#1 (permalink) |
|
Registered User
Join Date: Mar 2009
Posts: 1
OS: xp
|
Comodo reporting malware
Comodo is reporting malware in system32\wpa.dll, instsrv.exe and srvany.exe.
I started to run DDS, but contrary to the guidance, it tried to modify registry entries. I ran Spybot and allowed it to clear wpa.dll, but next time I started, I had to go through re-validating Windows XP by phone (the laptop doesn't have an ethernet port, and as I couldn't log in it wouldn't start the wireless networking).

HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31:37, on 16/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer soft button\wsbklite.exe
C:\Program Files\Acer soft button\SB.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\tsnp2uvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\COMODO\COMODO Internet Security\cfpupdat.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wise Backlight] "C:\Program Files\Acer soft button\wsbklite.exe"
O4 - HKLM\..\Run: [Software Button] "C:\Program Files\Acer soft button\SB.exe"
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [tsnp2uvc] C:\WINDOWS\tsnp2uvc.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ChkMail] PY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1220040368194
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

-- End of file - 6379 bytes

COMODO Internet Security Logs
Table : Antivirus Logs
Date Created : 16/03/2009 22:57:52
Log Scope : Today
Records count : 37

Date/Time Action Location Malware Name Status
16/03/2009 21:39:51 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 21:40:18 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:29:46 Detect C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:30:01 Ignore C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:31:40 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:31:48 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:31:53 Detect C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:31:59 Ignore C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:32:05 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:32:12 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:32:19 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:32:26 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:32:27 Detect C:\WINDOWS\srvany.exe Backdoor.Win32.Agent.~EWC@423249 Success
16/03/2009 22:34:38 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:34:45 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:34:58 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:35:40 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:06 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:39:10 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:39:10 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:39:14 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:39:36 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:40 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:40 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:45 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:45 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:48 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:48 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:51 Ignore C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:39:51 Detect C:\WINDOWS\system32\wpa.dll Unclassified Malware@5370232 Success
16/03/2009 22:41:55 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:16 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:16 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:20 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:20 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:24 Ignore C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
16/03/2009 22:42:24 Detect C:\WINDOWS\instsrv.exe Unclassified Malware@6421737 Success
End of The Report

Help and guidance much appreciated!
Regards
Robert
#2 (permalink) | ||
|
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3
|
Re: Comodo reporting malware
Hello and welcome to TSF.
Sorry for the delay in response.
Quote:
HijackThis is no longer the preferred initial analysis tool in this forum. If you still require assistance, we want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:
Please follow our pre-posting process outlined here: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed. If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006