Ran Malwarebytes several times, with the recurring reported removal, yet the infection persists scan after scan:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Saw chipdaddy's thread from a few days ago, and understand the removal is multi-step, and installation specific.
The only real-time virus control is Avast Home Edition. Have the free editions of Malwarebytes, SUPERAntiSpyWare, and SpywareBlaster, but they are only as needed scanners. Only MalwareBytes found the infection.
I downloaded ComboFix, disabled Avast, and ran/installed ComboFix.com. Here is the log:
Hope Perplexus or someone like him can help! Thank you.
>>>Edited to add:
OK, maybe I should not have done this, but after the ComboFix scan above last night, I scanned again this morning with MalwareBytes: no infection found. So, I tried Windows Update and it seemed to work (the IE6 URL displayed was from update.microsoft.com.)
Did that fix it? If so, what cleanup may be necessary? -Thanks
Edited by LifeOnAString, 22 September 2009 - 08:44 AM.
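The Malwarebytes detection in this post is a service ImagePath pointing at a misspelled environment variable (%fystemroot% instead of %SystemRoot%), which Windows cannot expand, so the Windows Update (wuauserv) and BITS services no longer start from the real svchost.exe. The check below is an added example, not code from the original post or from Malwarebytes: it flags ImagePath values that reference unknown variables or that do not resolve to the expected svchost command line. The service table and the dummy expansion values (c:\windows) are constructed assumptions for illustration; on a real machine the entries would come from the Services registry key.

```python
import re

# Environment variables Windows normally expands in service ImagePath values
# (an illustrative allow-list, not an exhaustive one).
KNOWN_ENV_VARS = {"systemroot", "windir", "systemdrive", "programfiles", "commonprogramfiles"}

# Services that must run inside svchost.exe with the given -k group (from the log above).
SVCHOST_SERVICES = {"wuauserv": "netsvcs", "bits": "netsvcs"}

ENV_REF = re.compile(r"%([^%]+)%")


def expand(image_path):
    """Expand known variables with assumed values; unknown ones stay literal, as Windows leaves them."""
    def sub(match):
        name = match.group(1).lower()
        if name in ("systemroot", "windir"):
            return r"c:\windows"  # assumed install location for this example
        if name == "systemdrive":
            return "c:"
        return match.group(0)  # e.g. %fystemroot% is never expanded
    return ENV_REF.sub(sub, image_path)


def check_image_path(service, image_path):
    """Return a list of findings for one service's ImagePath (empty list means it looks sane)."""
    findings = []
    for var in ENV_REF.findall(image_path):
        if var.lower() not in KNOWN_ENV_VARS:
            findings.append(f"unknown environment variable %{var}%")
    group = SVCHOST_SERVICES.get(service.lower())
    if group is not None:
        expected = rf"c:\windows\system32\svchost.exe -k {group}"
        if expand(image_path).lower() != expected:
            findings.append(f"expected '{expected}', got '{expand(image_path)}'")
    return findings


def scan_services(entries):
    """Map each service name to its findings, keeping only services that have at least one."""
    return {svc: f for svc, path in entries.items() if (f := check_image_path(svc, path))}


# Constructed sample: the first two entries mirror the Bad/Good values from the Malwarebytes log.
SAMPLE_SERVICES = {
    "wuauserv": r"%fystemroot%\system32\svchost.exe -k netsvcs",
    "BITS": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",
}

if __name__ == "__main__":
    for svc, findings in scan_services(SAMPLE_SERVICES).items():
        print(svc, "->", "; ".join(findings))
```

A hijacked entry produces two findings (the unexpandable variable and the mismatched command line); a value that Malwarebytes lists as Good produces none.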