Trojan.Metajuan Rootkit.Trace Trojan.Agent


Hi,

This appears to be the only forum that has been shown to help with similar problems.

Compaq Presario Windows XP Home Edition, 2002 SP3

I have Malwarebytes that cleaned up some other problems then purchased Norton Antivirus thinking that would fix everything, but no.

Malwarebytes found Rootkit.Trace and Trojan.Agent, but cannot get rid of them. Norton found Trojan.Metajuan but just says get help. Their help says to erase a registry entry and registry subkey entries that do not show up when I look for them.

Thanks for your help...

Steve McCain

Log text from both tools shown below:

Malwarebytes' Anti-Malware 1.34

Database version: 1849

Windows 5.1.2600 Service Pack 3

8/20/2009 6:58:47 PM

mbam-log-2009-08-20 (18-58-37).txt

Scan type: Quick Scan

Objects scanned: 80936

Time elapsed: 18 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

NORTON........

Category: Intrusion Prevention

Date & Time,Severity,Activity,Status,Recommended Action,Category

8/20/2009 7:01 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention

8/20/2009 7:01 PM,Info,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090810.001,Detected,No Action Required,Intrusion Prevention

8/20/2009 7:01 PM,Info,Intrusion Prevention is monitoring 1384 signatures. Driver version: 9.0.5.23,Detected,No Action Required,Intrusion Prevention

8/19/2009 11:03 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention

8/19/2009 11:03 PM,Info,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090810.001,Detected,No Action Required,Intrusion Prevention

8/19/2009 11:03 PM,Info,Intrusion Prevention is monitoring 1384 signatures. Driver version: 9.0.5.23,Detected,No Action Required,Intrusion Prevention

8/19/2009 10:40 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention

8/19/2009 10:40 PM,Info,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090810.001,Detected,No Action Required,Intrusion Prevention

8/19/2009 10:40 PM,Info,Intrusion Prevention is monitoring 1384 signatures. Driver version: 9.0.5.23,Detected,No Action Required,Intrusion Prevention

8/19/2009 9:58 PM,Info,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090810.001,Detected,No Action Required,Intrusion Prevention

8/19/2009 9:58 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention

8/19/2009 9:58 PM,Info,Intrusion Prevention is monitoring 1384 signatures. Driver version: 9.0.5.23,Detected,No Action Required,Intrusion Prevention

8/19/2009 7:46 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention

8/19/2009 7:46 PM,Info,Intrusion Prevention Engine version: 4.1.0.61 Definitions Set version: 20090206.001,Detected,No Action Required,Intrusion Prevention

8/19/2009 7:46 PM,Info,Intrusion Prevention is monitoring 1319 signatures. Driver version: 9.0.3.10,Detected,No Action Required,Intrusion Prevention

Category: Resolved Security Risks

Date & Time,Severity,Activity,Status,Recommended Action,Component,Definitions Version,ERASER Version,Risk Name,Risk Category,Risk Type,Risk State

8/20/2009 7:04 PM,Low,Tracking Cookie detected by Virus scanner,Removed,Resolved - No Action,Virus scanner,2009.08.19.021,109.1.0.61,Tracking Cookie,Cookie,File Based,Fully removed

8/19/2009 9:42 PM,Low,iProtectYou detected by Virus scanner,Ignored,Resolved - No Action,Virus scanner,2009.08.19.021,109.1.0.61,iProtectYou,Parental Control,File Based,Removal not attempted

8/19/2009 9:33 PM,Low,Tracking Cookie detected by Virus scanner,Removed,Resolved - No Action,Virus scanner,2009.08.19.021,109.1.0.61,Tracking Cookie,Cookie,File Based,Fully removed

Category: Scan Results

Date & Time,Severity,Activity,Status,Task Name,Scan Time,Total items scanned,Files & Directories,Registry Entries,Processes & Start-Up Items,Network & Browser Items,Other,Trusted Files,Skipped Files,Total Security Risks Detected,Virus,Cookie,Total Security Risks Resolved,Cookie Resolved,Total Security Risks Requiring Attention,Virus Unresolved,Parental Control,Virus Resolved,Parental Control Unresolved

8/20/2009 7:04 PM,Info,Quick Scan results,Completed,Quick Scan,0:00:02:47 (d:h:m:s),"5,784",824,263,"2,313","2,379",5,0,0,2,1,1,1,1,1,1,,,

8/19/2009 10:24 PM,Info,Full System Scan results,Completed,Full System Scan,0:00:14:06 (d:h:m:s),"92,087","82,657",361,"2,230","6,833",6,0,0,2,1,,1,,1,,1,1,1

8/19/2009 9:57 PM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:01:15 (d:h:m:s),"3,482",853,263,"2,235",36,95,0,0,1,1,,0,,1,1,,,

8/19/2009 9:39 PM,Info,Quick Scan results,Completed,Quick Scan,0:00:01:31 (d:h:m:s),"5,714",832,263,"1,987","2,627",5,0,0,2,1,1,2,1,0,,,1,

Category: Unresolved Security Risks

Date & Time,Severity,Activity,Status,Recommended Action,Component,Definitions Version,ERASER Version,Risk Name,Risk Category,Risk Type,Risk State

8/20/2009 7:04 PM,High,Trojan.Metajuan detected by Virus scanner,Attention Required,Remove this Security Risk now.,Virus scanner,2009.08.19.021,109.1.0.61,Trojan.Metajuan,Virus,File Based,Removal failed

Category: Errors

Date & Time,Severity,Activity,Status,Recommended Action,Error Time,User Name,Error ID,Module ID,Feature,Error Code,Product Version,Product Name,Error Description,Computer Name

8/19/2009 10:50 PM,Medium,SONAR Advanced Protection failed to load.,Error,Find more information on the Symantec website,"Wednesday, August 19, 2009 10:50 PM",Compaq_Owner,1,3039,SONAR,0x00000000,16.5.0.134,Norton AntiVirus,SONAR Advanced Protection failed to load.,YOUR-D0F670B45A

8/19/2009 7:56 PM,Medium,SONAR Advanced Protection failed to load.,Error,Find more information on the Symantec website,"Wednesday, August 19, 2009 7:56 PM",Compaq_Owner,1,3039,SONAR,0x00000000,16.5.0.134,Norton AntiVirus,SONAR Advanced Protection failed to load.,YOUR-D0F670B45A

8/19/2009 7:46 PM,Medium,Norton AntiVirus A required service or driver did not load. Norton Insight will not display signature or trust level.,Error,Find more information on the Symantec website,"Wednesday, August 19, 2009 7:46 PM",SYSTEM,10,5018,,0x00000001,16.5.0.134,Norton AntiVirus,Norton AntiVirus A required service or driver did not load. Norton Insight will not display signature or trust level.,YOUR-D0F670B45A

Category: Norton Community Watch

Date & Time,Severity,Activity,Status,Recommended Action,Date Updated,Submitted By,Description,Submission Details

8/20/2009 7:04 PM,Info,Statistical Submission: Trojan.Metajuan,Processing,No Action Required,"Thursday, August 20, 2009 7:04 PM",Norton AntiVirus,Statistical Submission: Trojan.Metajuan,"globalroot\systemroot\system32\uacmvheexnqwe.dll Detection Digest: 02 00 EA AF 01 01 01 00 00 B7 E9 9E 5D 39 BD D3 ............]9.. BC 28 29 25 1F 4E F4 86 DD 00 00 00 00 52 2B F7 .()%.N.......R+. F7 BA 80 6A 1B 00 00 00 00 31 3D 4E C9 ...j.....1=N. "

8/19/2009 10:27 PM,Info,IPS Detection Statistical Submission,Processing,No Action Required,"Wednesday, August 19, 2009 10:27 PM",Norton AntiVirus,IPS Detection Statistical Submission,"Signature ID: 23318 Local or Remote Attacker: 1 Remote Port: 1718 Local Port: 80 Protocol: 6 Signature Set Version: 20090810.001 Application Name: \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\COPY OF MBAM.EXE Offending URL: mbam-cdn.malwarebytes.org/program/mbam-setup.exe Date Detected: Thu, 20 Aug 2009 05:27:46 GMT Application File Checksum: 993BCFAF8926927D79AFB11D502B5F6D Application File Information: 1.34.0.0 Network Data: 4E444341040100003D00000003000001010000000200000001000300165B000054100100000103000600000017000B00524551554553545F5552492F70726F6772616D2F6D62616D2D73657475702E657865000010C000600000019001300524551554553545F4845414445525F484F53546D62616D2D63646E2E6D616C7761726562797465732E6F726700010E000600000000000E00524551554553545F504152414D534D5A Sub-signature ID: 69716 Remote Address: 208.111.148.7 "

8/19/2009 9:57 PM,Info,Statistical Submission: Trojan.Metajuan,Processing,No Action Required,"Wednesday, August 19, 2009 9:57 PM",Norton AntiVirus,Statistical Submission: Trojan.Metajuan,"globalroot\systemroot\system32\uacmvheexnqwe.dll Detection Digest: 02 00 EA AF 01 01 01 00 00 B7 E9 9E 5D 39 BD D3 ............]9.. BC 28 29 25 1F 4E F4 86 DD 00 00 00 00 52 2B F7 .()%.N.......R+. F7 BA 80 6A 1B 00 00 00 00 31 3D 4E C9 ...j.....1=N. "

8/19/2009 9:42 PM,Info,Statistical Submission: Trojan.Metajuan,Processing,No Action Required,"Wednesday, August 19, 2009 9:42 PM",Norton AntiVirus,Statistical Submission: Trojan.Metajuan,"globalroot\systemroot\system32\uacmvheexnqwe.dll Detection Digest: 02 00 EA AF 01 01 01 00 00 B7 E9 9E 5D 39 BD D3 ............]9.. BC 28 29 25 1F 4E F4 86 DD 00 00 00 00 52 2B F7 .()%.N.......R+. F7 BA 80 6A 1B 00 00 00 00 31 3D 4E C9 ...j.....1=N. "

8/19/2009 9:28 PM,Info,Statistical Submission: Trojan.Metajuan Removal Failed,Processing,No Action Required,"Wednesday, August 19, 2009 9:28 PM",Norton AntiVirus,Statistical Submission: Trojan.Metajuan Removal Failed,"globalroot\systemroot\system32\uacmvheexnqwe.dll Detection Digest: 02 00 EA AF 01 01 01 00 00 B7 E9 9E 5D 39 BD D3 ............]9.. BC 28 29 25 1F 4E F4 86 DD 00 00 00 00 52 2B F7 .()%.N.......R+. F7 BA 80 6A 1B 00 00 00 00 31 3D 4E C9 ...j.....1=N. "

8/19/2009 9:28 PM,Info,Statistical Submission: Trojan.Metajuan,Processing,No Action Required,"Wednesday, August 19, 2009 9:28 PM",Norton AntiVirus,Statistical Submission: Trojan.Metajuan,"globalroot\systemroot\system32\uacmvheexnqwe.dll Detection Digest: 02 00 EA AF 01 01 01 00 00 B7 E9 9E 5D 39 BD D3 ............]9.. BC 28 29 25 1F 4E F4 86 DD 00 00 00 00 52 2B F7 .()%.N.......R+. F7 BA 80 6A 1B 00 00 00 00 31 3D 4E C9 ...j.....1=N. "

8/19/2009 7:46 PM,Info,Norton Community Watch Submission,Processing,No Action Required,"Wednesday, August 19, 2009 7:46 PM",Norton AntiVirus,Norton Community Watch Submission,"This submission indicates that you chose to participate in Norton Community Watch. It contains: Submission Type: 1 File System Type: NTFS, FAT32, NTFS "


  • Staff

Hi,

First of all, please update MalwareBytes, because the database version and program version are way outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Hello Mieke,

Thanks for the reply.

Step 1 did not work. Checking for updates looked like it downloaded something, but did not install anything.

Step 2 - the link http://www.gt500.org/malwarebytes/database.jsp you provided to download the database appears to be a broken link. I found a similar link on the gt500 to download mbam-rules.exe, which I did. But then attempting to run MBAM would not work: "The database you are using is not supported by this version of Malwarebytes' Anti-Malware." Then I downloaded the latest version of the MBAM program. I attempted to download the latest version from the gt500 site, but the install stalls midway through Extracting files... and I have to kill the install with ctrl-alt-del.

Hope your day went better,

Steve


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hello Mieke...

I downloaded ComboFix. The red tiger icon is on my desktop. However, I could not get the program to run. Double clicking causes the Run dialog box to appear, but clicking run causes it to close, then the hourglass cursor icon appears for a few seconds, then just the normal cursor. I tried safe mode as well. I tried renaming the file and it started to run, but an error window popped up saying that renaming was not allowed. No other antivirus programs are running, Windows firewall is disabled.

Steve


OK, made some progress. I downloaded ComboFix again, but renamed it when saved to Combofxx.exe then it ran. Here is the log... (Thanks again for the help)

ComboFix 09-08-22.06 - Compaq_Owner 08/22/2009 20:34.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.188 [GMT -7:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFixx.exe

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common

c:\recycler\S-1-5-21-484763869-2025429265-1177238915-1003

c:\windows\Installer\1b1893.a394.msi

c:\windows\system32\drivers\ndisrd.sys

c:\windows\system32\drivers\Sonyhcp.dll

c:\windows\system32\drivers\UACvmtaaxnqqg.sys

c:\windows\system32\ndisapi.dll

c:\windows\system32\UACblnsejrqmi.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACmvheexnqwe.dll

c:\windows\system32\UACtamdieewbn.dll

c:\windows\system32\UACvxdcbfoafw.dat

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_NDISRD

-------\Service_NDISRD

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))

.

2009-08-23 03:13 . 2009-08-23 03:13 -------- d-----w- c:\program files\Unlocker

2009-08-21 05:07 . 2009-08-20 02:45 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2009-08-21 02:12 . 2009-08-20 02:45 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090820.022\EECTRL.SYS

2009-08-21 02:12 . 2009-08-20 02:45 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090820.022\ERASER.SYS

2009-08-21 02:12 . 2009-08-20 02:45 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090820.022\NAVEX32A.DLL

2009-08-21 02:12 . 2009-08-20 02:45 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090820.022\ECMSVR32.DLL

2009-08-20 02:45 . 2009-08-20 02:45 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll

2009-08-20 02:45 . 2009-08-20 02:45 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll

2009-08-20 02:45 . 2009-08-20 02:45 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll

2009-08-20 02:45 . 2009-08-21 02:11 -------- d-----w- c:\windows\system32\drivers\NAV

2009-08-20 02:45 . 2009-08-20 02:45 -------- d-----w- c:\program files\Norton AntiVirus

2009-08-20 02:45 . 2009-08-20 02:45 -------- d-----w- c:\program files\Windows Sidebar

2009-08-20 02:45 . 2009-08-20 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-20 02:43 . 2009-08-20 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-20 02:43 . 2009-08-20 02:43 -------- d-----w- c:\program files\NortonInstaller

2009-08-18 04:05 . 2009-08-19 00:49 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-17 04:20 . 2009-08-17 04:20 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE

2009-08-17 04:20 . 2009-08-17 04:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-17 04:20 . 2009-08-17 04:20 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache

2009-08-17 04:17 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-08-17 04:17 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-17 04:17 . 2009-08-17 04:17 -------- d-----w- c:\windows\ie8updates

2009-08-17 04:17 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-08-17 04:15 . 2009-08-17 04:16 -------- dc-h--w- c:\windows\ie8

2009-08-17 04:06 . 2009-08-17 04:06 152576 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-14 02:52 . 2009-08-14 02:52 -------- d-----w- c:\program files\Common Files\Uninstall

2009-08-12 18:06 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-23 02:26 . 2006-12-28 23:09 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-23 02:26 . 2008-03-01 02:38 45316 ----a-w- c:\windows\system32\mssusr.dat

2009-08-22 20:14 . 2009-03-14 22:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-22 19:41 . 2009-08-20 05:26 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-22 02:57 . 2008-08-08 02:55 -------- d-----w- c:\program files\LimeWire

2009-08-21 13:33 . 2008-03-07 03:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-21 02:47 . 2006-12-28 23:31 -------- d-----w- c:\program files\Common Files\Intuit

2009-08-17 04:06 . 2006-12-28 22:58 -------- d-----w- c:\program files\Java

2009-08-16 01:32 . 2006-12-28 23:19 -------- d-----w- c:\program files\HP Games

2009-08-16 01:28 . 2008-08-08 02:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\LimeWire

2009-08-15 17:20 . 2007-03-22 22:05 21840 ----atw- c:\windows\system32\SIntfNT.dll

2009-08-15 17:20 . 2007-03-22 22:05 17212 ----atw- c:\windows\system32\SIntf32.dll

2009-08-15 17:20 . 2007-03-22 22:05 12067 ----atw- c:\windows\system32\SIntf16.dll

2009-08-08 22:11 . 2007-01-03 17:32 -------- d-----w- c:\program files\Starcraft

2009-08-05 09:01 . 2006-12-28 19:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 20:36 . 2009-03-14 22:52 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-25 12:23 . 2009-03-08 01:22 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-20 01:00 . 2007-09-15 00:56 -------- d-----w- c:\program files\Guild Wars

2009-07-17 19:01 . 2006-12-28 21:55 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-15 14:39 . 2008-07-04 21:00 34 ----a-w- c:\documents and settings\Compaq_Owner\jagex_runescape_preferences.dat

2009-07-14 06:43 . 2006-12-28 19:28 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-11 19:34 . 2009-08-20 04:58 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys

2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2009-07-11 19:34 . 2009-08-20 04:58 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSvix86.sys

2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys

2009-07-11 19:34 . 2009-08-20 04:58 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\Scxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll

2009-07-11 19:34 . 2009-08-20 04:58 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSxpx86.dll

2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll

2009-07-11 19:34 . 2009-08-20 04:58 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSviA64.sys

2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys

2009-07-03 17:09 . 2006-12-28 19:28 915456 ----a-w- c:\windows\system32\wininet.dll

2009-07-02 08:12 . 2009-07-06 00:15 993244 ----a-w- c:\documents and settings\Compaq_Owner\update.dat

2009-07-02 08:11 . 2009-07-06 00:15 782968 ----a-w- c:\documents and settings\Compaq_Owner\game.bin

2009-07-02 08:11 . 2009-07-06 00:15 208384 ----a-w- c:\documents and settings\Compaq_Owner\ikcst.dll

2009-06-25 08:25 . 2006-12-28 19:28 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2006-12-28 19:25 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2006-12-28 19:25 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2006-12-28 19:23 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2006-12-28 19:22 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2006-12-28 19:22 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-04 11:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2006-12-28 19:27 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2006-12-28 19:22 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-04 11:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 16:19 . 2006-12-28 19:23 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2006-12-28 21:55 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2006-12-28 19:28 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2006-12-28 19:24 1291264 ----a-w- c:\windows\system32\quartz.dll

2007-01-08 04:41 . 2007-01-08 04:41 22 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=3 (0x3)

"Automatic LiveUpdate Scheduler"=2 (0x2)

"ACDaemon"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/19/2009 9:58 PM 276344]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/19/2009 8:02 PM 101936]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SYMEFA.SYS --> c:\windows\system32\drivers\NAV\1005000.086\SYMEFA.SYS [?]

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1007020.00A\BHDrvx86.sys [8/20/2009 7:12 PM 259632]

S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1007020.00A\cchpx86.sys [8/20/2009 7:11 PM 482432]

S2 IntuitUpdateService;Intuit Update Service;"c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" --> c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [?]

S2 iymmo;iymmo;c:\windows\system32\drivers\aeaw.sys --> c:\windows\system32\drivers\aeaw.sys [?]

S2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll" /prefetch:1 --> c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [?]

S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010003};PCD5SRVC{8A863ACB-F5F6CC6A-05010003} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2/7/2006 6:38 PM 21120]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

HKLM-Run-PCDrProfiler - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: turbotax.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-22 20:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton AntiVirus]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCD5SRVC{8A863ACB-F5F6CC6A-05010003}]

"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1716)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wscntfy.exe

c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

.

**************************************************************************

.

Completion time: 2009-08-23 20:46 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-23 03:46

Pre-Run: 266,671,943,680 bytes free

Post-Run: 268,015,009,792 bytes free

206 --- E O F --- 2009-08-13 14:36

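The two logs in this thread point at the same infection from different angles: MBAM reports the `HKEY_LOCAL_MACHINE\SOFTWARE\UAC` key and `uacinit.dll`, and ComboFix later deletes a whole family of `UAC<random>.dll/.sys/.dat` files plus the `UACd.sys` service entries. When triaging a machine from such logs it helps to pull both reports into one structured list instead of reading them by eye. The following Python script is an added example written for this page (it is not code from the poster, the forum staff, Malwarebytes or ComboFix): it parses the `... Infected:` sections of an MBAM 1.x log and the `((( section )))` blocks of a ComboFix log, then flags every item whose name follows the `UAC*` pattern visible above. The section-header and detection-line formats are assumptions inferred from the log lines posted in this thread, and the sample inputs are constructed excerpts of those same logs.

```python
import re
from dataclasses import dataclass


@dataclass
class Detection:
    section: str   # e.g. "Registry Keys Infected"
    item: str      # registry key, value or file path as printed by MBAM
    family: str    # MBAM family name, e.g. "Rootkit.Trace"
    action: str    # e.g. "No action taken"


# Constructed sample: the detection sections of the MBAM 1.34 log posted above.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1849
Windows 5.1.2600 Service Pack 3

Registry Keys Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
"""

# Constructed sample: the first two sections of the ComboFix log posted above, trimmed.
COMBOFIX_LOG = r"""ComboFix 09-08-22.06 - Compaq_Owner 08/22/2009 20:34.1.2 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common
c:\windows\system32\drivers\UACvmtaaxnqqg.sys
c:\windows\system32\UACblnsejrqmi.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmvheexnqwe.dll
c:\windows\system32\UACvxdcbfoafw.dat
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_NDISRD
"""

# Assumed formats, inferred from the logs on this page.
_SECTION_HDR = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
_DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
_CF_HDR = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# File names of the form UAC<random>.dll/.sys/.dat, as seen in both logs.
_UAC_FILE = re.compile(r"(?:^|\\)uac[a-z0-9]*\.(?:dll|sys|dat)$", re.I)
_UAC_KEY = re.compile(r"\\uac$", re.I)


def parse_mbam_log(text):
    """Return one Detection per malicious item listed in an MBAM 1.x log."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = _SECTION_HDR.match(line)
        if hdr:                       # "Registry Keys Infected:" (no count) opens a section
            section = hdr.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = _DETECTION.match(line)
        if m:
            found.append(Detection(section, m.group("item"), m.group("family"), m.group("action")))
    return found


def parse_combofix_sections(text):
    """Map each '((( name )))' ComboFix section to the non-empty lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = _CF_HDR.match(line)
        if hdr:
            current = hdr.group("name")
            sections[current] = []
        elif current and line and line != ".":   # "." lines are ComboFix spacers
            sections[current].append(line)
    return sections


def uac_artifacts(mbam_detections, combofix_sections):
    """Collect every item across both logs whose name follows the UAC* pattern."""
    hits = []
    for d in mbam_detections:
        if _UAC_FILE.search(d.item) or _UAC_KEY.search(d.item):
            hits.append(("mbam", d.section, d.item))
    for path in combofix_sections.get("Other Deletions", []):
        if _UAC_FILE.search(path):
            hits.append(("combofix", "Other Deletions", path))
    for entry in combofix_sections.get("Drivers/Services", []):
        # Entries look like '-------\Service_UACd.sys'; keep only the service name.
        name = re.sub(r"^(?:Service|Legacy)_", "", entry.rsplit("\\", 1)[-1])
        if _UAC_FILE.search(name):
            hits.append(("combofix", "Drivers/Services", entry))
    return hits


if __name__ == "__main__":
    for src, sec, item in uac_artifacts(parse_mbam_log(MBAM_LOG),
                                        parse_combofix_sections(COMBOFIX_LOG)):
        print(f"{src:9s} {sec:20s} {item}")
```

Run against the two excerpts it lists nine UAC-named artifacts: the registry key and `uacinit.dll` from MBAM, five files from ComboFix's deletions and the two `UACd.sys` service entries. The point of the cross-check is visible in the thread itself: MBAM saw only two items while ComboFix removed a driver and several more DLLs with the same naming scheme, which is why a scan that reports "No action taken" on a `Rootkit.Trace` entry should not be read as the whole picture.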

  • Staff

Hi,

This looks OK again.

Just one leftover, so go to start > run and copy and paste the next command in the field:

sc delete iymmo

Hit enter.

Then,

* Go to start > run and copy and paste the next command in the field:

"c:\documents and settings\Compaq_Owner\Desktop\ComboFixx.exe" /u

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


I uninstalled ComboFixx.exe per your instructions. I then uninstalled Malwarebytes and Norton. Installed Malwarebytes & updated it, then did a quick scan. It found and removed Rogue.personalAntivirus, rescanned and found nothing. Then loaded Norton and did a quick scan. It only found & removed some cookies.

I am clean!

Thank you very much. I am impressed.

Steve


  • Staff

Glad I could help. :lol:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
