Jump to content

Trojan & Malware


Recommended Posts

I had a fake XP security system virus so I downloaded Malware and got rid of most of it, except for a trojan system32\uacinit.dll and a rookit virus. I downloaded combofix to solve that problem and my Malware now says I'm virus free, but my Mozilla Firefox keeps crashing the same way it did when I had the viruses. Here is my combofix log and my Malware log after I ran combofix. Thanks for your help.

ComboFix 09-08-29.01 - Neshka 08/30/2009 9:40.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.758.360 [GMT -4:00]

Running from: c:\documents and settings\Neshka\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090829-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\run.log

c:\windows\system32\drivers\kbiwkmmnntdoju.sys

c:\windows\system32\drivers\UACunjhstxqwi.sys

c:\windows\system32\kbiwkmnjysxrxg.dat

c:\windows\system32\kbiwkmuhhnkyvj.dll

c:\windows\system32\kbiwkmwgoseiep.dll

c:\windows\system32\kbiwkmydkqbpwm.dat

c:\windows\system32\UACabmgigeahe.dat

c:\windows\system32\UACclymkdoouk.db

c:\windows\system32\UACiqkcjmkebp.dll

c:\windows\system32\UACnbawnelall.dll

c:\windows\system32\UACvqualrcxyu.dll

c:\windows\system32\UACwhfjdnaeaq.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmntlaquxs

-------\Legacy_kbiwkmntlaquxs

-------\Service_UACd.sys

-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))

.

2009-08-30 00:52 . 2009-08-30 00:52 -------- d-----w- c:\documents and settings\Neshka\Application Data\Malwarebytes

2009-08-30 00:39 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-30 00:38 . 2009-08-30 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-30 00:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-30 00:17 . 2009-08-30 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-29 18:58 . 2009-08-29 18:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-08-29 18:57 . 2009-08-29 20:08 -------- d-----w- c:\documents and settings\Neshka\Application Data\skypePM

2009-08-29 18:56 . 2009-08-30 01:31 -------- d-----w- c:\documents and settings\Neshka\Application Data\Skype

2009-08-29 18:55 . 2009-08-29 18:55 -------- d-----w- c:\program files\Common Files\Skype

2009-08-29 18:55 . 2009-08-29 18:55 -------- d-----r- c:\program files\Skype

2009-08-29 18:54 . 2009-08-29 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2009-08-16 19:54 . 2009-06-25 08:44 133632 -c----w- c:\windows\system32\dllcache\msv1_0.dll

2009-08-16 19:54 . 2009-06-22 11:34 92544 -c----w- c:\windows\system32\dllcache\ksecdd.sys

2009-08-16 19:54 . 2009-06-25 08:44 59392 -c----w- c:\windows\system32\dllcache\wdigest.dll

2009-08-16 19:54 . 2009-06-25 08:44 298496 -c----w- c:\windows\system32\dllcache\kerberos.dll

2009-08-13 17:15 . 2009-06-12 11:50 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe

2009-08-13 17:14 . 2009-06-12 11:50 76288 -c----w- c:\windows\system32\dllcache\telnet.exe

2009-08-13 12:25 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

2009-08-06 14:55 . 2009-08-25 15:55 -------- d-----w- c:\documents and settings\Neshka\Application Data\Prism

2009-08-06 14:55 . 2009-08-06 14:55 -------- d-----w- c:\documents and settings\All Users\Prism

2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 22:15 . 2008-07-02 20:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-19 22:15 . 2008-06-23 11:41 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-19 22:15 . 2008-06-23 11:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-05 09:11 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 18:55 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-05 17:09 . 2009-07-05 17:09 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-07-05 17:09 . 2009-07-05 17:09 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-06-29 16:12 . 2006-06-23 15:33 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 18:36 . 2003-03-31 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2003-03-31 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2003-03-31 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2003-03-31 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2003-03-31 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2003-03-31 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2003-03-31 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2003-03-31 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2003-03-31 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2003-03-31 12:00 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2003-03-31 12:00 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-25 18:36 . 2003-03-31 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll

2009-06-25 08:44 . 2005-06-15 17:50 298496 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:44 . 2003-03-31 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:44 . 2003-03-31 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:44 . 2003-03-31 12:00 56320 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:44 . 2003-03-31 12:00 168448 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:44 . 2003-03-31 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-22 11:49 . 2003-03-31 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe

2009-06-22 11:49 . 2003-03-31 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe

2009-06-22 11:49 . 2003-03-31 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe

2009-06-22 11:48 . 2003-03-31 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys

2009-06-22 11:34 . 2003-03-31 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 11:50 . 2003-03-31 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 11:50 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:21 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-05 07:42 . 2006-06-24 03:59 655872 ----a-w- c:\windows\system32\mstscax.dll

2009-06-03 19:27 . 2003-03-31 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll

2007-03-28 03:42 . 2007-03-28 03:43 774144 ----a-w- c:\program files\RngInterstitial.dll

2008-11-13 02:15 . 2008-11-13 02:07 80 --sh--r- c:\windows\system32\D02E93BC50.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY" [X]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-01-23 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-01-23 126976]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]

"ACU"="c:\program files\Atheros\ACU.exe" [2005-01-31 253952]

"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-06-01 192512]

"ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-03-15 2893824]

"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]

"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]

"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-06-06 69632]

"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]

"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]

"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-07-25 81920]

"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-19 2007832]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]

c:\documents and settings\Neshka\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-5-31 577597]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-5 53317]

Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-16 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-19 22:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/8/2009 12:22 AM 114768]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/23/2008 7:41 AM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/23/2008 7:41 AM 108552]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/8/2009 12:22 AM 20560]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 4:58 PM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 4:58 PM 297752]

S1 mailKmd;mailKmd; [x]

S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [6/24/2006 12:26 AM 2343]

.

Contents of the 'Scheduled Tasks' folder

2009-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-30 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-02 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.theglobeandmail.com/

uInternet Settings,ProxyServer = webproxy.queensu.ca:8080

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

FF - ProfilePath - c:\documents and settings\Neshka\Application Data\Mozilla\Firefox\Profiles\p2gnfkuk.default\

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-30 09:52

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)

c:\windows\System32\BCMLogon.dll

.

Completion time: 2009-08-30 9:57

ComboFix-quarantined-files.txt 2009-08-30 13:56

Pre-Run: 6,287,732,736 bytes free

Post-Run: 7,549,968,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

214 --- E O F --- 2009-08-26 19:41

Malware log

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 5.1.2600 Service Pack 2

8/30/2009 10:20:06 AM

mbam-log-2009-08-30 (10-20-06).txt

Scan type: Quick Scan

Objects scanned: 85138

Time elapsed: 13 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Hi and welcome to the forum! :)

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

1. Please read and follow the instructions provided here: I'm infected - What do I do now?

2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs

3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

* Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.

* Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.

* Using these other tools often makes the cleanup task more difficult and time consuming.

* If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.

* Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.

* There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review

* NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.