Jump to content

Please help with rootkit uacinit.dll infection


kiv
 Share

Recommended Posts

I started having trouble with this thing yesterday; mbam removed a lot of stuff (I had to rename the .exe to run it) but the uacinit.dll persists even after multiple attempts to "delete on reboot". I've seen you folks be so helpful and generous with your time in the past and I really hope y'all can help me clean up as much as possible.

Here's the mbam log:

Malwarebytes' Anti-Malware 1.40

Database version: 2683

Windows 5.1.2600 Service Pack 3

8/23/2009 1:12:16 PM

mbam-log-2009-08-23 (13-12-16).txt

Scan type: Quick Scan

Objects scanned: 96675

Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:17:45 PM, on 8/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEAC

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [Felix II] C:\Program Files\ScreenMates\Felix II\Felix2.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"

O4 - HKUS\S-1-5-20\..\Run: [posemavogu] Rundll32.exe "C:\WINDOWS\system32\gasesowo.dll",s (User 'NETWORK SERVICE')

O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe

O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6238B310-FD31-49CF-B962-77F412F642B6}: NameServer = 129.176.171.5,129.176.199.5

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mayo.edu,mfad.mfroot.org

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mayo.edu,mfad.mfroot.org

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mayo.edu,mfad.mfroot.org

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mayo.edu,mfad.mfroot.org

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WLANKEEPER - Intel

Link to post
Share on other sites

  • Staff

Hi kiv and welcome to Malwarebytes.

Please don't put the logs in Quote boxes; that makes it a little harder on the eyes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Thank you for the help!

I had to save ComboFix with a different name in order to get it to run, but then it worked.

ComboFix 09-08-22.06 - Sally 08/23/2009 21:32.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.581 [GMT -5:00]

Running from: c:\documents and settings\Sally\Desktop\Fxx.exe

AV: avast! antivirus 4.8.1351 [VPS 090823-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\run.log

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\drivers\kbiwkmnkjxqjlk.sys

c:\windows\system32\drivers\UACmtrjktvcmc.sys

c:\windows\system32\kbiwkmkamxielt.dll

c:\windows\system32\kbiwkmostdaxlr.dat

c:\windows\system32\kbiwkmovqyhpqt.dat

c:\windows\system32\kbiwkmvebndksj.dll

c:\windows\system32\UACasqugvurrp.dll

c:\windows\system32\UACbqcecwhsex.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACkytprimiyp.dll

c:\windows\system32\UACmxbhtckltx.db

c:\windows\system32\UACslsakojngh.dat

c:\windows\system32\UACwhnuxuqrmy.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmmmfukfod

-------\Legacy_kbiwkmmmfukfod

-------\Service_UACd.sys

-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))

.

2009-08-23 18:17 . 2009-08-23 18:17 -------- d-----w- c:\program files\Trend Micro

2009-08-23 16:42 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-08-23 16:42 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-08-23 16:42 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-08-23 16:42 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-08-23 16:42 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-08-23 16:42 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-08-23 16:42 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-08-23 16:42 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-08-23 16:42 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe

2009-08-23 16:42 . 2009-08-23 16:42 -------- d-----w- c:\program files\Alwil Software

2009-08-23 16:35 . 2009-08-23 16:35 2 --shatr- c:\windows\winstart.bat

2009-08-23 16:35 . 2009-08-23 17:47 -------- d-----w- c:\program files\UnHackMe

2009-08-12 05:43 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-09 23:05 . 2009-08-09 23:05 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-08-06 19:11 . 2009-08-06 19:11 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-06 19:11 . 2009-08-06 19:11 -------- d-----w- c:\program files\MSBuild

2009-08-06 19:11 . 2009-08-06 19:11 -------- d-----w- c:\program files\Reference Assemblies

2009-08-06 19:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-06 19:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-06 19:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-06 19:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-06 19:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-06 19:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-06 19:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-06 19:10 . 2009-08-06 19:10 -------- d-----w- C:\6c2e73d860b2d4ab95f665b02b

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-03 04:23 . 2009-08-03 05:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer

2009-08-03 04:23 . 2009-08-03 05:58 -------- d-----w- c:\documents and settings\Sally\Application Data\Apple Computer

2009-08-03 04:23 . 2009-08-03 04:23 -------- d-----w- c:\documents and settings\Sally\Local Settings\Application Data\Apple Computer

