2009-08-21 15:35 . 2007-08-01 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WindowsLiveInstaller

    2009-08-21 15:35 . 2007-08-01 14:47 -------- d-----w- c:\program files\Windows Live

    2009-08-11 20:04 . 2009-07-31 18:32 -------- d-----w- c:\documents and settings\Biesmar\Application Data\GrabIt

    2009-07-31 18:24 . 2009-07-31 18:24 -------- d-----w- c:\program files\GrabIt

    2009-07-28 17:01 . 2009-07-28 17:01 229224 ----a-w- c:\windows\system32\drivers\VMM.sys

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-15 159744]

    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]

    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]

    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

    "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-06-03 5069648]

    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    "NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2008-02-22 86016]

    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-18 303104]

    "NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-02-22 86016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    "ForceStartMenuLogOff"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

    backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

    "Apple Mobile Device"=2 (0x2)

    "MSSQLSERVER"=2 (0x2)

    "MSSQL$SQLEXPRESS"=2 (0x2)

    "MSSQL$TEST2008"=2 (0x2)

    "SQLSERVERAGENT"=3 (0x3)

    "SQLAgent$TEST2008"=3 (0x3)

    "MSSQLServerOLAPService"=2 (0x2)

    "MSOLAP$TEST2008"=2 (0x2)

    "msftesql"=2 (0x2)

    "MsDtsServer100"=2 (0x2)

    "ReportServer$TEST2008"=2 (0x2)

    "SQLWriter"=3 (0x3)

    "WMPNetworkSvc"=3 (0x3)

    "WLSetupSvc"=3 (0x3)

    "usnjsvc"=3 (0x3)

    "stllssvr"=3 (0x3)

    "SQLBrowser"=2 (0x2)

    "SQLAgent$SQL2005"=3 (0x3)

    "SavRoam"=3 (0x3)

    "ose"=3 (0x3)

    "odserv"=3 (0x3)

    "MSSQL$SQL2005"=2 (0x2)

    "MSOLAP$SQL2005"=2 (0x2)

    "msftesql$SQL2005"=2 (0x2)

    "MsDtsServer"=2 (0x2)

    "MDM"=2 (0x2)

    "iPod Service"=3 (0x3)

    "idsvc"=3 (0x3)

    "IDriverT"=3 (0x3)

    "vmh"=3 (0x3)

    "Virtual Server"=2 (0x2)

    "NVSvc"=2 (0x2)

    "mnmsrvc"=3 (0x3)

    "helpsvc"=2 (0x2)

    "Fax"=2 (0x2)

    "ERSvc"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    "c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=

    "c:\\WINDOWS\\system32\\winver.exe"=

    "c:\\WINDOWS\\system32\\mmc.exe"=

    "c:\\Program Files\\Microsoft Virtual Server\\vssrvc.exe"=

    "c:\\Program Files\\Vuze\\Azureus.exe"=

    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

    "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping

    "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

    "135:TCP"= 135:TCP:Remote Procedure Call

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

    "AllowInboundEchoRequest"= 1 (0x1)

    R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [24-9-2009 21:49 130936]

    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19-12-2006 15:21 79432]

    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2-11-2006 13:32 97536]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [24-9-2009 21:05 102448]

    R3 vhdbus;Microsoft Virtual Server Storage Bus;c:\windows\system32\drivers\vhdbus.sys [5-5-2007 4:25 25480]

    S3 EC168BDA;EC168BDA service;c:\windows\system32\DRIVERS\EC168BDA.sys --> c:\windows\system32\DRIVERS\EC168BDA.sys [?]

    S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]

    S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [24-9-2009 21:48 348752]

    S4 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" --> c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [?]

    S4 msftesql$SQL2005;SQL Server FullText Search (SQL2005);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQL2005 --> c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [?]

    S4 MSOLAP$SQL2005;SQL Server Analysis Services (SQL2005);"c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\Config" --> c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [?]

    S4 MSSQL$SQL2005;SQL Server (SQL2005);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQL2005 --> c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [?]

    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23-9-2005 7:01 2799808]

    S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [27-9-2006 20:33 116464]

    S4 SQLAgent$SQL2005;SQL Server Agent (SQL2005);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i SQL2005 --> c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [?]

    S4 Virtual Server;Virtual Server;c:\program files\Microsoft Virtual Server\vssrvc.exe [24-5-2007 13:36 3373432]

    S4 vmh;Virtual Machine Helper;c:\program files\Microsoft Virtual Server\vmh.exe [24-5-2007 13:36 166808]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

    .

