Recurring attempt to inject DLL


Well, it started with a startup error - "Error loading C:\Documents and Settings\user\Local Settings\Application Data\Macromedia\kmdjwfhc.dll - The specified module could not be found".

There was a startup entry attempting to inject this DLL (have since deleted it). I removed that startup entry, it came back once more, I removed it again and it has not been back so far. My antivirus flagged a TMP file in C:\Documents and settings\user\Local Settings\temp as "trojan horse" but nothing more specific than that.

I did a scan with Malwarebytes, it found nothing. I ran the DDS as advised in this forum and have the results attached.

It seems like there is some sort of malware running, but it's not making itself known in a really major way. Do you folks see anything in these logs that would indicate where or with what I should scan next?

Thanks!

dds.txt

attach.txt

hijackthis.log

mbam-log-2012-08-21 (11-22-26).txt


Hello milobloom and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

This one needs a deep scan.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Thanks Maniac, I ran Combofix in safe mode. Here is a copy of the log file:

ComboFix 12-08-22.01 - user 08/22/2012 10:00:52.1.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1652 [GMT -6:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

ADS - WINDOWS: deleted 216 bytes in 2 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\windows\system32\FlashPlayerInstaller.exe

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

c:\windows\system32\drivers\i8042prt.sys . . . is missing!!

.

.

((((((((((((((((((((((((( Files Created from 2012-07-22 to 2012-08-22 )))))))))))))))))))))))))))))))

.

.

2012-08-21 17:15 . 2012-08-21 17:15 607260 ------r- C:\dds.scr

2012-08-21 17:07 . 2012-08-21 17:06 477168 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-08-21 17:07 . 2012-08-21 17:06 473072 ----a-w- c:\windows\system32\deployJava1.dll

2012-08-21 17:06 . 2012-08-21 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2012-08-21 17:02 . 2012-08-21 17:03 388608 ----a-w- C:\HijackThis.exe

2012-08-21 17:02 . 2012-08-21 17:02 8656400 ----a-w- C:\RootkitBuster_v5_1061.exe

2012-08-21 17:02 . 2012-08-21 15:41 134326264 ----a-w- C:\setup_11.0.0.1245.x01_2012_08_21_16_56.exe

2012-08-15 15:32 . 2012-08-15 15:32 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-15 15:32 . 2012-08-15 15:32 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-08 17:30 . 2012-08-08 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-08-08 17:30 . 2012-08-08 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-08-08 17:30 . 2012-07-03 19:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-30 18:49 . 2012-08-17 13:50 -------- d-----w- c:\program files\Common Files\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-21 17:06 . 2011-11-10 22:08 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-07-06 13:58 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05 . 2011-11-10 21:27 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40 . 2008-04-14 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-07-02 17:49 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-07-02 17:49 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-07-02 17:49 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-07-02 12:05 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec

2012-06-06 14:49 . 2012-06-06 14:49 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX

2012-06-05 15:50 . 2008-04-14 12:00 1372672 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 15:50 . 2008-04-14 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 04:32 . 2008-04-14 12:00 152576 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 21:19 . 2011-11-11 00:05 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 21:19 . 2011-11-11 00:05 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 21:19 . 2011-11-10 21:28 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 21:19 . 2011-11-10 21:28 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-02 21:19 . 2011-11-10 21:28 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 21:19 . 2011-11-11 00:05 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 21:19 . 2011-11-11 00:05 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 21:19 . 2011-11-10 21:28 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 21:19 . 2011-11-10 21:28 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 21:19 . 2008-04-14 12:00 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 21:19 . 2011-11-11 00:05 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 21:19 . 2011-11-10 21:28 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 21:19 . 2011-11-10 21:28 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 21:18 . 2011-11-12 18:11 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 21:18 . 2011-11-12 18:11 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-06-02 21:18 . 2009-08-07 02:23 214256 ----a-w- c:\windows\system32\muweb.dll

2012-05-31 13:22 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-28 16:14 . 2012-05-07 21:43 249856 -c----w- c:\windows\Setup1.exe

2012-05-28 16:14 . 2012-05-07 21:43 73216 ----a-w- c:\windows\ST6UNST.EXE

2011-09-23 04:28 . 2011-11-10 21:39 134104 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-10-16 2363392]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-09 8523776]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-25 115560]

"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Start Pervasive PSQL Workgroup Engine.lnk - c:\windows\Installer\{0A3238D7-AB32-1030-B717-F3E3F18B4A8C}\WGE.14A03FCD_EA43_4130_A5C0_F02D38895A13.exe [2011-12-16 92854]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

.

R1 Ext2Fsd;Linux ext2 file system driver;c:\windows\system32\drivers\ext2fsd.sys [7/17/2012 10:06 AM 634880]

S0 cerc6;cerc6; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/29/2012 11:49 AM 116648]

S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [11/2/2011 9:24 AM 68896]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/15/2012 9:32 AM 250056]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/2/2009 5:02 PM 23888]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/9/2012 2:00 AM 106656]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/29/2012 11:49 AM 116648]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-10-16 18:49 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-22 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 15:32]

.

2012-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-29 17:49]

.

2012-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-29 17:49]

.

.

------- Supplementary Scan -------

.

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath -

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

SafeBoot-Symantec Antvirus

AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-08-22 10:05

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2012-08-22 10:06:03

ComboFix-quarantined-files.txt 2012-08-22 16:06

.

Pre-Run: 63,473,246,208 bytes free

Post-Run: 63,496,630,272 bytes free

.

- - End Of File - - 1342C297F207A8BE266BCD82B4941935


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *i8042prt.sys*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook 30.07.11 by jpshortstuff

Log created at 10:43 on 22/08/2012 by user

Administrator - Elevation successful

========== filefind ==========

Searching for "*i8042prt.sys*"

No files found.

-= EOF =-

(the computer does not have a PS/2 style mouse or keyboard attached, if that makes a difference.)


In this case, the system does not necessarily have this file. Thanks for your information! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Still have to carve out some time to run the ESET scanner, but I thought I'd add: the attempt to inject a DLL at startup is back. The entry in the registry (can't remember if it was HKCU or HKLM Run) was:

rundll32.exe "c:\Documents and Settings\user\Local Settings\Application Data\Macromedia\kmdjwfhc.dll",InjectDLL

Will post ESET results once I have them.


ESET results:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=07235ed7993d594ab43f96b84e83b58c

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-08-24 04:45:54

# local_time=2012-08-24 10:45:54 (-0700, Mountain Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=48380

# found=1

# cleaned=1

# scan_time=3377

C:\Downloads\Precision390\winzip160.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

