Jump to content

Recommended Posts

.Hi, new to the forum, and TIA for any help on this problem!

I have a WINXP setup and have the "hijack.windowsupdate" virus. The MBAM quick scan returning the same 2 entries in the Registry Data.

I ran a "GMER scan" and can post the log file along with the MBAM logfile. *Notes: Recent install of a 'personal firewall' after the scans. Recently removed: 'Security Tool' virus. "Vundo" virus and numerous spy/malwares. Incorrect T+D stamp.

1. GMER Scan

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2003-07-22 04:26:47

Windows 5.1.2600 Service Pack 2

Running: 7q4hty9x.exe; Driver: C:\DOCUME~1\MARCIA\LOCALS~1\Temp\pxtdypow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE7D4C5A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE7D4B16]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xEE7D50CA]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE7D4FF4]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE7D46EC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE7D4BF0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE7D462C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE7D4690]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE7D4D10]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xEE7D5198]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE7D4CD0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE7D4E50]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xEE7E14FE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xEE7E1322]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xEE7E145C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 805648A3 5 Bytes JMP EE7DE972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntoskrnl.exe!NtCreateSection 80564B1B 7 Bytes JMP EE7E1326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntoskrnl.exe!ZwCreateProcessEx 805885D3 7 Bytes JMP EE7E1502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A2BF9 5 Bytes JMP EE7DD4BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntoskrnl.exe!ZwLoadDriver 805A6B26 7 Bytes JMP EE7E1460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[696] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002

IAT C:\WINDOWS\system32\services.exe[696] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device BAFA3C8A

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

2. MBAM Log file

Malwarebytes' Anti-Malware 1.44

Database version: 3736

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

7/22/2003 4:33:34 PM

mbam-log-2003-07-22 (16-33-30).txt

Scan type: Quick Scan

Objects scanned: 194276

Time elapsed: 29 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Hello zenith and welcome to MalwareBytes forums.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3 IF this system has CD Rom emulation app:

  • Disable CD-ROM Emulation Software DeFogger - Disable
  • Please download the following tool DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
  • IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
  • Do not re-enable these drivers until otherwise instructed.

Step 4

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 5

Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Step 6

Next, see this topic --> http://forums.malwarebytes.org/index.php?showtopic=9573

and do the steps to get & run DDS reports

Step 7

DDS.txt

Attach.txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.