2009-07-31 17:50 . 2009-07-31 17:50 -------- d-----w- c:\windows\system32\Dell

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-24 02:20 . 2008-05-27 19:50 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8

2009-08-24 01:51 . 2009-08-24 01:54 59392 ----a-w- c:\windows\Internet Logs\xDBD.tmp

2009-08-23 20:29 . 2009-08-23 20:32 2789376 ----a-w- c:\windows\Internet Logs\xDBB.tmp

2009-08-23 20:29 . 2009-08-23 20:32 1795072 ----a-w- c:\windows\Internet Logs\xDBC.tmp

2009-08-23 17:48 . 2009-03-09 17:47 -------- d-----w- c:\program files\Games

2009-08-23 17:45 . 2005-12-18 19:17 -------- d-----w- c:\program files\MUSICMATCH

2009-08-23 07:33 . 2008-11-26 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-23 03:57 . 2009-05-29 18:59 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-23 03:54 . 2008-06-11 23:37 2477528 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2009-08-23 03:48 . 2009-06-26 00:19 -------- d-----w- c:\program files\MUSHclient

2009-08-23 03:48 . 2005-12-28 04:24 -------- d-----w- c:\program files\Trillian

2009-08-23 03:34 . 2009-08-23 03:34 784468 ----a-w- c:\windows\system32\xa.tmp

2009-08-09 23:05 . 2006-01-28 04:44 -------- d-----w- c:\program files\DivX

2009-08-06 19:39 . 2005-12-23 13:56 75592 ----a-w- c:\documents and settings\Sally\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 18:36 . 2008-11-26 01:17 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 18:36 . 2008-11-26 01:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-02 20:57 . 2009-08-02 20:58 1740800 ----a-w- c:\windows\Internet Logs\xDBA.tmp

2009-08-02 20:34 . 2006-01-03 20:42 19706 ----a-w- c:\documents and settings\Sally\Application Data\wklnhst.dat

2009-08-02 05:55 . 2009-08-02 05:57 1738752 ----a-w- c:\windows\Internet Logs\xDB9.tmp

2009-07-31 19:48 . 2009-07-31 19:51 1737728 ----a-w- c:\windows\Internet Logs\xDB8.tmp

2009-07-31 17:50 . 2005-12-18 19:14 -------- d-----w- c:\program files\Dell

2009-07-23 19:03 . 2006-11-06 00:14 -------- d-----w- c:\program files\iTunes

2009-07-23 18:45 . 2009-07-23 18:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-23 18:44 . 2009-07-23 18:44 -------- d-----w- c:\program files\iPod

2009-07-23 18:44 . 2007-08-12 23:42 -------- d-----w- c:\program files\Common Files\Apple

2009-07-23 18:39 . 2009-07-23 18:38 -------- d-----w- c:\program files\QuickTime

2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2004-08-10 18:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-03-29 19:05 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2008-10-05 00:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-29 16:12 . 2004-08-10 18:51 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2004-08-10 18:51 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-10 18:51 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-10 18:51 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-08-10 18:51 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-10 18:51 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-10 18:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-10 18:51 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:19 . 2004-08-10 19:01 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-10 18:51 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-28 05:07 . 2009-05-28 05:07 50008 ----a-r- c:\documents and settings\Sally\Application Data\Microsoft\Installer\{342126E1-173C-4585-BFBE-3EBDD20E3E9E}\_6FEFF9B68218417F98F549.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2006-08-26 03:50 . 2005-12-23 13:55 56 --sh--r- c:\windows\system32\128479C5D3.sys

2008-06-29 05:01 . 2008-03-03 00:05 56 --sh--r- c:\windows\system32\F9A69E093C.sys

2008-06-29 05:01 . 2006-01-29 20:54 6058 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-18 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk

backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Backup Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk

backup=c:\windows\pss\WD Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sally^Start Menu^Programs^Startup^Last.fm Helper.lnk]

path=c:\documents and settings\Sally\Start Menu\Programs\Startup\Last.fm Helper.lnk

backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sally^Start Menu^Programs^Startup^Palm Registration.lnk]

path=c:\documents and settings\Sally\Start Menu\Programs\Startup\Palm Registration.lnk

backup=c:\windows\pss\Palm Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sally^Start Menu^Programs^Startup^palmOne Registration.lnk]

path=c:\documents and settings\Sally\Start Menu\Programs\Startup\palmOne Registration.lnk

backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/23/2009 11:42 AM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/23/2009 11:42 AM 20560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

Notify-avgrsstarter - avgrsstx.dll

.

