06-25-2009, 05:09 PM   #3
kwong
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp


Re: UAC Virus/infection

Thank you for the fast reply. I sure appreciate your help, CatByte. ComboFix log pasted below and attached.

ComboFix 09-06-25.01 - Bob 06/25/2009 17:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1604 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\drivers\UACjwbpcbqevsiwemr.sys
c:\windows\system32\Install.txt
c:\windows\system32\UACdlllovrsgvxrpqm.dll
c:\windows\system32\UACfasfolwhostjett.dat
c:\windows\system32\UACfmurqbmonbmtbuy.dll
c:\windows\system32\UACfrqhioqvowyarri.db
c:\windows\system32\UACfwxmjftrcgmscny.dll
c:\windows\system32\UACgvyqdeepfdycujj.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACirxhvhpbfvkpdum.dll
c:\windows\system32\UACqmirxnxdbiggyyx.log
c:\windows\system32\UACrukprkddtmppxok.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACvxxownyxubangeq.dll
c:\windows\system32\UACymsrgeaxrqhobuj.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_6to4
-------\Legacy_dhcpsrv
-------\Legacy_isadisk
-------\Legacy_msncache
-------\Legacy_sopidkc
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 03:07 . 2009-06-25 03:10 -------- d-----w- c:\documents and settings\Bob\.SunDownloadManager
2009-06-25 03:00 . 2009-06-25 03:00 -------- d-----w- c:\documents and settings\Bob\Application Data\HP
2009-06-25 02:53 . 2009-06-25 02:53 -------- d-----w- C:\rsit
2009-06-25 02:03 . 2009-06-25 02:03 -------- d-----w- c:\program files\7-Zip
2009-06-25 01:02 . 2009-06-25 01:02 -------- d-----w- c:\program files\Trend Micro
2009-06-24 03:46 . 2009-06-24 03:46 -------- d-----w- c:\documents and settings\Bob\Application Data\Uniblue
2009-06-24 02:51 . 2009-06-25 00:07 -------- d-----w- c:\documents and settings\Bob\.housecall6.6
2009-06-24 02:23 . 2009-06-24 02:23 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2009-06-23 22:17 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 22:17 . 2009-06-23 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 22:17 . 2009-06-23 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 22:17 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 00:24 . 2009-06-23 00:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-22 02:37 . 2009-06-22 04:57 -------- d-----w- c:\windows\DLL
2009-06-05 03:11 . 2009-06-05 03:11 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 22:45 . 2008-09-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-25 02:43 . 2005-08-26 09:40 -------- d-----w- c:\program files\Java
2009-06-24 04:05 . 2007-06-22 19:48 77504 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-24 03:43 . 2005-08-26 10:07 -------- d-----w- c:\program files\Google
2009-06-09 01:22 . 2006-02-25 16:32 -------- d-----w- c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [6/23/2009 6:46 AM 200192]
S1 d034e143;d034e143;c:\windows\system32\drivers\d034e143.sys --> c:\windows\system32\drivers\d034e143.sys [?]
S2 lich;lich;"c:\windows\system32\lich.exe" --> c:\windows\system32\lich.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/quicktime/download
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 18:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?5?9?5??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-25 18:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 23:03

Pre-Run: 42,477,158,400 bytes free
Post-Run: 42,435,473,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Attached file: ComboFix.txt (7.0 KB)