
Malware returns even though quarantined



Here's my logfile from HijackThis. By the way, I've installed Malwarebytes for the 3rd time, and it still won't open. The reason I have uninstalled and then reinstalled it is that I was following a suggestion from elsewhere in the forum to do that. I ran the recommended cleanup utility in between installations and restarted the computer. I also have the Ad-Aware program, which does find a malware called UACybwqwaom.sys which it says it successfully quarantined, but the same malware usually shows up again at the next scan. Anyway, I've looked in the Malwarebytes' Anti-Malware folder in Program Files to rename the mbam.exe file as in another suggestion, but there isn't a file in there with that name - I just have mbam with no extension. I did try renaming that one previously, but nothing happened. Malwarebytes still won't do anything, and I'm still stuck with malware on my computer.

I have Windows XP Media Center edition version 2002 with service pack 3, HP Pavilion, AMD Athlon 64 processor.

Any help offered much appreciated - thanks.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:12:33 PM, on 3/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\DISC\DiscUpdateMgr.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\DISC\DiscGui.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

c:\windows\system\hpsysdrv.exe

C:\Documents and Settings\HP_Administrator\Desktop\HJTInstall.exe

C:\Documents and Settings\HP_Administrator\Desktop\HJTInstall.exe

C:\Documents and Settings\HP_Administrator\Desktop\HJTInstall.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.trymedia.com (HKLM)

O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://yarnplayer.spaces.live.com/PhotoUpload/MsnPUpld.cab

O20 - Winlogon Notify: khFwuSMG - khFwuSMG.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Update Service (gupdate1c98f2f29ddc5b3) (gupdate1c98f2f29ddc5b3) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)

--

End of file - 10642 bytes


Hi and welcome to the MBAM forums :(

You have the CLB driver rootkit infection on board: UACybwqwaom.sys

Please use the following guide as a walkthrough to fixing the issues you experience.

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Install, update and run an MBAM quick scan, then post back the MBAM scan log and a new HJT log.

Thanks in advance :(


Thanks, I did install and run the tool suggested, and it worked beautifully! It even showed the offending malware in red letters, so it was easy for me to find and wipe the file.

Here is the mbam log of the scan I just ran:

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 5.1.2600 Service Pack 3

3/26/2009 3:59:32 PM

mbam-log-2009-03-26 (15-59-32).txt

Scan type: Quick Scan

Objects scanned: 72427

Time elapsed: 11 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And here is the HijackThis log from its last scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:06:02 PM, on 3/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\HP\KBD\KBD.EXE

Thanks so much for the help!


Hi,

Your MBAM is still using a very old database:

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Please open MBAM, go to the Updates tab and select Check for Updates.

Run a quick scan, let MBAM delete what it finds, then reboot.

Generate a fresh HJT log and post that back with the last MBAM scan log.

Thanks in advance.


OK, I did as suggested, and here is the last MBAM log:

Malwarebytes' Anti-Malware 1.34

Database version: 1903

Windows 5.1.2600 Service Pack 3

3/26/2009 4:36:13 PM

mbam-log-2009-03-26 (16-36-13).txt

Scan type: Quick Scan

Objects scanned: 77833

Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\dTJxevDn.exe.part (Trojan.FakeAlert) -> Quarantined and deleted successfully.

And here is the latest log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:44:29 PM, on 3/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\DISC\DiscUpdateMgr.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\Program Files\DISC\DiscGui.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\NOTEPAD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.trymedia.com (HKLM)

O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://yarnplayer.spaces.live.com/PhotoUpload/MsnPUpld.cab

O20 - Winlogon Notify: khFwuSMG - khFwuSMG.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Update Service (gupdate1c98f2f29ddc5b3) (gupdate1c98f2f29ddc5b3) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)

--

End of file - 10525 bytes


Looking a lot better!

One last routine and hopefully the job will be a good'un :(

1) STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

http://www.forospyware.com/sUBs/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


OK, thanks. ComboFix has finished, and here is the report:

ComboFix 09-03-26.01 - HP_Administrator 2009-03-26 17:03:52.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.518 [GMT -5:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))

.

2009-03-26 15:01 . 2009-03-26 15:01 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2009-03-26 12:44 . 2009-03-26 12:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-26 12:44 . 2009-03-26 12:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-26 12:44 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-26 12:44 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-17 10:21 . 2009-03-17 10:21 <DIR> d-------- c:\program files\Lugert Europe

2009-03-17 10:21 . 2004-02-07 23:53 856,064 --a------ c:\windows\system32\mpgfiltr.ax

2009-03-17 10:21 . 2006-11-06 15:30 262,144 --a------ c:\windows\system32\lame_enc.dll

2009-03-17 10:21 . 2008-12-11 16:15 155,648 --a------ c:\windows\system32\AudioCapture.ocx

2009-03-17 10:21 . 2003-08-19 19:31 81,920 --a------ c:\windows\system32\viscomwave.dll

2009-03-17 10:21 . 2003-12-11 16:15 44,544 --a------ c:\windows\system32\msxml4a.DLL

2009-03-16 09:25 . 2009-03-16 09:26 <DIR> d-------- C:\Temp

2009-03-13 11:00 . 2009-03-13 11:00 <DIR> d-------- c:\windows\MVUNINST

2009-03-13 11:00 . 2009-03-13 11:00 <DIR> d-------- c:\program files\SureThing

2009-03-13 10:33 . 2009-03-13 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\LightScribe

2009-03-13 06:57 . 2009-03-13 09:19 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\CyberLink

2009-03-13 06:57 . 2009-03-13 09:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink

2009-03-12 22:08 . 2009-03-12 21:12 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-03-12 21:13 . 2009-03-12 21:13 <DIR> d----c--- c:\windows\system32\DRVSTORE

2009-03-12 21:13 . 2009-03-12 21:12 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-03-12 21:10 . 2009-03-12 21:10 <DIR> d-------- c:\program files\Lavasoft

2009-03-12 21:10 . 2009-03-12 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-03-12 21:10 . 2009-03-12 21:10 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-03-12 14:24 . 2009-03-26 17:09 <DIR> d-------- c:\program files\lg_fwupdate

2009-03-12 14:24 . 1998-06-24 00:00 115,016 --a------ c:\windows\system32\MSINET.OCX

2009-03-12 14:24 . 1998-07-22 00:00 102,912 --a------ c:\windows\system32\Vb6stkit.dll

2009-03-12 14:24 . 1998-07-22 00:00 102,160 --a------ c:\windows\system32\VB6KO.DLL

2009-03-12 14:24 . 2006-02-17 14:19 16,384 --a------ c:\windows\system32\lgfwunis.exe

2009-03-12 14:24 . 2009-03-26 17:09 361 --a------ c:\windows\lgfwup.ini

2009-03-12 14:08 . 2009-03-12 14:08 <DIR> d-------- c:\program files\Nero

2009-03-12 14:08 . 2009-03-12 14:08 <DIR> d-------- c:\program files\Common Files\Ahead

2009-03-12 14:05 . 2009-03-15 21:33 <DIR> d-------- C:\MyWorks

2009-03-12 14:04 . 2009-03-12 14:06 <DIR> d-------- c:\program files\CyberLink

2009-03-12 12:44 . 2009-03-12 12:44 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Webroot

2009-03-12 12:43 . 2009-03-12 13:07 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\U3

2009-03-12 12:42 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys

2009-03-12 12:42 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys

2009-03-12 12:42 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys

2009-03-12 12:42 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\dllcache\kbdhid.sys

2009-03-03 18:42 . 2009-03-25 17:39 16,384 --a------ c:\windows\DCEBoot.exe

2009-03-03 09:51 . 2009-03-03 09:51 <DIR> d-------- c:\windows\system32\log

2009-03-03 09:43 . 2004-08-10 07:00 4,224 --a------ c:\windows\system32\drivers\beep.sys

2009-03-03 09:43 . 2004-08-10 07:00 4,224 --a------ c:\windows\system32\dllcache\beep.sys

2009-02-28 12:14 . 2009-03-11 19:51 164 --a------ c:\windows\install.dat

2009-02-28 10:08 . 2009-03-26 14:54 1,896,749 --a------ c:\windows\system32\uactmp.db

2009-02-28 08:14 . 2009-03-12 13:12 414,144 --a------ c:\windows\system32\UACqhlapaxk.db

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-26 19:12 --------- d-----w c:\program files\Trend Micro

2009-03-23 12:07 --------- d-----w c:\program files\Java

2009-03-13 16:00 --------- d-----w c:\program files\Common Files\SureThing Shared

2009-03-13 15:20 --------- d---a-w c:\program files\Common Files\LightScribe

2009-03-12 19:24 --------- d--h--w c:\program files\InstallShield Installation Information

2009-03-12 01:38 --------- d-----w c:\program files\Google

2009-02-26 17:38 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-06 16:05 164 ----a-w C:\install.dat

2009-01-13 21:38 3,332 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2008-06-29 18:10 22 --sha-w c:\windows\SMINST\HPCD.sys

2008-08-11 20:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081120080812\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"AlwaysReady Power Message APP"="c:\windows\ARPWRMSG.EXE" [2005-08-03 77312]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-27 185896]

"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]

"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]

"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2006-08-17 249856]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-12 515416]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-10 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-12 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-04-23 52240]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-16 36368]

R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-04-23 648456]

S2 gupdate1c98f2f29ddc5b3;Google Update Service (gupdate1c98f2f29ddc5b3);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46eb5e4e-0f2d-11de-b92e-0015f2907c54}]

\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46eb5e50-0f2d-11de-b92e-0015f2907c54}]

\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-12 21:12]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

HKLM-Run-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe

HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

HKLM-Run-PCDrProfiler - (no file)

Notify-khFwuSMG - khFwuSMG.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

Trusted Zone: trymedia.com

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\x2kqca0j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.trymedia.com (HKLM)

O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://yarnplayer.spaces.live.com/PhotoUpload/MsnPUpld.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Update Service (gupdate1c98f2f29ddc5b3) (gupdate1c98f2f29ddc5b3) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)

--

End of file - 9248 bytes

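The helper's diagnosis at the top of the thread (a UAC-named driver that keeps coming back after Ad-Aware quarantines it) is something that can be checked mechanically before the logs are posted. The Python script below is an added example, not part of the original thread and not a Malwarebytes or ComboFix tool: it scans HijackThis, ComboFix and MBAM log lines for the indicators that appear in this thread (UAC-prefixed files and the UACd service, the HKLM\SOFTWARE\UAC key, Security Center notification suppression, and Winlogon Notify or service entries whose file is missing). The rule names, the generalisation of "UAC plus random letters" to a regular expression, and the sample log (constructed from lines posted in this thread) are assumptions of the example.

```python
"""Indicator triage for the logs exchanged in this thread (HijackThis,
ComboFix and Malwarebytes' Anti-Malware). Added example; not a tool from the
original thread or from Malwarebytes."""
import re
from collections import Counter

# Rules are tried in order; the first match classifies the line.
# The UAC patterns generalise the names seen in this thread (UACybwqwaom.sys,
# UACqhlapaxk.db, uactmp.db, Service_UACd.sys, HKLM\SOFTWARE\UAC) to
# "UAC + letters"; that generalisation is an assumption, not a published spec.
RULES = [
    ("rootkit-file",
     re.compile(r"(?:^|[\\/_])uac[a-z]+\.(?:sys|dll|db|dat)\b", re.I)),
    ("rootkit-regkey",
     re.compile(r"(?:HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\UAC\b", re.I)),
    # MBAM reports these as Disabled.SecurityCenter: the malware told Windows
    # not to warn that antivirus/firewall protection is off.
    ("securitycenter-tamper",
     re.compile(r"Security Center\\(?:AntiVirus|Firewall|Updates)DisableNotify"
                r".*Bad: \(1\)", re.I)),
    # A Winlogon Notify package whose DLL is gone. The loader outlived the file
    # it loads, which is how "quarantined" malware gets re-dropped at next boot.
    ("orphan-notify",
     re.compile(r"^O20\b.*\(file missing\)", re.I)),
    # Service entries pointing at a missing EXE are often uninstall leftovers
    # (Google Update, Webroot in this thread); review rather than delete blind.
    ("orphan-service",
     re.compile(r"^O23\b.*\(file missing\)", re.I)),
]


def triage(lines):
    """Return [(category, line)] for every non-empty line matching a rule."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for category, pattern in RULES:
            if pattern.search(line):
                hits.append((category, line))
                break
    return hits


def summarize(hits):
    """Count hits per category and give a one-line verdict."""
    counts = Counter(category for category, _ in hits)
    if any(c.startswith("rootkit") for c in counts):
        verdict = "rootkit indicators present"
    elif counts:
        verdict = "no rootkit indicators; review remaining hits"
    else:
        verdict = "clean by these rules"
    return counts, verdict


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: khFwuSMG - khFwuSMG.dll (file missing)
O23 - Service: Google Update Service (gupdate1c98f2f29ddc5b3) (gupdate1c98f2f29ddc5b3) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
-------\Service_UACd.sys
2009-02-28 10:08 . 2009-03-26 14:54 1,896,749 --a------ c:\windows\system32\uactmp.db
2009-02-28 08:14 . 2009-03-12 13:12 414,144 --a------ c:\windows\system32\UACqhlapaxk.db
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\dTJxevDn.exe.part (Trojan.FakeAlert) -> Quarantined and deleted successfully.
""".strip().splitlines()


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for category, line in found:
        print(f"[{category:>22}] {line}")
    counts, verdict = summarize(found)
    print(dict(counts), "->", verdict)
```

The point of the orphan rules is the thread's title: quarantining UACybwqwaom.sys removed a file, but the service and Winlogon Notify entries that load the rootkit stayed registered, so the next boot re-created it. Only once ComboFix removed Service_UACd.sys and the khFwuSMG notify entry did the detections stop. Treat the orphan-service hits as review items, since two of them here (Google Update, Webroot) are benign leftovers.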

OK, that's looking a lot better, and the HJT log is looking good to go :(

Please read the Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Safe surfing :(


This topic is now closed to further replies.