
Hijack.Regedit reappears after format



After being unable to get rid of a Hijack.Regedit infection detected by Malwarebytes' Anti-Malware, I decided to do a full format and reinstallation of Windows XP on my Dell laptop. After preparing some essential drivers and a free trial of zonealarm, I reinstalled Windows, the drivers, and zonealarm before physically connecting to the internet to download from Windows Update and upgrade to service pack 3. Then, after running a scan with Malwarebytes' Anti-Malware, the same single Hijack.Regedit infection showed up again.

I forgot to update the database though, and after I did this, the problem no longer shows up on the scans. I was told by an admin that I should still post a log because it shouldn't have shown up in the first place. Originally, this was in the log file before I updated (from what I remember):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.

The log files below are after the update to Malwarebytes' Anti-Malware.

-----------------------------------------------------------

Malwarebytes' Anti-Malware 1.36

Database version: 1978

Windows 5.1.2600 Service Pack 3

4/13/2009 3:35:35 PM

mbam-log-2009-04-13 (15-35-35).txt

Scan type: Full Scan (C:\|)

Objects scanned: 85238

Time elapsed: 27 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:39:41 PM, on 4/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = GSPI

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\GSPI412.vbs

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [uIUCU] C:\DOCUME~1\Derrick\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunServices: [MSConfig] C:\WINDOWS\GSPI412.vbs

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 3546 bytes
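The HijackThis log above carries the two indicators this thread turns on: an O7 policy line that disables Registry Editor (the same setting Malwarebytes reported as `DisableRegistryTools`; HijackThis labels it `DisableRegedit`), and O4 autostart entries under both `Run` and `RunServices` that launch a `.vbs` script from `C:\WINDOWS` instead of a program. As an added example, not part of the original post and not code from Malwarebytes or Trend Micro, the Python below reads HijackThis-style lines, parses the O4 and O7 entries and reports exactly those two patterns, plus any program registered under more than one autostart key. The sample lines are a constructed subset copied in the shape of the log above; the function names and the extension lists are this example's own assumptions.

```python
"""Triage HijackThis-style log lines for the indicators seen in this thread."""
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of the HijackThis log above (a subset of the
# posted lines, embedded here so the script runs stand-alone).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\GSPI412.vbs
O4 - HKLM\..\Run: [uIUCU] C:\DOCUME~1\Derrick\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\RunServices: [MSConfig] C:\WINDOWS\GSPI412.vbs
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Extensions that hand the file to a script host rather than load it as a PE image.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd"}
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif"} | SCRIPT_EXTENSIONS

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>\S+)$")
# Both spellings of the "Prevent access to registry editing tools" policy value:
# HijackThis prints DisableRegedit, the MBAM log above names DisableRegistryTools.
REGEDIT_POLICY_VALUES = {"disableregedit", "disableregistrytools"}


def executable_path(cmd: str) -> str:
    """Return the program an autostart command line launches.

    A quoted path is taken verbatim. Otherwise tokens are joined from the left
    until the accumulated text ends in a known executable or script extension,
    so an unquoted path containing spaces is still recovered whole.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if ntpath.splitext(candidate)[1].lower() in EXECUTABLE_EXTENSIONS:
            return candidate
    return tokens[0] if tokens else ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for the lines that matter."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O7_RE.match(line)
        if m:
            if m["value"].lower() in REGEDIT_POLICY_VALUES and m["data"] == "1":
                findings.append(("policy", f"Registry Editor disabled by {m['key']}\\{m['value']}=1"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = executable_path(m["cmd"])
        if ntpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
            findings.append(("autostart-script",
                             f"{m['hive']}\\..\\{m['key']} [{m['name']}] launches script {path}"))
    return findings


def autostart_keys_by_program(log_text: str) -> Dict[str, Set[str]]:
    """Map each launched program (lower-cased) to the autostart keys that name it."""
    keys: Dict[str, Set[str]] = {}
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if m:
            keys.setdefault(executable_path(m["cmd"]).lower(), set()).add(m["key"])
    return keys


def redundant_autostarts(log_text: str) -> Dict[str, Set[str]]:
    """Programs persisted under more than one key (Run and RunServices here)."""
    return {p: k for p, k in autostart_keys_by_program(log_text).items() if len(k) > 1}


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_HJT_LOG):
        print(f"[{category}] {detail}")
    for program, keys in redundant_autostarts(SAMPLE_HJT_LOG).items():
        print(f"[redundant] {program} registered under {', '.join(sorted(keys))}")
```

Run against the full log, the script would flag the two `GSPI412.vbs` entries and the O7 line and nothing else; the `UIUCU.EXE` and ZoneAlarm entries pass because they launch executables rather than scripts, which is the distinction the triage rests on.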


  • Staff

Hi,

This computer is indeed still infected. You are dealing with a flashdrive infection, so this means that you got reinfected after you formatted and reinstalled Windows, because you used an infected flashdrive on it. I really hope this isn't Sality here...

First of all... * Please install Avira Antivirus: http://www.free-av.com/

Then insert your infected flashdrive / thumbdrive and leave it inserted so Avira can scan it. Or; even better, format the flashdrive, so you can't get infected through it anymore.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, plus a new HijackThis log.


Ok, I ended up doing 2 separate scans, one of the local hard disk and 250GB external, and then another scan for my 1GB thumb drive used during the reinstallation. I noticed that during the scan of the thumb drive, some notifications popped up (around 4 or 5) about some harmful vb scripts on the device. But, before I could fully read and react to them, the scan finished and what you see here is the log for that scan.

------------------------------------------------------------------------------------------------

Avira AntiVir Personal

Report file date: Tuesday, April 14, 2009 11:02

Scanning for 1351911 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : DERRICK-LAPTOP

Version information:

BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00

AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 19:13:26

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 03:33:26

ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 17:32:39

ANTIVIR3.VDF : 7.1.3.50 235008 Bytes 4/14/2009 17:32:43

Engineversion : 8.2.0.143

AEVDF.DLL : 8.1.1.0 106868 Bytes 1/28/2009 00:36:42

AESCRIPT.DLL : 8.1.1.75 373113 Bytes 4/14/2009 17:32:57

AESCN.DLL : 8.1.1.10 127348 Bytes 4/14/2009 17:32:56

AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 01:24:41

AEPACK.DLL : 8.1.3.12 397687 Bytes 4/14/2009 17:32:56

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 03:01:56

AEHEUR.DLL : 8.1.0.116 1708407 Bytes 4/14/2009 17:32:54

AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 03:01:56

AEGEN.DLL : 8.1.1.34 340340 Bytes 4/14/2009 17:32:46

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 21:32:40

AECORE.DLL : 8.1.6.9 176500 Bytes 4/14/2009 17:32:44

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 21:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 17:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 21:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09

AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 14:52:24

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 18:45:45

RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 22:55:12

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, G:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Tuesday, April 14, 2009 11:02

Starting search for hidden objects.

'29803' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'mantispm.exe' - '1' Module(s) have been scanned

Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned

Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned

Scan process 'zlclient.exe' - '0' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned

Scan process 'vsmon.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned

Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'EvtEng.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

30 processes with 30 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '46' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\Data1.cab

[0] Archive type: CAB (Microsoft)

--> usa03.ths

[WARNING] The file could not be written!

--> MinionPro_Bold.otf

[WARNING] No further files can be extracted from this archive. The archive will be closed

[WARNING] No further files can be extracted from this archive. The archive will be closed

C:\Site Downloads\zaSuiteSetup_80_298_035_en.exe

[0] Archive type: ZIP SFX (self extracting)

--> SWITCHUNINST_44ZONE LABS.EXE

[1] Archive type: RSRC

--> WINDOWS6.0-KB929547-V2-X64.MSU

[1] Archive type: CAB (Microsoft)

--> Windows6.0-KB929547-v2-x64.cab

[WARNING] No further files can be extracted from this archive. The archive will be closed

Begin scan in 'D:\'

Search path D:\ could not be opened!

System error [1005]: The volume does not contain a recognized file system.

Begin scan in 'G:\' <DaeDaeK (250GB)>

End of the scan: Tuesday, April 14, 2009 11:42

Used time: 40:00 Minute(s)

The scan has been done completely.

2393 Scanned directories

183348 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

2 Files cannot be scanned

183346 Files not concerned

1011 Archives were scanned

6 Warnings

2 Notes

29803 Objects were scanned with rootkit scan

0 Hidden objects were found

------------------------------------------------------------------------------------------------

Avira AntiVir Personal

Report file date: Tuesday, April 14, 2009 12:39

Scanning for 1351911 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : Derrick

Computer name : DERRICK-LAPTOP

Version information:

BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00

AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 19:13:26

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 03:33:26

ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 17:32:39

ANTIVIR3.VDF : 7.1.3.50 235008 Bytes 4/14/2009 17:32:43

Engineversion : 8.2.0.143

AEVDF.DLL : 8.1.1.0 106868 Bytes 1/28/2009 00:36:42

AESCRIPT.DLL : 8.1.1.75 373113 Bytes 4/14/2009 17:32:57

AESCN.DLL : 8.1.1.10 127348 Bytes 4/14/2009 17:32:56

AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 01:24:41

AEPACK.DLL : 8.1.3.12 397687 Bytes 4/14/2009 17:32:56

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 03:01:56

AEHEUR.DLL : 8.1.0.116 1708407 Bytes 4/14/2009 17:32:54

AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 03:01:56

AEGEN.DLL : 8.1.1.34 340340 Bytes 4/14/2009 17:32:46

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 21:32:40

AECORE.DLL : 8.1.6.9 176500 Bytes 4/14/2009 17:32:44

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 21:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 17:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 21:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09

AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 14:52:24

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 18:45:45

RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 22:55:12

Configuration settings for the scan:

Jobname.............................: Removable Drives

Configuration file..................: c:\program files\avira\antivir desktop\rmdiscs.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: F:, E:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: Intelligent file selection

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Tuesday, April 14, 2009 12:39

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'mantispm.exe' - '1' Module(s) have been scanned

Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned

Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned

Scan process 'zlclient.exe' - '0' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned

Scan process 'vsmon.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned

Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'EvtEng.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

30 processes with 30 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '46' files ).

Starting the file scan:

Begin scan in 'F:\' <DAEDAEK_1GB>

F:\zlsSetup_80_298_000_en.exe

[0] Archive type: ZIP SFX (self extracting)

--> SWITCHUNINST_44ZONE LABS.EXE

[1] Archive type: RSRC

--> WINDOWS6.0-KB929547-V2-X64.MSU

[1] Archive type: CAB (Microsoft)

--> Windows6.0-KB929547-v2-x64.cab

[WARNING] No further files can be extracted from this archive. The archive will be closed

Begin scan in 'E:\' <TheFrozenThrone>

End of the scan: Tuesday, April 14, 2009 12:41

Used time: 01:42 Minute(s)

The scan has been done completely.

15 Scanned directories

11976 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

11976 Files not concerned

77 Archives were scanned

1 Warnings

0 Notes

------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:18:53 PM, on 4/14/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = GSPI

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\GSPI412.vbs

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [uIUCU] C:\DOCUME~1\Derrick\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\RunServices: [MSConfig] C:\WINDOWS\GSPI412.vbs

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 3988 bytes


I realized that the infection I saw earlier was detected by AntiVir Guard.

4/14/2009,10:27:26 ---------------------------------------------------------

4/14/2009,10:27:29 Keyfile contains a valid license. The Avira AntiVir Personal - Free Antivirus will run as a fully functional version!

4/14/2009,10:27:29 AntiVir Guard version: 9.00.01.26,engine version 8.2.0.100,VDF version: 7.1.2.127

4/14/2009,10:27:30 AntiVir Guard was enabled.

4/14/2009,10:27:30 Avira AntiVir Personal - Free Antivirus has been started successfully!

4/14/2009,10:27:30 [CONFIG] On-Access configuration used:

- Files to scan: scan files from local drives

- Files to scan: Use file extension list: . .386 .?HT* .ACM .ADE .ADP .ANI .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CPX .CRT .CSH .DLL .DLO .DO? .DRV .EMF .EML .EXE* .FAS .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SIS .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .XXX .ZIP

- Device mode: scan files on open, scan files on close

- Actions: ask the user

- Scan archive: Disabled

- Heuristic: Enabled

- Win32 file heuristic: Medium detection level

- Logfile report level Default

4/14/2009,10:33:12 Update process started!

4/14/2009,10:33:16 Current Engine Version: 8.2.0.143

4/14/2009,10:33:16 Current Pattern File: 7.1.3.50

4/14/2009,12:41:02 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus!

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090414-123942-6A162BCA\AVSCAN-00000003.vbs

[uSER] NT AUTHORITY\SYSTEM

[iNFO] No right to access the file.

4/14/2009,12:41:01 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus!

F:\GSPI410.vbs

[uSER] NT AUTHORITY\SYSTEM

[iNFO] No right to access the file.

4/14/2009,12:41:02 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus!

F:\GSPI412.vbs

[uSER] NT AUTHORITY\SYSTEM

[iNFO] No right to access the file.

4/14/2009,12:41:02 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus!

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090414-123942-6A162BCA\AVSCAN-00000002.vbs

[uSER] NT AUTHORITY\SYSTEM

[iNFO] No right to access the file.

4/14/2009,13:08:24 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus!

F:\GSPI410.vbs

[uSER] NT AUTHORITY\SYSTEM

[iNFO] No right to access the file.

4/14/2009,13:08:25 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus!

F:\GSPI412.vbs

[uSER] NT AUTHORITY\SYSTEM

[iNFO] No right to access the file.

4/14/2009,13:08:25 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus!

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090414-130753-D2D8D7A5\AVSCAN-00000003.vbs

[uSER] NT AUTHORITY\SYSTEM

[iNFO] No right to access the file.

4/14/2009,13:08:24 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus!

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090414-130753-D2D8D7A5\AVSCAN-00000002.vbs

[uSER] NT AUTHORITY\SYSTEM

[iNFO] No right to access the file.
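The Guard report above is what actually answers the question of where the infection lives: the `VBS/Autorun.ar` hits are on the thumb drive (`F:\GSPI410.vbs`, `F:\GSPI412.vbs`), while the `HTML/Rce.Gen` hits point into Avira's own `TEMP\AVSCAN-*` folder, which the scanner uses while a scan is running. As an added example, not from Derrick's post and not Avira's code, the Python below parses records of this shape (timestamped `[WARNING]` line, then the path, then `[USER]` and `[INFO]` lines), groups them by signature and lists the unique paths on real media in first-seen order. The sample records are constructed from the lines above; treating paths under Avira's `TEMP\AVSCAN-` folder as scanner artefacts rather than source files is this example's assumption, and the forum's `[uSER]`/`[iNFO]` casing is accepted alongside `[USER]`/`[INFO]`.

```python
"""Parse Avira AntiVir Guard report records and separate media hits from scanner temp files."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample in the shape of the Guard report above. The forum rendered
# [USER]/[INFO] as [uSER]/[iNFO]; both casings appear here and both are accepted.
SAMPLE_GUARD_LOG = r"""
4/14/2009,12:41:01 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus!
F:\GSPI410.vbs
[USER] NT AUTHORITY\SYSTEM
[INFO] No right to access the file.
4/14/2009,12:41:02 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus!
F:\GSPI412.vbs
[uSER] NT AUTHORITY\SYSTEM
[iNFO] No right to access the file.
4/14/2009,12:41:02 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus!
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090414-123942-6A162BCA\AVSCAN-00000003.vbs
[USER] NT AUTHORITY\SYSTEM
[INFO] No right to access the file.
4/14/2009,13:08:24 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus!
F:\GSPI410.vbs
[USER] NT AUTHORITY\SYSTEM
[INFO] No right to access the file.
"""

WARNING_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}),(?P<time>\d{2}:\d{2}:\d{2}) \[WARNING\] "
    r"Contains recognition pattern of the (?P<sig>\S+) "
)
TAG_RE = re.compile(r"^\[(?P<tag>\w+)\] (?P<text>.*)$")
# Assumption of this example: paths under Avira's scan temp folder are copies the
# scanner made while working, not the on-disk source of the infection.
SCANNER_TEMP_MARKER = r"\AntiVir Desktop\TEMP\AVSCAN-"


@dataclass
class Detection:
    timestamp: str
    signature: str
    path: str = ""
    user: str = ""
    info: str = ""

    @property
    def scanner_temp(self) -> bool:
        return SCANNER_TEMP_MARKER.lower() in self.path.lower()


def parse_guard_log(text: str) -> List[Detection]:
    """Turn the multi-line Guard records into Detection objects, in log order."""
    detections: List[Detection] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WARNING_RE.match(line)
        if m:
            current = Detection(f"{m['date']} {m['time']}", m["sig"])
            detections.append(current)
            continue
        if current is None:
            continue  # text before the first record (e.g. startup banner lines)
        t = TAG_RE.match(line)
        if t:
            tag = t["tag"].lower()  # accepts [USER] as well as the forum's [uSER]
            if tag == "user":
                current.user = t["text"]
            elif tag == "info":
                current.info = t["text"]
        elif not current.path:
            current.path = line  # the first untagged line after a WARNING is the file
    return detections


def by_signature(detections: List[Detection]) -> Dict[str, Set[str]]:
    """Group detected paths by signature name."""
    out: Dict[str, Set[str]] = {}
    for d in detections:
        out.setdefault(d.signature, set()).add(d.path)
    return out


def files_on_media(detections: List[Detection]) -> List[str]:
    """Unique non-temp paths in first-seen order: the files that actually need removing."""
    seen: List[str] = []
    for d in detections:
        if d.path and not d.scanner_temp and d.path not in seen:
            seen.append(d.path)
    return seen


if __name__ == "__main__":
    dets = parse_guard_log(SAMPLE_GUARD_LOG)
    for sig, paths in by_signature(dets).items():
        print(f"{sig}: {len(paths)} unique path(s)")
    print("on media:", files_on_media(dets))
```

The same two F:\ paths come out of the parser as the removal targets that the staff reply names next, while the repeated 13:08 record for `GSPI410.vbs` collapses into the first one, which is why the de-duplication keeps log order rather than using a set.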


  • Staff

Hi,

This is the one that needs to get removed from the Thumbdrive: GSPI410.vbs

But since you said you've formatted it, it should be gone now. However, do not use the clean thumbdrive on the infected computer now, because we still have to clean the infected computer; otherwise it will infect the clean thumbdrive again and vice versa.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Here is the log after running ComboFix.

ComboFix 09-04-15.08 - Derrick 04/15/2009 0:26.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.681 [GMT -7:00]

Running from: c:\documents and settings\Derrick\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)

FW: ZoneAlarm Security Suite Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))

.

2009-04-15 01:01 . 2009-04-15 01:01 -------- d-----w c:\program files\PCSpim

2009-04-15 00:50 . 2009-04-15 00:50 64776 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-04-15 00:50 . 2009-04-15 00:50 -------- d-----w c:\windows\system32\XPSViewer

2009-04-15 00:50 . 2009-04-15 00:50 -------- d-----w c:\program files\MSBuild

2009-04-15 00:49 . 2009-04-15 00:49 -------- d-----w c:\program files\Reference Assemblies

2009-04-15 00:48 . 2009-04-15 00:49 -------- d-----w C:\8a199e51b6c76bb1c403a8

2009-04-15 00:48 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-04-15 00:48 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll

2009-04-15 00:48 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll

2009-04-15 00:48 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll

2009-04-15 00:48 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll

2009-04-15 00:48 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll

2009-04-15 00:48 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-04-14 22:53 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-14 22:53 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-14 22:53 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-14 22:53 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-14 22:53 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-14 22:53 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-14 22:53 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-14 22:53 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-14 22:53 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-14 22:52 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb

2009-04-14 22:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-14 22:52 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-04-14 17:26 . 2009-02-13 18:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-04-14 17:26 . 2009-04-14 17:26 -------- d-----w c:\program files\Avira

2009-04-14 17:26 . 2009-04-14 17:26 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-04-14 17:22 . 2009-04-14 17:22 -------- d--h--w c:\windows\system32\GroupPolicy

2009-04-14 00:25 . 2009-04-14 00:26 -------- d-----w c:\program files\Xming

2009-04-13 21:38 . 2009-04-13 21:38 -------- d-----w c:\program files\Trend Micro

2009-04-13 18:57 . 2009-04-13 18:57 -------- d-----w c:\documents and settings\Derrick\Application Data\Malwarebytes

2009-04-13 18:57 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-13 18:57 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-13 18:57 . 2009-04-13 18:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-13 18:57 . 2009-04-13 18:57 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-13 15:28 . 2009-04-13 15:29 -------- d-----w c:\documents and settings\Derrick\Application Data\vlc

2009-04-13 08:15 . 2009-04-14 00:30 -------- d-----w c:\documents and settings\Derrick\Application Data\SSH

2009-04-13 08:14 . 2009-04-13 08:14 -------- d-----w c:\program files\SSH Communications Security

2009-04-13 07:26 . 2009-04-13 07:26 -------- d-----w c:\program files\VideoLAN

2009-04-13 07:19 . 2009-04-13 07:19 -------- d-----w c:\documents and settings\Derrick\Application Data\FastStone

2009-04-13 07:19 . 2009-04-13 07:19 -------- d-----w c:\program files\FastStone Image Viewer

2009-04-13 06:37 . 2009-04-13 07:23 -------- d-----w c:\program files\StealthBot

2009-04-13 06:26 . 2009-04-13 06:26 -------- d-----w c:\program files\CONEXANT

2009-04-13 06:19 . 2009-04-13 06:20 -------- d-----w c:\documents and settings\Derrick\Local Settings\Application Data\Adobe

2009-04-13 06:06 . 2009-04-13 06:06 -------- d-----w c:\program files\Common Files\Adobe AIR

2009-04-13 06:04 . 2009-04-13 06:05 -------- d-----w c:\program files\Common Files\Adobe

2009-04-13 05:38 . 2009-04-13 06:15 77740 ----a-w c:\windows\War3Unin.dat

2009-04-13 05:38 . 2009-04-13 05:50 2829 ----a-w c:\windows\War3Unin.pif

2009-04-13 05:38 . 2009-04-13 05:50 139264 ----a-w c:\windows\War3Unin.exe

2009-04-13 05:33 . 2009-04-15 03:06 -------- d-----w c:\program files\Warcraft III

2009-04-13 05:13 . 2008-04-13 18:45 6272 -c--a-w c:\windows\system32\dllcache\splitter.sys

2009-04-13 05:13 . 2008-04-13 18:45 6272 ----a-w c:\windows\system32\drivers\splitter.sys

2009-04-13 05:13 . 2008-04-13 19:17 83072 -c--a-w c:\windows\system32\dllcache\wdmaud.sys

2009-04-13 05:13 . 2008-04-13 19:17 83072 ----a-w c:\windows\system32\drivers\wdmaud.sys

2009-04-13 05:13 . 2008-04-13 18:45 52864 -c--a-w c:\windows\system32\dllcache\dmusic.sys

2009-04-13 05:13 . 2008-04-13 18:45 52864 ----a-w c:\windows\system32\drivers\DMusic.sys

2009-04-13 05:13 . 2008-04-13 18:45 56576 -c--a-w c:\windows\system32\dllcache\swmidi.sys

2009-04-13 05:13 . 2008-04-13 18:45 56576 ----a-w c:\windows\system32\drivers\swmidi.sys

2009-04-13 05:13 . 2008-04-13 16:39 142592 -c--a-w c:\windows\system32\dllcache\aec.sys

2009-04-13 05:13 . 2008-04-13 16:39 142592 ----a-w c:\windows\system32\drivers\aec.sys

2009-04-13 05:13 . 2008-04-13 18:45 172416 -c--a-w c:\windows\system32\dllcache\kmixer.sys

2009-04-13 05:13 . 2008-04-13 18:45 172416 ----a-w c:\windows\system32\drivers\kmixer.sys

2009-04-13 05:10 . 2009-04-13 05:10 -------- d-----w c:\program files\ATI Technologies

2009-04-13 04:59 . 2009-04-13 04:59 -------- d-----w c:\documents and settings\NetworkService\Application Data\Intel

2009-04-13 04:59 . 2009-04-13 04:59 -------- d-----w c:\documents and settings\LocalService\Application Data\Intel

2009-04-13 04:59 . 2009-04-13 04:59 -------- d-----w c:\documents and settings\Derrick\Application Data\Intel

2009-04-13 04:58 . 2009-04-13 04:58 21425 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-04-13 04:58 . 2009-04-13 04:58 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Intel

2009-04-13 04:58 . 2009-04-13 04:58 -------- d-----w c:\documents and settings\All Users\Application Data\Intel

2009-04-13 04:57 . 2007-02-12 18:41 2732032 ----a-w c:\windows\system32\Netw2r32.dll

2009-04-13 04:57 . 2007-02-12 18:40 557056 ----a-w c:\windows\system32\Netw2c32.dll

2009-04-13 04:57 . 2007-02-08 20:51 2209408 ----a-w c:\windows\system32\drivers\w29n51.sys

2009-04-13 04:57 . 2009-04-13 04:57 -------- dc----w c:\windows\system32\DRVSTORE

2009-04-13 04:57 . 2009-04-13 04:57 -------- d-----w c:\program files\Intel

2009-04-13 04:42 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys

2009-04-13 04:42 . 2009-02-20 08:10 666112 -c----w c:\windows\system32\dllcache\wininet.dll

2009-04-13 04:42 . 2009-02-20 08:10 619520 -c----w c:\windows\system32\dllcache\urlmon.dll

2009-04-13 04:42 . 2009-03-02 23:04 1499136 -c----w c:\windows\system32\dllcache\shdocvw.dll

2009-04-13 04:41 . 2009-02-06 11:06 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe

2009-04-13 04:41 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe

2009-04-13 04:41 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe

2009-04-13 04:41 . 2009-02-08 02:02 2066048 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe

2009-04-13 04:41 . 2009-02-20 08:11 3068416 -c----w c:\windows\system32\dllcache\mshtml.dll

2009-04-13 04:41 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys

2009-04-13 04:41 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys

2009-04-13 04:41 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys

2009-04-13 04:41 . 2008-05-01 14:33 331776 -c----w c:\windows\system32\dllcache\msadce.dll

2009-04-13 04:41 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll

2009-04-13 04:41 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll

2009-04-13 04:41 . 2008-09-04 17:15 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll

2009-04-13 04:28 . 2009-04-13 04:28 -------- d-----w c:\windows\system32\scripting

2009-04-13 04:28 . 2009-04-13 04:28 -------- d-----w c:\windows\l2schemas

2009-04-13 04:28 . 2009-04-13 04:28 -------- d-----w c:\windows\system32\en

2009-04-13 04:28 . 2009-04-13 04:28 -------- d-----w c:\windows\system32\bits

2009-04-13 04:25 . 2009-04-13 04:29 -------- d-----w c:\windows\ServicePackFiles

2009-04-13 04:13 . 2009-04-13 04:13 -------- d-----w c:\windows\system32\LogFiles

2009-04-13 04:06 . 2004-08-04 12:00 9585 -c----w c:\windows\system32\dllcache\controls.css

2009-04-13 04:06 . 2004-08-04 12:00 6878 -c----w c:\windows\system32\dllcache\controls.js

2009-04-13 04:06 . 2004-08-04 12:00 381425 -c----w c:\windows\system32\dllcache\copycd.wmv

2009-04-13 04:06 . 2004-07-18 05:55 129045 ------w c:\windows\system32\drivers\cxthsfs2.cty

2009-04-13 04:06 . 2004-08-04 12:00 8298 -c----w c:\windows\system32\dllcache\contents.htm

2009-04-13 04:06 . 2004-08-04 12:00 773 -c----w c:\windows\system32\dllcache\cnth.gif

2009-04-13 04:06 . 2004-08-04 12:00 773 -c----w c:\windows\system32\dllcache\cnt.gif

2009-04-13 04:06 . 2004-08-04 12:00 772 -c----w c:\windows\system32\dllcache\cntd.gif

2009-04-13 04:06 . 2004-08-04 12:00 760 -c----w c:\windows\system32\dllcache\cloapph.gif

2009-04-13 04:06 . 2004-08-04 12:00 717 -c----w c:\windows\system32\dllcache\cloapp.gif

2009-04-13 04:06 . 2004-08-04 12:00 999 -c----w c:\windows\system32\dllcache\bktrh.gif

2009-04-13 04:05 . 2009-04-14 20:49 1113 ----a-w C:\rollback.ini

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-15 07:28 . 2009-04-13 03:43 14052896 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-04-15 07:28 . 2009-04-13 03:43 14052896 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-04-15 07:22 . 2009-04-13 03:44 13104 ----a-w c:\documents and settings\Derrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-15 03:04 . 2009-04-13 03:43 171440 --sha-w c:\windows\system32\drivers\fidbox.idx

2009-04-13 08:20 . 2009-04-13 14:56 251904 ----a-w c:\windows\Internet Logs\xDB1.tmp

2009-04-13 08:14 . 2009-04-13 03:48 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-13 05:12 . 2009-04-13 05:12 -------- d-----w c:\program files\SigmaTel

2009-04-13 05:12 . 2009-04-13 03:47 -------- d-----w c:\program files\Common Files\InstallShield

2009-04-13 04:39 . 2009-04-13 03:41 4212 ---ha-w c:\windows\system32\zllictbl.dat

2009-04-13 04:32 . 2009-04-13 03:24 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-04-13 04:22 . 2004-08-04 12:00 250048 --sha-r C:\ntldr

2009-04-13 03:47 . 2009-04-13 03:47 -------- d-----w c:\program files\Broadcom

2009-04-13 03:43 . 2009-04-13 03:43 -------- d-----w c:\documents and settings\Derrick\Application Data\MailFrontier

2009-04-13 03:38 . 2009-04-13 03:38 -------- d-----w c:\program files\Zone Labs

2009-04-13 03:25 . 2009-04-13 03:25 -------- d-----w c:\program files\microsoft frontpage

2009-04-13 03:21 . 2009-04-13 03:21 21640 ----a-w c:\windows\system32\emptyregdb.dat

2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w c:\windows\system32\wininet.dll

2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll

2009-02-16 07:10 . 2009-04-13 03:41 72584 ----a-w c:\windows\zllsputility.exe

2009-02-16 07:10 . 2009-04-13 03:40 1221512 ----a-w c:\windows\system32\zpeng25.dll

2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys

2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe

2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe

2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-MSConfig - c:\windows\GSPI412.vbs

.

------- Supplementary Scan -------

.

FF - ProfilePath - c:\documents and settings\Derrick\Application Data\Mozilla\Firefox\Profiles\ulb1e6i1.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-15 00:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-04-15 0:29

ComboFix-quarantined-files.txt 2009-04-15 07:29

Pre-Run: 52,533,067,776 bytes free

Post-Run: 52,552,151,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

213 --- E O F --- 2009-04-14 23:10


  • Staff

Hi,

This looks OK again. Avira already deleted the files anyway. The next Malwarebytes update will also detect and remove this variant now.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


  • Staff

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
