I created a thread about this a while ago, but I didn't have access to this computer for the past week. My apologies to whoever was helping me out. Could you please give me a hand with this again? Here are my most recent HijackThis, Malwarebytes, and ComboFix logs:
Malwarebytes' Anti-Malware 1.40
Database version: 2747
Windows 5.1.2600 Service Pack 3
9/11/2009 9:10:56 PM
mbam-log-2009-09-11 (21-10-56).txt
Scan type: Quick Scan
Objects scanned: 105797
Time elapsed: 6 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACpkbeetfqxy.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
\\?\globalroot\systemroot\system32\UACpkbeetfqxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:48 PM, on 9/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher...amp;tbid=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox...aspx?tbid=80211
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox...aspx?tbid=80211
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox...aspx?tbid=80211
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox...aspx?tbid=80211
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O2 - BHO: WhiteSmoke IE Toolbar - {ebba2a2f-7b79-462a-a550-e500fe0dd556} - C:\Program Files\WhiteSmoke_IE\tbWhit.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: WhiteSmoke IE Toolbar - {ebba2a2f-7b79-462a-a550-e500fe0dd556} - C:\Program Files\WhiteSmoke_IE\tbWhit.dll
O3 - Toolbar: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - (no file)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud4.sports.y...lgcst1008_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - http://www.bitstream...er/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} - http://www.smartforce.com/v2.1/application...XClientUtil.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123826332812
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/ch...urce/ImlCID.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.tvucricke...cx-en-black.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pantech&Curitel Utility Service - Unknown owner - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11559 bytes
ComboFix 09-09-11.01 - New_2 09/11/2009 21:50.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.750 [GMT -4:00]
Running from: c:\documents and settings\New_2\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Protection System
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-1102431096-3501129753-3402990224-1003
c:\recycler\S-1-5-21-1186694003-96016034-1548379393-1003
c:\recycler\S-1-5-21-282075865-1939427835-3618866953-1003
c:\recycler\S-1-5-21-3153419142-3780881965-799062999-1003
c:\recycler\S-1-5-21-3227865010-455746915-1028428256-1003
c:\recycler\S-1-5-21-3238662871-1790741414-652470288-1003
c:\recycler\S-1-5-21-3601092178-794726428-1554454277-1003
c:\recycler\S-1-5-21-3604086767-2474784246-2590510732-1003
c:\recycler\S-1-5-21-3638781748-370492042-684896723-1003
c:\recycler\S-1-5-21-3695822336-2125869433-230064857-1003
c:\recycler\S-1-5-21-761356207-334219116-3886138198-1003
c:\recycler\S-1-5-21-861567501-1229272821-682003330-1003
c:\windows\Installer\104f0.msi
c:\windows\Installer\1262af.msi
c:\windows\Installer\207bce.msi
c:\windows\Installer\223b034.msi
c:\windows\Installer\223b04b.msi
c:\windows\Installer\270bf1.msi
c:\windows\Installer\270bf8.msi
c:\windows\Installer\309d37e.msi
c:\windows\Installer\9d18a.msi
c:\windows\Installer\9d194.msi
c:\windows\Installer\9d198.msi
c:\windows\Installer\d4f35.msi
c:\windows\Installer\d4f3b.msi
c:\windows\system32\B4FM.dll
c:\windows\system32\drivers\kbiwkmuhbapkkd.sys
c:\windows\system32\drivers\UACsjunaelwow.sys
c:\windows\system32\kbiwkmlypqrhjt.dat
c:\windows\system32\kbiwkmqwgixxes.dll
c:\windows\system32\kbiwkmtfuhypqh.dat
c:\windows\system32\kbiwkmtpdwfjpb.dll
c:\windows\system32\kbiwkmxnvjkcmy.dll
c:\windows\system32\UACfvmfpfucrd.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmtnkmagyxm.dat
c:\windows\system32\UACovohxvmohc.dll
c:\windows\system32\UACpkbeetfqxy.dll
c:\windows\system32\UACwutobxxhev.dll
c:\windows\system32\wscsvc32.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_kbiwkmrviqqaqb
-------\Legacy_kbiwkmrviqqaqb
-------\Service_UACd.sys
-------\Legacy_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.