------- Supplementary Scan -------

.

uStart Page = www.yahoo.com/

uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={30CFAB60-B466-43CC-BBF0-17B08EA5A077}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FD

EAC

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: turbotax.com

TCP: {6238B310-FD31-49CF-B962-77F412F642B6} = 129.176.171.5,129.176.199.5

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-23 21:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)

c:\windows\system32\IWPDGINA.DLL

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

Completion time: 2009-08-24 21:45

ComboFix-quarantined-files.txt 2009-08-24 02:44

Pre-Run: 19,145,895,936 bytes free

Post-Run: 19,787,878,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

219 --- E O F --- 2009-08-23 19:30

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:54:44 PM, on 8/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEAC

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6238B310-FD31-49CF-B962-77F412F642B6}: NameServer = 129.176.171.5,129.176.199.5

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mayo.edu,mfad.mfroot.org

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mayo.edu,mfad.mfroot.org

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mayo.edu,mfad.mfroot.org

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mayo.edu,mfad.mfroot.org

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WLANKEEPER - Intel

Link to post
Share on other sites

In case this is relevant... iexplore.exe no longer starts itself up, which it had been doing before I ran ComboFix, but I still have a ridiculous number of "svchost.exe" listed in Windows Task Manager. Ten at the moment. I don't often look at task manager but it seems strange.

Link to post
Share on other sites

  • Staff
...but I still have a ridiculous number of "svchost.exe" listed in Windows Task Manager. Ten at the moment. I don't often look at task manager but it seems strange.
That is not abnormal. There are always numerous svchost.exe entries listed in Task Manager...

Please try running MBAM, updating it, running a Quick Scan, and posting its log.

-screen317

Link to post
Share on other sites

That is not abnormal. There are always numerous svchost.exe entries listed in Task Manager...

Please try running MBAM, updating it, running a Quick Scan, and posting its log.

-screen317

Ok, thanks for setting my mind at ease about the svchost stuff :lol:

As for MBAM, no malicious items detected! Whee!

Malwarebytes' Anti-Malware 1.40

Database version: 2686

Windows 5.1.2600 Service Pack 3

8/23/2009 11:19:39 PM

mbam-log-2009-08-23 (23-19-39).txt

Scan type: Quick Scan

Objects scanned: 92423

Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Staff

Great!

Right click this file, click Edit, then copy and paste the contents here:

c:\windows\winstart.bat

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317

Link to post
Share on other sites

Well now I'm not feeling so competent... I had some issues with the first 2 parts of your most recent instructions.

c:\windows\winstart.bat

This file exists but doesn't appear to have anything in it.

File size is 2 bytes and notepad is blank when I edit it.

It's creation and modification date are given as August 23, 2009, 11:35:54 AM (I'm in central time zone).

Next issue was with F-Secure scanner. It ran just fine and found and removed 4 things, but when I clicked to show the report, nothing happened. I waited a while in case it was being slow, tried clicking it a couple more times, still nothing, so here's what little info I got from the summary window.

The 4 infected files which it cleaned up were listed as:

Trojan:W32/Vundo

TrackingCookie. Yieldmanager

A0104781.SYS

A0105783.DLL

Mousing over the first two just said "system" but the last two had the following info:

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP873\A0105781.SYS

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP873\A0105783.SYS

Your security check ran & gave info without problems.

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

avast! Antivirus

ZoneAlarm

avast! updated!

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 5

Java 6 Update 7

Java SE Development Kit 6 Update 5

Java DB 10.3.1.4

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Link to post
Share on other sites

  • Staff

Hi kiv,

Delete this file:

c:\windows\winstart.bat

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java

Link to post
Share on other sites

Ok, uninstalled and updated stuff as per your instructions above. Things seem to be working just fine :lol:

I ran a full scan with MBAM just in case and it came up clear.

Thank you!!

Malwarebytes' Anti-Malware 1.40

Database version: 2691

Windows 5.1.2600 Service Pack 3

8/24/2009 6:23:58 PM

mbam-log-2009-08-24 (18-23-58).txt

Scan type: Full Scan (C:\|)

Objects scanned: 190973

Time elapsed: 1 hour(s), 8 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Staff

Hi,

Delete SecurityCheck.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • 2 weeks later...
Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.