    Contents of the 'Scheduled Tasks' folder

    2009-09-27 c:\windows\Tasks\Google Software Updater.job

    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-24 19:46]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com/

    uInternet Settings,ProxyServer = 10.17.6.48:8080

    IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

    IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML

    IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

    IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

    IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

    IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML

    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://90.145.4.49:8080/activex/AMC.cab

    .

    - - - - ORPHANS REMOVED - - - -

    AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-09-27 08:59

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msftesql$SQL2005]

    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQL2005"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2856)

    c:\windows\system32\WININET.dll

    c:\windows\system32\msi.dll

    c:\windows\system32\ieframe.dll

    c:\windows\system32\webcheck.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\program files\Roxio\Drag-to-Disc\Shellex.dll

    c:\windows\system32\DLAAPI_W.DLL

    c:\windows\system32\CDRTC.DLL

    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

    c:\program files\Microsoft Virtual PC\VPCShExH.DLL

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files\Intel\Wireless\Bin\EvtEng.exe

    c:\program files\Intel\Wireless\Bin\S24EvMon.exe

    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    c:\windows\system32\scardsvr.exe

    c:\program files\Symantec AntiVirus\DefWatch.exe

    c:\windows\system32\inetsrv\inetinfo.exe

    c:\program files\Intel\Wireless\Bin\RegSrvc.exe

    c:\windows\system32\tcpsvcs.exe

    c:\windows\system32\snmp.exe

    c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe

    c:\program files\Symantec AntiVirus\Rtvscan.exe

    c:\windows\system32\rundll32.exe

    c:\windows\system32\rundll32.exe

    c:\program files\Apoint\ApMsgFwd.exe

    c:\program files\Apoint\hidfind.exe

    c:\program files\Apoint\ApntEx.exe

    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

    .

    **************************************************************************

    .

    Completion time: 2009-09-27 9:03 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-09-27 07:03

    Pre-Run: 86.856.097.792 bytes free

    Post-Run: 87.089.676.288 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5

    262 --- E O F --- 2009-09-03 10:20

    --Here is the Hijackthis log--

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 9:10:15, on 27-9-2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\system32\inetsrv\inetinfo.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\WINDOWS\system32\tcpsvcs.exe

    C:\WINDOWS\System32\snmp.exe

    C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\WINDOWS\system32\RunDLL32.exe

    C:\WINDOWS\stsystra.exe

    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Apoint\ApMsgFwd.exe

    C:\Program Files\Apoint\HidFind.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

    C:\WINDOWS\explorer.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.nl/ig/dell?hl=en&client=dell-row-rel&channel=nl&ibd=5070712

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.17.6.48:8080

    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

    O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

    O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

    O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey

    O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

    O8 - Extra context menu item: Append the content of the link to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

    O8 - Extra context menu item: Append the content of the selected links to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML

    O8 - Extra context menu item: Append to existing PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

    O8 - Extra context menu item: Create PDF file - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

    O8 - Extra context menu item: Create PDF file from the content of the link - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

    O8 - Extra context menu item: Create PDF files from the selected links - res://C:\Program Files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O15 - ESC Trusted Zone: http://the.earth.li

    O15 - ESC Trusted Zone: http://*.kixtart.org

    O15 - ESC Trusted Zone: http://files6.rarlab.com

    O15 - ESC Trusted Zone: http://support.ricoh.com

    O15 - ESC Trusted Zone: http://mesh.dl.sourceforge.net

    O15 - ESC Trusted IP range: http://10.0.0.10

    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://90.145.4.49:8080/activex/AMC.cab

    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://portal.rocmn.nl/dana-cached/setup/J...perSetupSP1.cab

    O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://10.200.8.21/Reports/Reserved.Report...OpType=PrintCab

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = backoffice.rubicongroup.biz

    O17 - HKLM\Software\..\Telephony: DomainName = backoffice.rubicongroup.biz

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = backoffice.rubicongroup.biz

    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = backoffice.rubicongroup.biz

    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = backoffice.rubicongroup.biz

    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = backoffice.rubicongroup.biz

    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

    O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

    --

    End of file - 10458 bytes

    Hope to hear from you soon!

    Thank you again!

    Regards

    Gambler

  4. Hi There,

    Since yesterday my Malwarebytes alerts me about 2 entries in the Registry Data with the name Hijack.WindowsUpdates.

    I've seen topics where there is a suggestion to delete this, but it seems it is specific to the user who posted the question.

    Please help.

    This is the log file:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2860

    Windows 5.1.2600 Service Pack 3

    25-9-2009 21:11:36

    mbam-log-2009-09-25 (21-11-36).txt

    Scan type: Quick Scan

    Objects scanned: 119497

    Time elapsed: 2 minute(s), 44 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 2

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)
