Comodo is reporting malware in system32\wpa.dll, instsrv.exe and srvany.exe
I started to run DDS, but contrary to the guidance, it tried to modify registry entries.
I ran Spybot and allowed it to clear wpa.dll, but next time I started, I had to go through re-validating Windows XP by phone (the laptop doesn't have an ethernet port, and as I couldn't log in, it wouldn't start the wireless networking).
HijackThis log follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31:37, on 16/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer soft button\wsbklite.exe
C:\Program Files\Acer soft button\SB.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\tsnp2uvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\COMODO\COMODO Internet Security\cfpupdat.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wise Backlight] "C:\Program Files\Acer soft button\wsbklite.exe"
O4 - HKLM\..\Run: [Software Button] "C:\Program Files\Acer soft button\SB.exe"
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [tsnp2uvc] C:\WINDOWS\tsnp2uvc.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ChkMail] PY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1220040368194
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
--
End of file - 6379 bytes
COMODO Internet Security Logs
Table: Antivirus Logs
Date Created: 16/03/2009 22:57:52
Log Scope: Today
Records count: 37
Date/Time Action Location Malware Name Status
16/03/2009 21:39:51 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 21:40:18 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:29:46 Detect C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:30:01 Ignore C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:31:40 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:31:48 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:31:53 Detect C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:31:59 Ignore C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:32:05 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:32:12 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:32:19 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:32:26 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:32:27 Detect C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:34:38 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:34:45 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:34:58 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:35:40 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:06 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:39:10 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:39:10 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:39:14 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:39:36 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:40 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:40 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:45 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:45 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:48 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:48 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:51 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:51 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:41:55 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:16 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:16 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:20 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:20 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:24 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:24 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
End of The Report
Help and guidance much appreciated!
Regards
Robert