
Malware heist



Tried renaming MBAM, no effect as the error is Run-time 372 error (failed to load vbalsgrid6.ocx)

Adaware won't run either (bad c++ runtime env).

Spybot S&D, Spyware Terminator, Advanced Spyware Remover, IObit Security 360, GMD rootkit finder all fail to find anything.

================================

Windows XP pro sp 2

Symptoms: RPC service won't run, which causes the Windows Installer service to fail. Can't copy or cut-and-paste. Services.msc only partially works; same with viewing event logs. Mozilla and Opera won't run; IE (version number doesn't print in Help > About) does.

ComboFix finds things but doesn't seem to fix them (sorry, can't cut & paste):

c:\windows\regedit.exe ... is infected! failed to restore

c:\windows\pchealth\uploadLB\Binaries\uploadm.exe ...is infected

c:\w..\sys32\msiregmv.exe

c:\w..\sys32\tlntadmn.exe

" \tlntsess.exe

" \tlntsvr.exe

" \typeperf.exe

" \wupdmgr.exe

Since I can't cut and paste, and it's against forum policy to attach files, what should I do?

Thanks for the help, this is very frustrating.

Mark.


Please don't attach the scans / logs, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish.

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


Thank you for pointing me to eset.eu, I'm not familiar with them.

Unfortunately, my machine will not run the JavaScript required by the site to do the online scan. It's an IE6 base install for XP. Even though the "allow active scripting" radio button is correctly set to Enabled, JavaScript no longer runs. Pre-installed copies of Firefox & Opera will not run at all. I attempted to install eset.eu's antivirus trial version, however it is a .msi file and the Windows Installer package is also disabled. (RPC service is its prerequisite and it won't start either. It gives a "Not permitted" or some such error when I attempt to restart RPC.)

Using a minimal Linux OS from Hiren's BootCD I'm able to cut and paste the logs of some of the programs that I WAS able to get to run.

GMER stated no modifications found (unfortunately I don't believe that I saved the log).

Here are the logs for HijackThis, DDS & ComboFix:

Thank you for your help!

=======================================================================================

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:40:48 PM, on 1/9/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\apps\Utilities\Core Temp\Core Temp.exe

C:\apps\internet\Spyware Terminator\SpywareTerminatorUpdate.exe

C:\apps\misc\PalmOne\Hotsync.exe

D:\games\Stardock\ImpulseUpdater\Now\ImpulseNow.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\apps\internet\Spyware Terminator\sp_rsser.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

D:\newUpgrades\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [startCCC] "C:\drivers\ati\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [Core Temp] "C:\apps\Utilities\Core Temp\Core Temp.exe"

O4 - HKCU\..\Run: [spywareTerminatorUpdate] "C:\apps\internet\Spyware Terminator\SpywareTerminatorUpdate.exe"

O4 - HKUS\S-1-5-21-35751481-2768343565-2966021626-500\..\Run: [Core Temp] "C:\apps\Utilities\Core Temp\Core Temp.exe" (User '?')

O4 - HKUS\S-1-5-21-35751481-2768343565-2966021626-500\..\Run: [spywareTerminatorUpdate] "C:\apps\internet\Spyware Terminator\SpywareTerminatorUpdate.exe" (User '?')

O4 - S-1-5-21-35751481-2768343565-2966021626-500 Startup: Impulse Now.lnk = D:\games\Stardock\ImpulseUpdater\Now\ImpulseNow.exe (User '?')

O4 - Startup: Impulse Now.lnk = D:\games\Stardock\ImpulseUpdater\Now\ImpulseNow.exe

O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\apps\misc\PalmOne\Hotsync.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\drivers\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: ASRservice - IObit - C:\apps\internet\Advanced Spyware Remover\ASRsrv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: IS360service - IObit - C:\apps\internet\IObit Security 360\IS360srv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\apps\internet\Spyware Terminator\sp_rsser.exe

--

End of file - 3817 bytes

=================================================================

DDS (Ver_10-12-12.02) - NTFSx86

Run by Administrator at 23:01:37.00 on Sun 01/09/2011

Internet Explorer: 6.0.2900.2180

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\apps\Utilities\Core Temp\Core Temp.exe

C:\apps\internet\Spyware Terminator\SpywareTerminatorUpdate.exe

C:\apps\misc\PalmOne\Hotsync.exe

D:\games\Stardock\ImpulseUpdater\Now\ImpulseNow.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\apps\internet\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\NOTEPAD.EXE

D:\newUpgrades\dds.scr

C:\WINDOWS\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll

TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Core Temp] "c:\apps\utilities\core temp\Core Temp.exe"

uRun: [spywareTerminatorUpdate] "c:\apps\internet\spyware terminator\SpywareTerminatorUpdate.exe"

mRun: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

mRun: [startCCC] "c:\drivers\ati\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

uPolicies-explorer: MaxRecentDocs = 1 (0x1)

IE: Crawler Search - tbr:iemenu

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll

Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R? ASRservice;ASRservice

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? IS360service;IS360service

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0

S? ALSysIO;ALSysIO

S? sp_rsdrv2;Spyware Terminator Driver 2

S? viasraid;viasraid

=============== Created Last 30 ================

2011-01-09 15:54:59 -------- d-----w- C:\ComboFix

2011-01-09 04:18:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit

2011-01-09 03:02:22 -------- d-----w- c:\program files\Crawler

2011-01-09 03:02:20 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2011-01-09 03:02:20 -------- d-----w- c:\docume~1\admini~1.you\applic~1\Spyware Terminator

2011-01-09 03:02:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spyware Terminator

2011-01-09 03:00:22 -------- dc----w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-01-09 01:25:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2011-01-08 18:19:14 -------- d-sha-r- C:\cmdcons

2011-01-08 18:15:26 98816 ----a-w- c:\windows\sed.exe

2011-01-08 18:15:26 89088 ----a-w- c:\windows\MBR.exe

2011-01-08 18:15:26 256512 ----a-w- c:\windows\PEV.exe

2011-01-08 18:15:26 161792 ----a-w- c:\windows\SWREG.exe

2011-01-08 07:23:49 -------- d-----w- c:\docume~1\admini~1.you\applic~1\Stardock

2011-01-06 00:39:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-05 19:26:01 -------- d-----w- c:\docume~1\admini~1.you\applic~1\Malwarebytes

2010-12-18 01:36:57 -------- d-----w- c:\docume~1\admini~1.you\locals~1\applic~1\Identities

==================== Find3M ====================

2010-10-21 02:42:57 0 ----a-w- c:\windows\ativpsrm.bin

2009-08-26 00:34:36 17919 ----a-w- c:\program files\common files\fatiqopa.reg

2004-03-11 20:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 23:01:55.90 ===============

=====================================================================================

ComboFix 11-01-07.02 - Administrator 01/09/2011 7:56.2.1 - x86 NETWORK

Running from: d:\newupgrades\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\regedit.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

c:\windows\PCHealth\UploadLB\Binaries\uploadm.exe . . . is infected!!

c:\windows\system32\msiregmv.exe . . . is infected!!

c:\windows\system32\tlntadmn.exe . . . is infected!!

c:\windows\system32\tlntsess.exe . . . is infected!!

c:\windows\system32\tlntsvr.exe . . . is infected!!

c:\windows\system32\typeperf.exe . . . is infected!!

c:\windows\system32\wupdmgr.exe . . . is infected!!

Infected copy of c:\windows\regedit.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{6BB2C274-6FE8-4B09-B975-E4CDF5AA4088}\RP35\A0002309.exe

.

((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))

.

2011-01-09 04:18 . 2011-01-09 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2011-01-09 03:02 . 2011-01-09 03:02 -------- d-----w- c:\program files\Crawler

2011-01-09 03:02 . 2011-01-09 03:04 -------- d-----w- c:\documents and settings\Administrator.YOUR-G695S2W2BC\Application Data\Spyware Terminator

2011-01-09 03:02 . 2011-01-09 03:02 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2011-01-09 03:02 . 2011-01-09 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2011-01-09 03:00 . 2011-01-09 03:00 -------- dc----w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

2011-01-09 01:25 . 2011-01-09 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-01-08 17:57 . 2011-01-08 17:57 -------- d-----w- c:\documents and settings\Administrator.YOUR-G695S2W2BC\Application Data\Lavasoft

2011-01-08 07:23 . 2011-01-08 07:24 -------- d-----w- c:\documents and settings\Administrator.YOUR-G695S2W2BC\Application Data\Stardock

2011-01-06 00:39 . 2011-01-09 02:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-05 19:26 . 2011-01-05 19:26 -------- d-----w- c:\documents and settings\Administrator.YOUR-G695S2W2BC\Application Data\Malwarebytes

2010-12-18 01:36 . 2010-12-18 01:36 -------- d-----w- c:\documents and settings\Administrator.YOUR-G695S2W2BC\Local Settings\Application Data\Identities

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 02:09 . 2009-08-26 00:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 02:08 . 2009-08-26 00:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 00:34 . 2009-08-26 00:34 17919 ----a-w- c:\program files\Common Files\fatiqopa.reg

2004-03-11 20:27 . 2004-05-08 14:37 40960 ----a-w- c:\program files\Uninstall_CDS.exe

.

------- Sigcheck -------

Cryptography Services Error !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Core Temp"="c:\apps\Utilities\Core Temp\Core Temp.exe" [2010-10-03 470544]

"SpywareTerminatorUpdate"="c:\apps\internet\Spyware Terminator\SpywareTerminatorUpdate.exe" [2011-01-09 3318784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PtiuPbmd"="ptipbm.dll" [2003-01-15 24576]

"StartCCC"="c:\drivers\ati\ATI.ACE\Core-Static\CLIStart.exe" [2010-07-07 98304]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]

"Advanced Spyware Remover"="c:\apps\internet\Advanced Spyware Remover\ASRtray.exe" [2009-12-16 1213952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"MaxRecentDocs"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-11-10 20:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-11-10 20:49 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-08-04 08:56 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\apps\\internet\\Opera\\opera.exe"=

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S0 viasraid;viasraid;c:\windows\System32\DRIVERS\viasraid.sys [2003-09-05 77056]

S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-01-09 142592]

S2 ASRservice;ASRservice;c:\apps\internet\Advanced Spyware Remover\ASRsrv.exe [2009-12-10 697104]

S3 ALSysIO;ALSysIO;c:\docume~1\ADMINI~1.YOU\LOCALS~1\Temp\ALSysIO.sys [x]

.

Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 06:22]

2011-01-07 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\apps\Utilities\NortonSystemWorks\OBC.exe [2004-06-02 04:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Crawler Search - tbr:iemenu

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-09 08:06

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\apps\misc\PalmOne\Hotsync.exe

d:\games\Stardock\ImpulseUpdater\Now\ImpulseNow.exe

c:\progra~1\COMMON~1\MICROS~1\DW\DW20.EXE

d:\games\Stardock\ImpulseUpdater\Impulse.exe

c:\windows\system32\HPZipm12.exe

c:\apps\internet\Spyware Terminator\sp_rsser.exe

c:\progra~1\COMMON~1\MICROS~1\DW\DW20.EXE

.

**************************************************************************

.

Completion time: 2011-01-09 08:06:56 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-09 16:06

ComboFix2.txt 2011-01-08 21:02

Pre-Run: 11,561,603,072 bytes free

Post-Run: 11,787,481,088 bytes free

- - End Of File - - FB96C8F01858ADC227F5B6F1771088C0


c:\windows\system32\msiregmv.exe . . . is infected!!

c:\windows\system32\tlntadmn.exe . . . is infected!!

c:\windows\system32\tlntsess.exe . . . is infected!!

c:\windows\system32\tlntsvr.exe . . . is infected!!

c:\windows\system32\typeperf.exe . . . is infected!!

c:\windows\system32\wupdmgr.exe . . . is infected!!

Those are all infected.

First, look on your Windows CD for replacements.

They should be found here:

C:\WINDOWS\ServicePackFiles\i386\

If found, I'd delete the infected ones and copy the good ones from the i386 folder to C:\WINDOWS\system32\

Also look for this one on the CD and replace it as well.

c:\windows\PCHealth\UploadLB\Binaries\uploadm.exe
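One way to verify the replacement step above before and after copying is to compare each flagged file in its live location against the cached copy in ServicePackFiles\i386 by hash, and to look at the Authenticode status of both. The script below is an added example written for this thread; it is not code from the thread, from ComboFix or from any other tool mentioned here. It assumes PowerShell 3 or later (for example run from another machine with the XP disk mounted, since XP SP2 has no PowerShell by default), and the $Root parameter, the Get-Sha256Hex and Compare-WithCache function names are assumptions; the file paths are the ones quoted in the thread.

```powershell
# Added example (not from the thread): check the files ComboFix flagged
# against the Service Pack cache copies in ServicePackFiles\i386, by SHA-256
# hash and Authenticode signature status.
# $Root is an assumption: point it at the Windows directory, or at the
# drive letter of an offline-mounted disk when run from another machine.
param(
    [string]$Root = 'C:\WINDOWS'
)

# Relative paths quoted in the thread; the cache keeps a flat copy by file name.
$flagged = @(
    'system32\msiregmv.exe',
    'system32\tlntadmn.exe',
    'system32\tlntsess.exe',
    'system32\tlntsvr.exe',
    'system32\typeperf.exe',
    'system32\wupdmgr.exe',
    'PCHealth\UploadLB\Binaries\uploadm.exe'
)

function Get-Sha256Hex {
    param([string]$Path)
    # Hash through .NET directly so the script does not depend on Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '')
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

function Compare-WithCache {
    param([string]$Relative)
    $live  = Join-Path $Root $Relative
    $cache = Join-Path $Root ('ServicePackFiles\i386\' + (Split-Path $Relative -Leaf))

    $result = [ordered]@{
        File        = $Relative
        LiveExists  = Test-Path $live
        CacheExists = Test-Path $cache
        HashMatch   = $null
        LiveSig     = $null
        CacheSig    = $null
    }
    if ($result.LiveExists -and $result.CacheExists) {
        $result.HashMatch = (Get-Sha256Hex $live) -eq (Get-Sha256Hex $cache)
    }
    # XP system binaries are normally catalog-signed rather than carrying an
    # embedded signature, so 'NotSigned' on its own is not proof of tampering;
    # a hash mismatch against the cache, or 'HashMismatch' on a file that does
    # carry an embedded signature, is the signal worth acting on.
    if ($result.LiveExists)  { $result.LiveSig  = (Get-AuthenticodeSignature $live).Status }
    if ($result.CacheExists) { $result.CacheSig = (Get-AuthenticodeSignature $cache).Status }
    return [pscustomobject]$result
}

$report = $flagged | ForEach-Object { Compare-WithCache $_ }
$report | Format-Table -AutoSize

# Files whose live copy differs from the cache copy are the replacement
# candidates the post above describes (delete the live copy, copy the
# cache copy back); the script only reports, it changes nothing.
$report | Where-Object { $_.HashMatch -eq $false } | ForEach-Object {
    Write-Warning "$($_.File) differs from its ServicePackFiles\i386 copy"
}
```

Run it once before replacing the files to see which live copies differ, and again afterwards: every row should then show HashMatch = True. A mismatch is a candidate, not proof, because a hotfix installed after the service pack can legitimately leave a newer file in system32 while the cache still holds the SP2 version; the opposite case, where ComboFix reports the file as infected and the cache copy differs, is what the replacement addresses. Nothing here requires the RPC or Windows Installer services that the thread reports as broken.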


Replaced the infected files from an 'expanded' copy of the file off of the Windows CD to no avail. Exact same behaviour. Since I need my machine operational I'm going to do a Windows repair install and eventually get MBAM up to flush out anything left.

This thread can be closed. Thanks for your help.

Mark.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