2009-09-12 01:23 . 2009-09-12 01:38 -------- dc----w- C:\ComboFix
2009-09-07 06:06 . 2009-09-07 06:06 -------- dc----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-07 05:55 . 2009-09-07 05:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-06 18:26 . 2009-09-06 18:26 -------- dc----w- c:\program files\Trend Micro
2009-09-06 00:51 . 2009-09-06 00:51 -------- dc----w- c:\documents and settings\New_2\Application Data\Malwarebytes
2009-09-06 00:41 . 2009-08-03 17:36 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 00:41 . 2009-09-06 00:51 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 00:41 . 2009-09-06 00:41 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-06 00:41 . 2009-08-03 17:36 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-05 21:46 . 2009-09-05 23:36 -------- dc----w- C:\$AVG8.VAULT$
2009-09-05 21:43 . 2009-09-05 21:43 -------- dc----w- c:\program files\AVG
2009-09-05 21:43 . 2009-09-07 05:57 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-13 15:20 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 19:44 . 2008-11-07 23:45 -------- dc----w- c:\program files\Common Files\PC Tools
2009-09-05 19:43 . 2007-04-02 05:33 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-15 20:36 . 2008-10-10 21:24 -------- dc----w- c:\documents and settings\New_2\Application Data\dvdcss
2009-08-11 17:10 . 2007-01-13 15:20 -------- dc----w- c:\program files\Google
2009-08-11 17:06 . 2007-03-30 18:48 -------- dc----w- c:\program files\Apple Software Update
2009-08-11 17:05 . 2009-05-06 15:14 -------- dc----w- c:\program files\Coupons
2009-08-05 09:01 . 2003-11-28 00:46 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2002-11-13 23:20 58880 -c--a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-09-08 03:39 286208 -c--a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2004-02-07 01:05 666624 -c--a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:56 81920 -c--a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2002-11-13 23:21 119808 -c--a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-11-13 23:20 81920 -c--a-w- c:\windows\system32\fontsub.dll
2006-08-06 01:36 . 2006-08-06 01:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2004-10-01 23:00 . 2008-03-01 01:47 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2001-11-30 19:09 . 2004-01-26 05:46 49152 -c--a-r- c:\program files\Common Files\HDvAvi.dll
2004-08-04 07:56 . 2006-03-11 00:29 73728 -csha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2004-10-03 19:04 . 2004-09-04 18:05 11270 -csha-w- c:\windows\system32\KGyGaAvL.sys
2000-07-15 07:00 . 2000-07-15 07:00 929844 -csha-w- c:\windows\system32\MFC42D.DLL
2000-07-15 07:00 . 2000-07-15 07:00 41013 -csha-w- c:\windows\system32\MFCN42D.DLL
2000-07-15 07:00 . 2000-07-15 07:00 434252 -csha-w- c:\windows\system32\MSVCRTD.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ebba2a2f-7b79-462a-a550-e500fe0dd556}]
2007-12-19 19:53 1514520 -c--a-w- c:\program files\WhiteSmoke_IE\tbWhit.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ebba2a2f-7b79-462a-a550-e500fe0dd556}"= "c:\program files\WhiteSmoke_IE\tbWhit.dll" [2007-12-19 1514520]
[HKEY_CLASSES_ROOT\clsid\{ebba2a2f-7b79-462a-a550-e500fe0dd556}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EBBA2A2F-7B79-462A-A550-E500FE0DD556}"= "c:\program files\WhiteSmoke_IE\tbWhit.dll" [2007-12-19 1514520]
[HKEY_CLASSES_ROOT\clsid\{ebba2a2f-7b79-462a-a550-e500fe0dd556}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-04 40960]
"LMPDPSRV"="c:\windows\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-09-05 45056]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-06-20 114688]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-08 185896]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
c:\documents and settings\New_2\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
VPN Client.lnk - c:\windows\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2005-8-23 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:market caster
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 4:58 AM 24652]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;c:\windows\system32\drivers\ma101rnd.sys [10/17/2003 8:49 PM 76160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} - hxxp://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
FF - ProfilePath - c:\documents and settings\New_2\Application Data\Mozilla\Firefox\Profiles\2pl6d86f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-stage6&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-stage6&p=
FF - plugin: c:\documents and settings\New_2\Application Data\Mozilla\Firefox\Profiles\2pl6d86f.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 22:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\InternetShortcut\shellex\Y*0 ’ *]
@="{FBF23B40-E3F0-101B-8488-00AA003E56F8}"
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2009-09-12 22:08
ComboFix-quarantined-files.txt 2009-09-12 02:07
Pre-Run: 5,351,936,000 bytes free
Post-Run: 5,556,535,296 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
211 --- E O F --- 2009-08-26 19:12
#1
Posted 12 September 2009 - 02:19 AM
#2
Posted 12 September 2009 - 04:22 AM
Hi,
Please update MBAM, run a Quick Scan, and post its log.
After that, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
- Click Start Scanning.
- You should get a notification bar (on top) to install the ActiveX control.
- Click on it and select to install the ActiveX.
- Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
- In case you are having problems with installing the ActiveX/starting the scan, please read here.
