
Backdoor.Bot and Malware.Trace affecting Registry Keys and Values


Dennix

Hi to everyone, I'm new on here. :)

My name's Dennis.

Glad there's a board like this where people can discuss things and problems related to malware stuff.

First of all I want to say that I'm Italian, which should make up for my English mistakes. Also, I've set the MBAM language to English in order to make things understandable for everyone on here.

What I've been experiencing since yesterday afternoon is really similar to the problem that the user gwennypoo reported in this thread:

http://forums.malwarebytes.org/index.php?s...mp;p=26036&

While I was surfing the web, my PC suddenly rebooted (without asking me anything), so I instantly updated MBAM and performed a full scan.

It seems that my computer has been infected by a Backdoor.Bot and a Malware.Trace, which are reported as affecting Registry Keys and one Registry Value

(which really is the same as what the user reported in the thread I linked above: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid )

The fact is that once the scan is completed and I have fixed those five "elements" (MBAM says "All selected items removed successfully"; it doesn't even require a reboot), if I redo the scan a minute later the problem keeps popping up.

I updated and did a scan with both NAV and Spybot - Search & Destroy but they don't seem to detect the problem at all.

I used ComboFix too, but the problem is still here. Earlier this morning the PC rebooted itself (without asking) again.

I'm using Windows XP (Media Center Edition) SP3 with Norton Antivirus/Internet Security 2006, MBAM and Spybot - Search & Destroy as tools for removing malware and viruses.

This is the most recent MBAM log:

Malwarebytes' Anti-Malware 1.44

Database version: 3760

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

19/02/2010 13.03.49

mbam-log-2010-02-19 (13-03-49).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 173407

Time elapsed: 21 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

_______________

And this is the HijackThis logfile:

Trend Micro HijackThis v2.0.2

Scan saved at 13.10.32, on 19/02/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe

C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe

C:\Programmi\File comuni\Symantec Shared\ccProxy.exe

C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe

C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe

C:\Programmi\File comuni\Symantec Shared\ccApp.exe

C:\apps\ABoard\ABoard.exe

C:\apps\ABoard\AOSD.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\explorer.exe

C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe

C:\Programmi\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

C:\Programmi\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mskqyj32.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\it.htm

O17 - HKLM\System\CCS\Services\Tcpip\..\{1390F166-9B1B-4CA9-8421-CB1416E3CF1A}: NameServer = 212.216.112.222,212.216.172.162

O17 - HKLM\System\CS1\Services\Tcpip\..\{1390F166-9B1B-4CA9-8421-CB1416E3CF1A}: NameServer = 212.216.112.222,212.216.172.162

O17 - HKLM\System\CS2\Services\Tcpip\..\{1390F166-9B1B-4CA9-8421-CB1416E3CF1A}: NameServer = 212.216.112.222,212.216.172.162

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\Norton Internet Security\comHost.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Utilit


  • Staff

Hi,

Go to this page.

Enter the url of this thread in the first field.

Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the following file:

C:\WINDOWS\system32\mskqyj32.exe

Select it and click OK.

Then click the Send File button below.

Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hi!

Thanks for the reply.

I've sent the file mskqyj32.exe to the site, entering the url of this thread in the first field as you told me.

I've disabled all the firewalls and antiviruses and ran ComboFix; this is the log.

Obviously some lines are in Italian; I could try to translate those which aren't clear if you need me to.

Thanks again for the support.

ComboFix 10-02-18.09 - Steele 19/02/2010 16.07.32.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2046.1368 [GMT 1:00]

Eseguito da: d:\documents and settings\Steele\Desktop\ComboFix.exe

AV: Norton Internet Security 2006 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security 2006 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((( Files Creati Da 2010-01-19 al 2010-02-19 )))))))))))))))))))))))))))))))))))

.

2010-02-19 11:00 . 2010-02-19 11:00 -------- d-----w- c:\programmi\Trend Micro

2010-02-18 19:34 . 2010-02-18 19:34 -------- d-sh--w- d:\documents and settings\LocalService\IETldCache

2010-02-18 16:01 . 2010-02-19 15:04 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy

2010-02-18 16:01 . 2010-02-18 16:03 -------- d-----w- c:\programmi\Spybot - Search & Destroy

2010-02-14 17:03 . 2010-02-14 17:03 -------- d-----w- c:\programmi\Real

2010-02-14 17:03 . 2010-02-17 17:45 -------- d-----w- c:\programmi\File comuni\Real

2010-02-11 11:43 . 2010-02-12 15:23 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\dvdcss

2010-02-09 14:53 . 2010-02-16 18:02 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\vlc

2010-02-04 16:20 . 2010-02-12 17:17 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\foobar2000

2010-02-04 16:20 . 2010-02-04 16:20 -------- d-----w- c:\programmi\foobar2000

2010-02-02 12:33 . 2010-02-11 11:22 -------- d-----w- d:\documents and settings\Steele\Impostazioni locali\Dati applicazioni\Adobe

2010-02-01 16:37 . 2010-02-01 16:38 -------- d-----w- c:\programmi\Project64 1.6

2010-01-31 22:22 . 2006-06-29 12:07 14048 ------w- c:\windows\system32\spmsg2.dll

2010-01-31 16:39 . 2010-01-31 16:39 -------- d-----w- c:\programmi\SopCast

2010-01-31 16:20 . 2010-01-31 16:20 -------- d-sh--w- d:\documents and settings\Steele\IECompatCache

2010-01-31 16:19 . 2010-01-31 16:19 -------- d-sh--w- d:\documents and settings\Steele\PrivacIE

2010-01-31 16:16 . 2010-01-31 16:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-01-31 15:47 . 2010-01-31 15:47 -------- d-----w- c:\windows\l2schemas

2010-01-31 15:47 . 2010-01-31 15:47 -------- d-----w- c:\windows\system32\it

2010-01-31 15:47 . 2010-01-31 15:47 -------- d-----w- c:\windows\system32\bits

2010-01-31 15:34 . 2010-01-31 15:34 -------- d-sh--w- d:\documents and settings\Steele\IETldCache

2010-01-31 15:27 . 2010-01-31 15:27 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\NVIDIA Corporation

2010-01-31 15:27 . 2010-01-31 15:27 -------- d-----w- c:\programmi\NVIDIA Corporation

2010-01-31 15:25 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-01-31 15:24 . 2010-01-31 22:27 -------- d-----w- c:\windows\ie8updates

2010-01-31 15:24 . 2009-12-21 19:06 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-01-31 15:24 . 2009-12-21 19:06 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-01-31 15:24 . 2009-12-21 19:06 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-01-31 15:24 . 2009-12-21 19:06 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-01-31 15:24 . 2009-12-21 19:06 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-01-31 15:24 . 2009-12-21 19:06 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-01-31 15:22 . 2010-01-31 22:22 -------- d-----w- c:\windows\system32\it-IT

2010-01-31 15:22 . 2010-01-31 15:24 -------- dc-h--w- c:\windows\ie8

2010-01-31 15:18 . 2010-01-31 15:18 -------- d-----w- c:\programmi\Windows Media Connect 2

2010-01-31 15:16 . 2010-01-31 15:17 -------- d-----w- c:\windows\system32\drivers\UMDF

2010-01-31 15:16 . 2010-01-31 15:16 -------- d-----w- c:\windows\system32\LogFiles

2010-01-31 11:48 . 2010-01-31 11:48 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\DivX

2010-01-31 08:17 . 2010-01-31 08:17 -------- d-----w- c:\programmi\MSXML 6.0

2010-01-30 23:39 . 2010-01-31 15:46 -------- d-----w- c:\windows\ServicePackFiles

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-19 15:03 . 2010-01-30 18:03 -------- d-----w- c:\programmi\File comuni\Symantec Shared

2010-02-19 00:01 . 2010-01-30 11:16 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Soulseek

2010-02-11 09:22 . 2010-01-30 18:03 -------- d-----w- c:\programmi\Norton Internet Security

2010-02-09 20:59 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Symantec

2010-02-07 22:27 . 2010-01-30 18:03 -------- d-----w- c:\programmi\Symantec

2010-02-07 22:27 . 2010-02-07 22:27 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-02-07 22:27 . 2010-02-07 22:27 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-02-07 22:27 . 2006-09-20 15:40 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-02-07 22:27 . 2006-09-20 15:40 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-01-31 16:32 . 2010-01-30 18:10 55304 ----a-w- d:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT

2010-01-31 16:21 . 2004-10-25 18:40 84156 ----a-w- c:\windows\system32\perfc010.dat

2010-01-31 16:21 . 2004-10-25 18:40 489410 ----a-w- c:\windows\system32\perfh010.dat

2010-01-31 15:49 . 2004-10-25 19:10 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-01-31 08:20 . 2010-01-31 08:20 -------- d-----w- c:\programmi\MSBuild

2010-01-31 08:20 . 2010-01-31 08:20 -------- d-----w- c:\programmi\Reference Assemblies

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\LocalService\Dati applicazioni\X10 Commander

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\SmartSound Software Inc

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\QuickTime

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\InstallShield

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\Administrator\Dati applicazioni\Symantec

2010-01-30 18:10 . 2010-01-30 09:16 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\Symantec

2010-01-30 18:10 . 2010-01-30 09:16 -------- d-----w- c:\windows\system32\config\systemprofile\Dati applicazioni\Symantec

2010-01-30 18:06 . 2010-01-30 18:03 -------- d-----w- c:\programmi\X10 Hardware

2010-01-30 18:05 . 2010-01-30 18:03 -------- d-----w- c:\programmi\ShowTime

2010-01-30 18:05 . 2010-01-30 18:03 -------- d-----w- c:\programmi\Servizi in linea

2010-01-30 18:04 . 2010-01-30 18:03 -------- d-----w- c:\programmi\QuickTime

2010-01-30 14:28 . 2010-01-30 14:28 -------- d-----w- d:\documents and settings\LocalService\Dati applicazioni\DivX

2010-01-30 14:27 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Ulead Systems

2010-01-30 14:27 . 2010-01-30 18:03 -------- d-----w- c:\programmi\Ulead Systems

2010-01-30 14:27 . 2010-01-30 18:03 -------- d-----w- c:\programmi\File comuni\Ulead Systems

2010-01-30 13:42 . 2010-01-30 13:42 -------- d-----w- c:\programmi\DivX

2010-01-30 13:42 . 2010-01-30 13:42 -------- d-----w- c:\programmi\File comuni\DivX Shared

2010-01-30 13:22 . 2010-01-30 13:22 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\Malwarebytes

2010-01-30 13:22 . 2010-01-30 13:21 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware

2010-01-30 13:21 . 2010-01-30 13:21 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Malwarebytes

2010-01-30 13:14 . 2010-01-30 13:09 -------- d-----w- c:\programmi\Winamp

2010-01-30 13:11 . 2010-01-30 13:09 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\Winamp

2010-01-30 13:06 . 2010-01-30 13:06 1375 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat

2010-01-30 13:06 . 2010-01-30 13:05 130048 ----a-w- c:\windows\system32\SpoonUninstall.exe

2010-01-30 13:06 . 2010-01-30 13:06 2541 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat

2010-01-30 13:06 . 2010-01-30 13:06 2421 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Musepack Codec.dat

2010-01-30 13:06 . 2010-01-30 13:06 2718 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Mp4 Codec.dat

2010-01-30 13:05 . 2010-01-30 13:05 2652 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat

2010-01-30 13:05 . 2010-01-30 13:05 17867 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat

2010-01-30 13:05 . 2010-01-30 13:05 -------- d-----w- c:\programmi\Illustrate

2010-01-30 12:58 . 2010-01-30 12:58 -------- d-----w- c:\programmi\Ahead

2010-01-30 12:58 . 2010-01-30 12:58 -------- d-----w- c:\programmi\File comuni\Ahead

2010-01-30 12:31 . 2010-01-30 12:31 0 ----a-w- c:\windows\nsreg.dat

2010-01-30 12:26 . 2010-01-30 12:26 -------- d-----w- c:\programmi\CCleaner

2010-01-30 12:22 . 2010-01-30 12:22 -------- d-----w- c:\windows\system32\config\systemprofile\Dati applicazioni\X10 Commander

2010-01-30 11:15 . 2010-01-30 11:14 -------- d-----w- c:\programmi\SoulseekNS

2010-01-30 11:15 . 2010-01-30 11:14 -------- d-----w- c:\programmi\eMule

2010-01-30 09:52 . 2010-01-30 09:52 -------- d-----w- c:\programmi\VideoLAN

2010-01-11 21:17 . 2010-01-11 21:17 278120 ----a-w- c:\windows\system32\nvmccs.dll

2010-01-11 21:17 . 2010-01-11 21:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe

2010-01-11 21:17 . 2010-01-11 21:17 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-01-11 21:17 . 2010-01-11 21:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

2010-01-11 21:17 . 2010-01-11 21:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-01-11 21:17 . 2010-01-11 21:17 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-01-07 15:07 . 2010-01-30 13:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07 . 2010-01-30 13:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-21 19:06 . 2004-10-25 18:39 916480 ------w- c:\windows\system32\wininet.dll

2009-11-21 15:54 . 2004-10-25 18:37 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]

"eMuleAutoStart"="c:\programmi\eMule\emule.exe" [2009-02-22 5668864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 16207872]

"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]

"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]

"ccApp"="c:\programmi\File comuni\Symantec Shared\ccApp.exe" [2007-02-22 52840]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-09-07 208952]

"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-11 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]

"Symantec PIF AlertEng"="c:\programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-20 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\mskqyj32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Utilit


  • Staff

Hi,

The file you submitted was 0 bytes, so it's unclear whether it was still present, or locked.

Do the following please...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quote box below into Notepad:

Collect::[8]

c:\windows\system32\mskqyj32.exe

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\\windows\\system32\\userinit.exe,"

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as shown in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

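The persistence mechanism in this thread is the Winlogon Userinit value: the HijackThis F2 line in the first post shows `mskqyj32.exe` appended after `userinit.exe`, so it is launched at every logon and re-creates the registry keys MBAM keeps removing, and the staff's CFScript above resets that value to `userinit.exe,` alone. The following Python script is an added example, not code from the thread, from Malwarebytes or from ComboFix. It parses both log formats seen here (the HijackThis `F2 - REG:system.ini: UserInit=` line and the `"Userinit"=` line of ComboFix's REGEDIT4 dump), reports any entry other than the stock `userinit.exe`, and builds the cleaned value in the doubled-backslash form the CFScript uses. The sample lines are constructed, modelled on the logs in this thread; the assumption that Windows XP needs nothing but `c:\windows\system32\userinit.exe` in this value is the reviewer's, not stated by the page.

```python
import re

# Constructed sample lines modelled on the HijackThis F2 entry and the
# ComboFix REGEDIT4 dump quoted in this thread (not the live logs).
SAMPLE_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mskqyj32.exe,",
    r'"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\mskqyj32.exe,"',
    r'"Userinit"="c:\windows\system32\userinit.exe,"',
    r'"Shell"="Explorer.exe"',
]

# Assumption: on Windows XP the only program that belongs in
# HKLM\...\Winlogon\Userinit is the stock userinit.exe. Every extra,
# comma-separated entry is started at each interactive logon, which is
# how the infection here survived the MBAM registry cleanup.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

_HJT_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
_REG_DUMP = re.compile(r'^"Userinit"="(?P<value>[^"]*)"$', re.IGNORECASE)


def extract_userinit(line):
    """Return the raw Userinit value from an HJT F2 line or a REGEDIT4
    dump line, or None if the line is not a Userinit entry."""
    for pattern in (_HJT_F2, _REG_DUMP):
        match = pattern.match(line.strip())
        if match:
            return match.group("value")
    return None


def split_entries(value):
    """Split a comma-separated Userinit value into non-empty,
    case-normalised path entries (the trailing comma yields nothing)."""
    return [entry.strip().lower() for entry in value.split(",") if entry.strip()]


def unexpected_entries(value):
    """Entries in a Userinit value other than the stock userinit.exe."""
    return [entry for entry in split_entries(value) if entry != EXPECTED_USERINIT]


def clean_userinit_value():
    """The value the CFScript Registry:: directive writes back, with
    backslashes doubled as REGEDIT4 syntax requires."""
    return EXPECTED_USERINIT.replace("\\", "\\\\") + ","


def audit(lines):
    """Return (raw_value, extra_entries) for every Userinit line found
    in a log excerpt; an empty extras list means the value is clean."""
    results = []
    for line in lines:
        value = extract_userinit(line)
        if value is not None:
            results.append((value, unexpected_entries(value)))
    return results


if __name__ == "__main__":
    for value, extras in audit(SAMPLE_LINES):
        status = "SUSPICIOUS" if extras else "clean"
        print(f"{status}: Userinit={value}")
        for extra in extras:
            print(f"    extra logon program: {extra}")
    print("clean value for the Registry:: fix:", clean_userinit_value())
```

Running the script on the constructed lines flags the two values that carry `mskqyj32.exe` and passes the one that the CFScript produces; the same parser can be pointed at a saved HijackThis or ComboFix log to confirm the fix actually took after the reboot.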

I did as you told me and submitted the zip file.

This is ComboFix.txt:

ComboFix 10-02-18.09 - Steele 19/02/2010 16.45.10.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2046.1376 [GMT 1:00]

Eseguito da: d:\documents and settings\Steele\Desktop\ComboFix.exe

Opzioni usate :: d:\documents and settings\Steele\Desktop\CFScript.txt

AV: Norton Internet Security 2006 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security 2006 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

file zipped: c:\windows\system32\mskqyj32.exe

.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\mskqyj32.exe

.

((((((((((((((((((((((((( Files Creati Da 2010-01-19 al 2010-02-19 )))))))))))))))))))))))))))))))))))

.

2010-02-19 15:39 . 2010-02-19 15:39 -------- d--h--w- c:\windows\PIF

2010-02-19 11:00 . 2010-02-19 11:00 -------- d-----w- c:\programmi\Trend Micro

2010-02-18 19:34 . 2010-02-18 19:34 -------- d-sh--w- d:\documents and settings\LocalService\IETldCache

2010-02-18 16:01 . 2010-02-19 15:43 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy

2010-02-18 16:01 . 2010-02-18 16:03 -------- d-----w- c:\programmi\Spybot - Search & Destroy

2010-02-14 17:03 . 2010-02-14 17:03 -------- d-----w- c:\programmi\Real

2010-02-14 17:03 . 2010-02-17 17:45 -------- d-----w- c:\programmi\File comuni\Real

2010-02-11 11:43 . 2010-02-12 15:23 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\dvdcss

2010-02-09 14:53 . 2010-02-16 18:02 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\vlc

2010-02-04 16:20 . 2010-02-12 17:17 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\foobar2000

2010-02-04 16:20 . 2010-02-04 16:20 -------- d-----w- c:\programmi\foobar2000

2010-02-02 12:33 . 2010-02-11 11:22 -------- d-----w- d:\documents and settings\Steele\Impostazioni locali\Dati applicazioni\Adobe

2010-02-01 16:37 . 2010-02-01 16:38 -------- d-----w- c:\programmi\Project64 1.6

2010-01-31 22:22 . 2006-06-29 12:07 14048 ------w- c:\windows\system32\spmsg2.dll

2010-01-31 16:39 . 2010-01-31 16:39 -------- d-----w- c:\programmi\SopCast

2010-01-31 16:20 . 2010-01-31 16:20 -------- d-sh--w- d:\documents and settings\Steele\IECompatCache

2010-01-31 16:19 . 2010-01-31 16:19 -------- d-sh--w- d:\documents and settings\Steele\PrivacIE

2010-01-31 16:16 . 2010-01-31 16:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-01-31 15:47 . 2010-01-31 15:47 -------- d-----w- c:\windows\l2schemas

2010-01-31 15:47 . 2010-01-31 15:47 -------- d-----w- c:\windows\system32\it

2010-01-31 15:47 . 2010-01-31 15:47 -------- d-----w- c:\windows\system32\bits

2010-01-31 15:34 . 2010-01-31 15:34 -------- d-sh--w- d:\documents and settings\Steele\IETldCache

2010-01-31 15:27 . 2010-01-31 15:27 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\NVIDIA Corporation

2010-01-31 15:27 . 2010-01-31 15:27 -------- d-----w- c:\programmi\NVIDIA Corporation

2010-01-31 15:25 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-01-31 15:24 . 2010-01-31 22:27 -------- d-----w- c:\windows\ie8updates

2010-01-31 15:24 . 2009-12-21 19:06 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-01-31 15:24 . 2009-12-21 19:06 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-01-31 15:24 . 2009-12-21 19:06 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-01-31 15:24 . 2009-12-21 19:06 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-01-31 15:24 . 2009-12-21 19:06 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-01-31 15:24 . 2009-12-21 19:06 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-01-31 15:22 . 2010-01-31 22:22 -------- d-----w- c:\windows\system32\it-IT

2010-01-31 15:22 . 2010-01-31 15:24 -------- dc-h--w- c:\windows\ie8

2010-01-31 15:18 . 2010-01-31 15:18 -------- d-----w- c:\programmi\Windows Media Connect 2

2010-01-31 15:16 . 2010-01-31 15:17 -------- d-----w- c:\windows\system32\drivers\UMDF

2010-01-31 15:16 . 2010-01-31 15:16 -------- d-----w- c:\windows\system32\LogFiles

2010-01-31 11:48 . 2010-01-31 11:48 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\DivX

2010-01-31 08:17 . 2010-01-31 08:17 -------- d-----w- c:\programmi\MSXML 6.0

2010-01-30 23:39 . 2010-01-31 15:46 -------- d-----w- c:\windows\ServicePackFiles

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-19 15:21 . 2010-01-30 18:03 -------- d-----w- c:\programmi\File comuni\Symantec Shared

2010-02-19 00:01 . 2010-01-30 11:16 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Soulseek

2010-02-11 09:22 . 2010-01-30 18:03 -------- d-----w- c:\programmi\Norton Internet Security

2010-02-09 20:59 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Symantec

2010-02-07 22:27 . 2010-01-30 18:03 -------- d-----w- c:\programmi\Symantec

2010-02-07 22:27 . 2010-02-07 22:27 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-02-07 22:27 . 2010-02-07 22:27 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-02-07 22:27 . 2006-09-20 15:40 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-02-07 22:27 . 2006-09-20 15:40 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-01-31 16:32 . 2010-01-30 18:10 55304 ----a-w- d:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT

2010-01-31 16:21 . 2004-10-25 18:40 84156 ----a-w- c:\windows\system32\perfc010.dat

2010-01-31 16:21 . 2004-10-25 18:40 489410 ----a-w- c:\windows\system32\perfh010.dat

2010-01-31 15:49 . 2004-10-25 19:10 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-01-31 08:20 . 2010-01-31 08:20 -------- d-----w- c:\programmi\MSBuild

2010-01-31 08:20 . 2010-01-31 08:20 -------- d-----w- c:\programmi\Reference Assemblies

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\LocalService\Dati applicazioni\X10 Commander

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\SmartSound Software Inc

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\QuickTime

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\InstallShield

2010-01-30 18:10 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\Administrator\Dati applicazioni\Symantec

2010-01-30 18:10 . 2010-01-30 09:16 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\Symantec

2010-01-30 18:10 . 2010-01-30 09:16 -------- d-----w- c:\windows\system32\config\systemprofile\Dati applicazioni\Symantec

2010-01-30 18:06 . 2010-01-30 18:03 -------- d-----w- c:\programmi\X10 Hardware

2010-01-30 18:05 . 2010-01-30 18:03 -------- d-----w- c:\programmi\ShowTime

2010-01-30 18:05 . 2010-01-30 18:03 -------- d-----w- c:\programmi\Servizi in linea

2010-01-30 18:04 . 2010-01-30 18:03 -------- d-----w- c:\programmi\QuickTime

2010-01-30 14:28 . 2010-01-30 14:28 -------- d-----w- d:\documents and settings\LocalService\Dati applicazioni\DivX

2010-01-30 14:27 . 2010-01-30 18:10 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Ulead Systems

2010-01-30 14:27 . 2010-01-30 18:03 -------- d-----w- c:\programmi\Ulead Systems

2010-01-30 14:27 . 2010-01-30 18:03 -------- d-----w- c:\programmi\File comuni\Ulead Systems

2010-01-30 13:42 . 2010-01-30 13:42 -------- d-----w- c:\programmi\DivX

2010-01-30 13:42 . 2010-01-30 13:42 -------- d-----w- c:\programmi\File comuni\DivX Shared

2010-01-30 13:22 . 2010-01-30 13:22 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\Malwarebytes

2010-01-30 13:22 . 2010-01-30 13:21 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware

2010-01-30 13:21 . 2010-01-30 13:21 -------- d-----w- d:\documents and settings\All Users\Dati applicazioni\Malwarebytes

2010-01-30 13:14 . 2010-01-30 13:09 -------- d-----w- c:\programmi\Winamp

2010-01-30 13:11 . 2010-01-30 13:09 -------- d-----w- d:\documents and settings\Steele\Dati applicazioni\Winamp

2010-01-30 13:06 . 2010-01-30 13:06 1375 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat

2010-01-30 13:06 . 2010-01-30 13:05 130048 ----a-w- c:\windows\system32\SpoonUninstall.exe

2010-01-30 13:06 . 2010-01-30 13:06 2541 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat

2010-01-30 13:06 . 2010-01-30 13:06 2421 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Musepack Codec.dat

2010-01-30 13:06 . 2010-01-30 13:06 2718 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Mp4 Codec.dat

2010-01-30 13:05 . 2010-01-30 13:05 2652 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat

2010-01-30 13:05 . 2010-01-30 13:05 17867 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat

2010-01-30 13:05 . 2010-01-30 13:05 -------- d-----w- c:\programmi\Illustrate

2010-01-30 12:58 . 2010-01-30 12:58 -------- d-----w- c:\programmi\Ahead

2010-01-30 12:58 . 2010-01-30 12:58 -------- d-----w- c:\programmi\File comuni\Ahead

2010-01-30 12:31 . 2010-01-30 12:31 0 ----a-w- c:\windows\nsreg.dat

2010-01-30 12:26 . 2010-01-30 12:26 -------- d-----w- c:\programmi\CCleaner

2010-01-30 12:22 . 2010-01-30 12:22 -------- d-----w- c:\windows\system32\config\systemprofile\Dati applicazioni\X10 Commander

2010-01-30 11:15 . 2010-01-30 11:14 -------- d-----w- c:\programmi\SoulseekNS

2010-01-30 11:15 . 2010-01-30 11:14 -------- d-----w- c:\programmi\eMule

2010-01-30 09:52 . 2010-01-30 09:52 -------- d-----w- c:\programmi\VideoLAN

2010-01-11 21:17 . 2010-01-11 21:17 278120 ----a-w- c:\windows\system32\nvmccs.dll

2010-01-11 21:17 . 2010-01-11 21:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe

2010-01-11 21:17 . 2010-01-11 21:17 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-01-11 21:17 . 2010-01-11 21:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

2010-01-11 21:17 . 2010-01-11 21:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-01-11 21:17 . 2010-01-11 21:17 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-01-07 15:07 . 2010-01-30 13:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07 . 2010-01-30 13:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-21 19:06 . 2004-10-25 18:39 916480 ------w- c:\windows\system32\wininet.dll

2009-11-21 15:54 . 2004-10-25 18:37 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]

"eMuleAutoStart"="c:\programmi\eMule\emule.exe" [2009-02-22 5668864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 16207872]

"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]

"SunJavaUpdateSched"="c:\programmi\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]

"ccApp"="c:\programmi\File comuni\Symantec Shared\ccApp.exe" [2007-02-22 52840]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-09-07 208952]

"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-11 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]

"Symantec PIF AlertEng"="c:\programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2006-09-20 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Utilit


  • Staff

Hi,

Thank you for the file. I'll analyze it and add detection for it to our database in the next update.

Since we have already removed the file with ComboFix, please scan again with Malwarebytes and let it delete what it detects.

Then rescan and verify that the scan comes up clean.

Let me know afterwards how things are now. :)


Things are fine!

:)

Thanks for your precious help and support!

The scan did come up clean this time (no malicious items detected).

You've been really kind, and I also have to say you're really quick to reply to my posts.

Glad I could help increase the database by providing that infected file.

I'll come back here if I experience other troubles. Thanks again, you made my day, and bye for now.

:)


  • Staff

Glad I could help. :)

In the meantime I've added detection for this new variant to the database as well :)

Please read my Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
