• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1431
  • Last Modified:

Is my sytem stil infected with spyware?

My system was infected with spywares and I have been taking suggested steps found online to remove and fix my system using Spybot, Combofix, SmithFrautFix and Hijackthis.  Currently, I have spybot S&D, Hijackthis, Combofix and McAfee installed on my system.  I thought I have gotten rid of all infections.  However, while using the system today, the Spybot S&D window popped up with following messages:
"Spybot - Search & Destroy has detected an important registry entry that has been changed
Category:  System Startup global entry
Change:    Value changed
Entry: McAfeeUpdatedUI
Old data: "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
New data: "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey"

I am suspicious of the change request due to the difference of the file names - "UdaterUI.exe" versus "udaterui.exe"  Should I allow the change?

Below is my Hijackthis log.  Would someone please take a look and see if it is still infected?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:24, on 2008-10-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\srvany.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Apps\Notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\system32\mqtgsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINNT\system32\WLTRAY.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Apps\Notes\NLNOTES.EXE
C:\Apps\Notes\ntaskldr.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [lcfep] "C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINNT\system32\WLTRAY
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: userdata.bat (User 'Default user')

O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39DD9F03-EB53-4ADE-B85D-965EA8521E6B} (MPI_Runner Class) - http://10.94.48.192/MPI.dll
O16 - DPF: {47CA7154-6B49-46D6-BD63-B8B83C64E7D9} - http://165.170.103.132/MasterView.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199827906073
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CC052E3B-7F7F-479A-9C48-AA480C188B3C} (MVL_Manager Class) - http://150.221.83.180/MasterView.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Apps\Notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

--
End of file - 11297 bytes

0
Charles Baldo
Asked:
Charles Baldo
  • 3
  • 2
3 Solutions
 
sk_raja_rajaCommented:
Yes .it looks like infected

download,install and clean using this freeware
www.superantispyware.com
0
 
tenaj-207Commented:
sk_raja_raja: What do you see that makes you think it's infected?

charlesbaldo: Certainly it's a good idea to fun a scan but, since UpdaterUI.exe is found under the c:\program files directory I think it's clean.  Search your drive for the file.  It should show up under program files.  If it shows up under C:\windows or c:\windows\system32 it is malware.

The following links show that the version of UdaterUI.exe is not malware.
http://www.spywaredata.com/spyware/malware/udaterui.exe.php
http://www.file.net/process/udaterui.exe.html
0
 
Charles BaldoSoftware DeveloperAuthor Commented:
Hi, All
Thank you for helping!

sk_raja_raja,
Would you please be a little bit specific and point out what line of log indicates the infection?  The SUPERAntiSpyware detected and deleted 311 Adware.Tracking Cookie threads.

tenaj,
The search found "UdateUI.exe" residing at "C:\Program Files\Network Associates\Common Framework\" directory.  The file version is "4.0.0.1180" and the file size is "134 KB".
I have also visited "http://www.spywaredata.com/spyware/malware/udaterui.exe.php" site too.  All the files listed on the page has file size of "133 KB".  Should I be concerned about 1 KB difference?

The search also found a file name "UDATERUI.EXE-3165ED8.pf" at "C:\WINNTPrefetch".  Does this mean anything?


0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
Charles BaldoSoftware DeveloperAuthor Commented:
tenaj-207,
I have also run the Security Task Manager.  However, I don't know if any of them are infected.
0
 
tenaj-207Commented:
If you have ran spybot and other virus/malware scanning tools then I'd say you're clean.  I'd keep running scans once a week for a month.  As for the 1KB size difference I think you're OK.  The prefetch  function (and folder) is used to speed up commonly used programs.  See the link from wikipedia for more info on prefetching.

http://en.wikipedia.org/wiki/Prefetcher
0
 
Charles BaldoSoftware DeveloperAuthor Commented:
Thanks all!  I guess it is OK for now until issues rise again.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now