
Malwarebytes

Trojan & Malware


3 replies to this topic

#1
neshka

    New Member

  • Members
  • 3 posts
I had a fake XP security system virus so I downloaded Malware and got rid of most of it, except for a trojan system32\uacinit.dll and a rootkit virus. I downloaded combofix to solve that problem and my Malware now says I'm virus free, but my Mozilla Firefox keeps crashing the same way it did when I had the viruses. Here is my combofix log and my Malware log after I ran combofix. Thanks for your help.

ComboFix 09-08-29.01 - Neshka 08/30/2009 9:40.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.758.360 [GMT -4:00]
Running from: c:\documents and settings\Neshka\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090829-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\run.log
c:\windows\system32\drivers\kbiwkmmnntdoju.sys
c:\windows\system32\drivers\UACunjhstxqwi.sys
c:\windows\system32\kbiwkmnjysxrxg.dat
c:\windows\system32\kbiwkmuhhnkyvj.dll
c:\windows\system32\kbiwkmwgoseiep.dll
c:\windows\system32\kbiwkmydkqbpwm.dat
c:\windows\system32\UACabmgigeahe.dat
c:\windows\system32\UACclymkdoouk.db
c:\windows\system32\UACiqkcjmkebp.dll
c:\windows\system32\UACnbawnelall.dll
c:\windows\system32\UACvqualrcxyu.dll
c:\windows\system32\UACwhfjdnaeaq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmntlaquxs
-------\Legacy_kbiwkmntlaquxs
-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-30 00:52 . 2009-08-30 00:52 -------- d-----w- c:\documents and settings\Neshka\Application Data\Malwarebytes
2009-08-30 00:39 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 00:38 . 2009-08-30 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 00:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 00:17 . 2009-08-30 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 18:58 . 2009-08-29 18:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-29 18:57 . 2009-08-29 20:08 -------- d-----w- c:\documents and settings\Neshka\Application Data\skypePM
2009-08-29 18:56 . 2009-08-30 01:31 -------- d-----w- c:\documents and settings\Neshka\Application Data\Skype
2009-08-29 18:55 . 2009-08-29 18:55 -------- d-----w- c:\program files\Common Files\Skype
2009-08-29 18:55 . 2009-08-29 18:55 -------- d-----r- c:\program files\Skype
2009-08-29 18:54 . 2009-08-29 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-16 19:54 . 2009-06-25 08:44 133632 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-16 19:54 . 2009-06-22 11:34 92544 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-16 19:54 . 2009-06-25 08:44 59392 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-08-16 19:54 . 2009-06-25 08:44 298496 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-08-13 17:15 . 2009-06-12 11:50 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-13 17:14 . 2009-06-12 11:50 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-08-13 12:25 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-06 14:55 . 2009-08-25 15:55 -------- d-----w- c:\documents and settings\Neshka\Application Data\Prism
2009-08-06 14:55 . 2009-08-06 14:55 -------- d-----w- c:\documents and settings\All Users\Prism
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 22:15 . 2008-07-02 20:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-19 22:15 . 2008-06-23 11:41 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-19 22:15 . 2008-06-23 11:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:11 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 17:09 . 2009-07-05 17:09 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 17:09 . 2009-07-05 17:09 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 16:12 . 2006-06-23 15:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 18:36 . 2003-03-31 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2003-03-31 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2003-03-31 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2003-03-31 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2003-03-31 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2003-03-31 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2003-03-31 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2003-03-31 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2003-03-31 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2003-03-31 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2003-03-31 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2003-03-31 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2005-06-15 17:50 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2003-03-31 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2003-03-31 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2003-03-31 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2003-03-31 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2003-03-31 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-22 11:49 . 2003-03-31 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2003-03-31 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2003-03-31 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2003-03-31 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2003-03-31 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2003-03-31 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2006-06-24 03:59 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2003-03-31 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2007-03-28 03:42 . 2007-03-28 03:43 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-11-13 02:15 . 2008-11-13 02:07 80 --sh--r- c:\windows\system32\D02E93BC50.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-01-23 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"ACU"="c:\program files\Atheros\ACU.exe" [2005-01-31 253952]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-06-01 192512]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-03-15 2893824]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-06-06 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-07-25 81920]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-19 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]

c:\documents and settings\Neshka\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-5-31 577597]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-5 53317]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-16 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 22:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/8/2009 12:22 AM 114768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/23/2008 7:41 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/23/2008 7:41 AM 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/8/2009 12:22 AM 20560]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 4:58 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 4:58 PM 297752]
S1 mailKmd;mailKmd; [x]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [6/24/2006 12:26 AM 2343]
.
Contents of the 'Scheduled Tasks' folder

2009-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-02 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theglobeandmail.com/
uInternet Settings,ProxyServer = webproxy.queensu.ca:8080
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Neshka\Application Data\Mozilla\Firefox\Profiles\p2gnfkuk.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 09:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-08-30 9:57
ComboFix-quarantined-files.txt 2009-08-30 13:56

Pre-Run: 6,287,732,736 bytes free
Post-Run: 7,549,968,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

214 --- E O F --- 2009-08-26 19:41


Malware log

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/30/2009 10:20:06 AM
mbam-log-2009-08-30 (10-20-06).txt

Scan type: Quick Scan
Objects scanned: 85138
Time elapsed: 13 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
The logs show that you have 2 Anti-Virus programs installed and running, Avast and AVG. Please choose one and FULLY remove the other one.

Click on START - RUN and type in SC DELETE mailKmd and click OK.

Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup222_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts


Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
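The ComboFix log in the first post and the advice in the reply above share a small set of facts a helper acts on: two on-access AV engines registered (the two "AV:" header lines), a service entry "S1 mailKmd;mailKmd; [x]" whose binary ComboFix could not find (hence the SC DELETE mailKmd instruction), "EnableFirewall"= 0 under the standard profile, a Run value for WLTRAY marked [X], and a firewall exception for %windir%\system32\drivers\svchost.exe (the real svchost.exe lives in system32 itself, not the drivers folder, so that entry is worth checking even though ComboFix did not flag it). The script below is an added example, not a ComboFix or Malwarebytes tool, that pulls those items out of a ComboFix log so they are not overlooked; SAMPLE_LOG is a constructed excerpt of the log posted above, and the [x]/[X] and "AV:" conventions it relies on are as ComboFix prints them in that log.

```python
"""Triage a ComboFix log for the items a helper acts on first (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 09-08-29.01 - Neshka 08/30/2009 9:40.1.1 - NTFSx86
AV: avast! antivirus 4.8.1335 [VPS 090829-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-01-23 155648]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/8/2009 12:22 AM 114768]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 4:58 PM 297752]
S1 mailKmd;mailKmd; [x]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [6/24/2006 12:26 AM 2343]
"""

AV_RE = re.compile(r"^AV:\s+(.+?)\s+\*On-access scanning (enabled|disabled)\*")
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")      # R1 name;display;path [info]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*(.*)$')                  # "value"="target" [info]
FW_ENABLED_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
FW_EXCEPTION_RE = re.compile(r'^"([^"]+)"=\s*$')                      # AuthorizedApplications entries
MISSING_RE = re.compile(r"\[x\]", re.IGNORECASE)                      # ComboFix: file not found


@dataclass
class Service:
    state: str      # "R" running / "S" stopped, as ComboFix prints it
    start: int      # start type digit (0 boot .. 4 disabled)
    name: str
    display: str
    path: str       # empty when ComboFix printed no image path
    missing: bool   # ComboFix marked the entry [x]


def _lines(text):
    return [ln.rstrip() for ln in text.splitlines()]


def parse_av_products(text):
    """(product, on_access_enabled) for every AV: line in the header."""
    return [(m.group(1), m.group(2) == "enabled")
            for m in map(AV_RE.match, _lines(text)) if m]


def parse_firewall_enabled(text):
    """True/False from EnableFirewall; None if ComboFix did not print the key."""
    for m in map(FW_ENABLED_RE.match, _lines(text)):
        if m:
            return m.group(1) == "1"
    return None


def parse_services(text):
    out = []
    for m in map(SERVICE_RE.match, _lines(text)):
        if not m:
            continue
        state, start, name, display, tail = m.groups()
        path = tail.split(" [", 1)[0].strip()        # drop the trailing [date size] block
        out.append(Service(state, int(start), name, display, path, bool(MISSING_RE.search(tail))))
    return out


def parse_missing_run_entries(text):
    """Run-key values whose target ComboFix marked [X]."""
    return [(m.group(1), m.group(2))
            for m in map(RUN_RE.match, _lines(text)) if m and MISSING_RE.search(m.group(3))]


def suspicious_firewall_exceptions(text):
    """Authorised programs placed under the system32 drivers folder, where no
    legitimate executable (svchost.exe included) belongs."""
    out = []
    for m in map(FW_EXCEPTION_RE.match, _lines(text)):
        if not m:
            continue
        p = m.group(1).replace("\\\\", "\\")         # undo the registry-export doubling
        if "\\system32\\drivers\\" in p.lower() and p.lower().endswith(".exe"):
            out.append(p)
    return out


def sc_delete_commands(text):
    """`sc delete` for each service whose binary is gone (the SC DELETE mailKmd
    advice above); run from an admin prompt, only for services you do not want back."""
    return [f"sc delete {s.name}" for s in parse_services(text) if s.missing]


def triage(text):
    findings = []
    active = [name for name, on in parse_av_products(text) if on]
    if len(active) > 1:
        findings.append(f"{len(active)} on-access AV engines active: " + "; ".join(active))
    if parse_firewall_enabled(text) is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    for s in parse_services(text):
        if s.missing:
            findings.append(f"service {s.name} (start type {s.start}) points at a missing binary")
    for name, path in parse_missing_run_entries(text):
        findings.append(f"Run entry {name!r} -> {path} not found on disk")
    for p in suspicious_firewall_exceptions(text):
        findings.append(f"firewall exception for {p}: executables do not belong under system32\\drivers")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it against a saved ComboFix.txt by reading the file into `triage()`; on the excerpt it reports the two active engines, the disabled firewall, the mailKmd service, the WLTRAY Run entry and the svchost.exe exception. It only parses what ComboFix already printed, so a clean report from it is not a clean bill of health; the [x] marker tells you the file is gone, not why.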

#3
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Please post a status update.
Ron Lewis
Manager, Online Support


#4
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support
