Solve : My laptop is infected with Malware.trace... pls help! Windows Vista SP1?

Hi SD,

Thanks. Here is the LOG;

ComboFix 10-01-21.08 - Abc 01/22/2010 22:45:58.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1361 [GMT -5:00]
Running from: c:\users\Abc\Desktop\ComboFix.exe
Command switches used :: c:\users\Abc\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\temp\{4213ADD7-ABE3-4AE1-AB12-3102A09729C7}"
"c:\temp\{6849D4E4-78BF-4E9F-98AF-E9126F0190BA}"
"c:\temp\{7C7C93CA-3F2B-4004-B77A-15072EE1F841}"
"c:\temp\{B4670909-4FB9-407F-BE12-6AC53C71DF25}"
"c:\temp\{C7B22553-9619-40C3-9073-9251BD241830}"
"c:\temp\{F4A7B35F-3603-468D-B696-F77D3C42D24F}"
"c:\temp\7zSC763.tmp"
"c:\temp\mbr.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\__SkypeDialog_Cache
c:\temp\{4213ADD7-ABE3-4AE1-AB12-3102A09729C7}
c:\temp\{6849D4E4-78BF-4E9F-98AF-E9126F0190BA}
c:\temp\{7C7C93CA-3F2B-4004-B77A-15072EE1F841}
c:\temp\{B4670909-4FB9-407F-BE12-6AC53C71DF25}
c:\temp\{C7B22553-9619-40C3-9073-9251BD241830}
c:\temp\{F4A7B35F-3603-468D-B696-F77D3C42D24F}
c:\temp\~DEST
c:\temp\hsperfdata_Abc
c:\temp\Low
c:\temp\Word8.0
c:\temp\WPDNSE

.
((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-23 04:01 . 2010-01-23 04:01 -------- d-----w- c:\temp\WPDNSE
2010-01-23 03:56 . 2010-01-23 03:56 -------- d-----w- c:\users\Xyz\AppData\Local\temp
2010-01-23 03:56 . 2010-01-23 03:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-23 03:56 . 2010-01-23 03:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-23 03:56 . 2010-01-23 03:56 -------- d-----w- c:\users\Abc\AppData\Local\temp
2010-01-23 03:41 . 2010-01-23 03:42 -------- d-----w- C:\32788R22FWJFW
2010-01-18 18:50 . 2010-01-18 18:50 -------- d-----w- c:\temp\7zSC763.tmp
2010-01-18 18:43 . 2010-01-18 18:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-18 18:42 . 2010-01-18 18:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-18 18:42 . 2010-01-18 18:42 -------- d-----w- c:\users\Abc\AppData\Roaming\SUPERAntiSpyware.com
2010-01-18 17:33 . 2010-01-18 17:33 -------- d-----w- c:\program files\Trend Micro
2010-01-18 16:46 . 2010-01-18 16:46 -------- d-----w- c:\program files\CCleaner
2010-01-18 05:30 . 2010-01-18 20:18 -------- d-----w- c:\users\Abc\AppData\Local\ykvesl
2010-01-18 02:05 . 2010-01-18 02:05 -------- d-----w- c:\temp\Adobe
2010-01-15 04:43 . 2010-01-15 04:44 -------- d-----w- c:\temp\AllServicesInfoFiles
2010-01-15 04:30 . 2010-01-15 04:30 -------- d-----w- c:\users\Abc\AppData\Roaming\Sony Corporation
2010-01-15 04:18 . 2010-01-15 04:18 -------- d-----w- c:\program files\Sony
2010-01-15 04:16 . 2010-01-15 04:16 -------- d-----w- c:\programdata\Sony Corporation
2010-01-13 14:30 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 14:30 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 03:56 . 2006-12-18 04:05 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-23 03:38 . 2009-03-14 21:31 -------- d-----w- c:\users\Abc\AppData\Roaming\EditPlus 3
2010-01-18 20:34 . 2009-07-11 13:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 17:23 . 2008-08-13 23:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-18 14:55 . 2007-06-04 23:09 5568 ----a-w- c:\users\Abc\AppData\Local\d3d9caps.dat
2010-01-15 04:29 . 2006-12-18 04:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-15 04:19 . 2008-10-23 22:45 -------- d-----w- c:\program files\Common Files\PX STORAGE Engine
2010-01-14 16:12 . 2009-10-03 13:48 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-14 04:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-07 21:07 . 2009-07-11 13:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-07-11 13:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 03:26 . 2008-07-28 11:42 -------- d-----w- c:\users\Abc\AppData\Roaming\Image Zone Express
2009-11-09 13:22 . 2009-12-12 05:19 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:20 . 2009-12-12 05:19 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 11:04 . 2009-12-12 05:19 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 09:41 . 2009-11-25 05:36 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 13:20 . 2009-12-09 20:10 833024 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 13:16 . 2009-12-09 20:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 10:55 . 2009-12-09 20:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-12 00:50 . 2009-04-12 00:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Abc\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2006-12-18 77824]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-20 30192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
1-Click Answers.lnk - c:\program files\1-Click Answers\answers.exe [2009-3-18 806912]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-3-14 2756608]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 984352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"AUX"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs                REG_MULTI_SZ   BthServ
HPZ12                  REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt              REG_MULTI_SZ   hpqcxs08 hpqddsvc
WindowsMobile          REG_MULTI_SZ   wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ   WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3006168838-3830565526-230390905-1000Core.job
- c:\users\Abc\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-04 01:36]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3006168838-3830565526-230390905-1000UA.job
- c:\users\Abc\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-04 01:36]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-01-23 c:\windows\Tasks\User_Feed_Synchronization-{5E106CD2-F4D7-455D-AD14-67F094C60969}.job
- c:\windows\system32\msfeedssync.exe [2008-09-23 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: ADD to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Answers... - file://c:\program files\1-Click Answers\Html\atiemenu.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Linked&In Search
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - hxxp://download1.answers.com/pub/AnswersSetup.cab
DPF: {74F4F118-91E6-4AFC-B8D2-04066781F239} - hxxps://www.member-data.com/rdc/EZTwainX.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2124)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\HEWLET~1\Shared\HPQTOA~1.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\progra~1\1-CLIC~1\agtserv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-01-22 23:12:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-23 04:12
ComboFix2.txt 2010-01-21 01:31
ComboFix3.txt 2010-01-19 03:25

Pre-Run: 8,400,478,208 bytes free
Post-Run: 8,400,031,744 bytes free

- - End Of File - - 5B68C4A01E0905193521FAB61A998087
Some of those files are persistent. Another script to run.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
c:\temp\7zSC763.tmp

Folder::
C:\32788R22FWJFW
c:\temp\7zSC763.tmp


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in CASE it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
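The triage a practitioner does on a log like the one posted above, together with the CFScript layout the helper uses, as an added example in Python. This is not ComboFix's code and not part of the thread. The sample log lines are constructed from the "Files Created" and Run-key formats shown above; the "suspicious" heuristics (random-looking names under AppData or at the drive root, autostart targets in user-writable locations) are my assumptions, so a hit is a prompt to look at the entry, not a verdict on it.

```python
"""Triage a ComboFix log and render a CFScript in the layout used in this thread.

Added example; it is not ComboFix's code and not part of the original post.
The sample lines are constructed from the log format shown above, and the
"suspicious" heuristics below are my own assumptions, not anything ComboFix
itself reports.
"""
import re

# Constructed sample in the "Files Created" layout: created . modified size attrs path
FILES_CREATED = """\
2010-01-18 05:30 . 2010-01-18 20:18 -------- d-----w- c:\\users\\Abc\\AppData\\Local\\ykvesl
2010-01-18 18:42 . 2010-01-18 18:42 -------- d-----w- c:\\program files\\SUPERAntiSpyware
2010-01-13 14:30 . 2009-10-19 14:27 156672 ----a-w- c:\\windows\\system32\\t2embed.dll
2010-01-23 03:41 . 2010-01-23 03:42 -------- d-----w- C:\\32788R22FWJFW
"""

# Constructed sample in the "Reg Loading Points" Run-key layout: "name"="path" [date size]
RUN_KEYS = """\
"Windows Defender"="c:\\program files\\Windows Defender\\MSASCui.exe" [2008-01-19 1008184]
"Google Update"="c:\\users\\Abc\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe" [2008-09-04 133104]
"IgfxTray"="c:\\windows\\system32\\igfxtray.exe" [2006-11-06 98304]
"""

FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-\w]{8})\s+(?P<path>[A-Za-z]:\\.*)$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]*)\]$')

# Assumed heuristics: locations a standard user can write to, and "random-looking" names.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|documents and settings|temp|programdata)\\", re.I)
RANDOM_LOWER = re.compile(r"^[a-z]{5,12}$")                               # e.g. "ykvesl"
RANDOM_ROOT = re.compile(r"^[A-Za-z]:\\(?=[A-Z0-9]*\d)[A-Z0-9]{8,}$")     # e.g. C:\32788R22FWJFW


def parse_files_created(text):
    """Parse 'Files Created' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["attrs"].startswith("d")   # ComboFix marks directories with a leading d
        e["size"] = None if e["size"].startswith("-") else int(e["size"])
        entries.append(e)
    return entries


def parse_run_keys(text):
    """Parse Run-key value lines into dicts with name, path and the [date size] stamp."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_paths(entries):
    """(path, reason) pairs for entries whose last path component looks auto-generated."""
    hits = []
    for e in entries:
        path = e["path"]
        name = path.rsplit("\\", 1)[-1]
        if RANDOM_ROOT.match(path):
            hits.append((path, "random-looking folder at drive root"))
        elif USER_WRITABLE.match(path) and "appdata\\" in path.lower() and RANDOM_LOWER.match(name):
            hits.append((path, "random-looking name under AppData"))
    return hits


def autostarts_from_user_locations(run_entries):
    """Names of Run-key values whose target lives where a standard user can write."""
    return [e["name"] for e in run_entries if USER_WRITABLE.match(e["path"])]


def build_cfscript(files=(), folders=(), killall=True):
    """Render a CFScript with KillAll::, File:: and Folder:: blocks in the helper's layout."""
    blocks = []
    if killall:
        blocks.append("KillAll::")
    if files:
        blocks.append("File::\n" + "\n".join(files))
    if folders:
        blocks.append("Folder::\n" + "\n".join(folders))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    found = parse_files_created(FILES_CREATED)
    for path, why in suspicious_paths(found):
        print(f"{path}: {why}")
    for name in autostarts_from_user_locations(parse_run_keys(RUN_KEYS)):
        print(f"Run key '{name}' starts from a user-writable location")
    # Same targets as the script posted above; save this text as CFScript.txt with Notepad.
    print(build_cfscript(files=["c:\\temp\\7zSC763.tmp"], folders=["C:\\32788R22FWJFW"]))
```

Run it as-is to see which sample entries the heuristics pick out; the text that build_cfscript returns is what goes into CFScript.txt on the Desktop (plain text from Notepad, as step 5 above says), with the File:: and Folder:: lists swapped for the paths you actually intend to remove.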