- Click the Full System Scan button.
- It will start to download scanner components and databases. This can take a while.
- The main scan will start.
- Once the scan has finished scanning, click the Automatic cleaning (recommended) button
- It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
- The cleaning can take a while, so please be patient.
- Then click the Show report button and Copy/Paste what is present under results in your next reply.
Next, download my Security Check from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Let me know how things are running now and what issues remain.
-screen317
#3
Posted 12 September 2009 - 05:11 PM
I ran the Malwarebytes Quick Scan, but it didn't pick up anything this time, so I ran it in Safe Mode and it still didn't pick up anything. However, the Full Scan found quite a few infections, so I'm posting that log.
Malwarebytes' Anti-Malware 1.41
Database version: 2783
Windows 5.1.2600 Service Pack 3 (Safe Mode)
9/12/2009 10:48:33 AM
mal
Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 155332
Time elapsed: 50 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmqwgixxes.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxnvjkcmy.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACovohxvmohc.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpkbeetfqxy.dll.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmuhbapkkd.sys.vir (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141800.sys (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141801.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141802.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141806.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141808.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1201\A0142130.exe (Trojan.FakeAlert) -> No action taken.
4 malware found
Trojan.Downloader.Vbs.Psyme.F (virus)
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0EAE6C79.HTM (Renamed)
Trojan.Downloader.HTML.Agent.F (virus)
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\214E6024.HTM (Renamed)
Exploit.ADODB.Stream.DD (virus)
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\70781CFD (Renamed)
Exploit.HTML.Execod.A (virus)
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\70E30686 (Renamed)
Statistics
Scanned:
* Files: 45717
* System: 3289
* Not scanned: 111
Actions:
* Disinfected: 0
* Renamed: 4
* Deleted: 0
* Not cleaned: 0
* Submitted: 0
Files not scanned:
Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Norton 360
``````````````````````````````
Anti-malware/Other Utilities Check:
Windows Defender Signatures
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
Java 6 Update 5
Java 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MsMpEng.exe is disabled!
New_2 LOCALS~2 Temp OnlineScanner\Anti-Virus\fsgk32.exe
New_2 LOCALS~2 Temp OnlineScanner\Anti-Virus\fssm32.exe
New_2 LOCALS~2 Temp fsonlinescanner.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
Malwarebytes' Anti-Malware 1.41
Database version: 2783
Windows 5.1.2600 Service Pack 3 (Safe Mode)
9/12/2009 10:48:33 AM
mal
Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 155332
Time elapsed: 50 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmqwgixxes.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxnvjkcmy.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACovohxvmohc.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpkbeetfqxy.dll.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmuhbapkkd.sys.vir (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141800.sys (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141801.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141802.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141806.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1200\A0141808.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{594D466B-641D-40B0-A896-BC549925720C}\RP1201\A0142130.exe (Trojan.FakeAlert) -> No action taken.
#4
Posted 13 September 2009 - 03:36 AM
Quote
However, the full scan found quite a few infections so I'm posting that log.
Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.
This uninstalls all of ComboFix's components.
Delete SecurityCheck.
After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):
Java™ 6 Update 5
Java™ 6 Update 7
Adobe Reader 8
Restart your computer.
Get the latest version of Java and Adobe Reader.
Let me know what issues remain.
-screen317
#5
Posted 13 September 2009 - 04:49 AM
OK, did everything. The computer seems to be working fine right now. When I turn my computer on, a bubble pops up from the tray saying that McAfee virus scan and firewall are disabled. Is McAfee part of the XP security system? Is there anything else I need to do, or is everything fixed and cleaned now? If so, could I go ahead and install Norton 360? Thanks!
#6
Posted 14 September 2009 - 07:24 AM
No, McAfee is an independent company and it appears as though remnants of a previous installation are still there.
Download the McAfee Removal Tool.
Double-click on MCPR.exe to launch it, then click Run. A window should appear and disappear; this is normal. A new window should pop up and begin the uninstall. When prompted to reboot your computer, type Y.
Feel free to install your antivirus, though I would recommend a few (free) others before Norton 360. See my recommendations below.
Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:
1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.
Kerio
Comodo
Outpost
2) It is imperative that you have an antivirus. You are basically asking for infection without one.
All of the following are excellent free antiviruses. Be sure to only install one.
AVG
AntiVir
avast!.
3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.
4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.
5) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.
6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.
7) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
- Green to go
- Yellow for caution
- Red to stop
8) Be sure to update your Antivirus and Antispyware programs often!
Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?
Safe surfing,
-screen317
#7
Posted 14 September 2009 - 12:23 PM
Thank you very much for your help!
#8
Posted 15 September 2009 - 08:00 AM
Glad we could help. 
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.