Charles Baldo
asked on
Is my sytem stil infected with spyware?
My system was infected with spywares and I have been taking suggested steps found online to remove and fix my system using Spybot, Combofix, SmithFrautFix and Hijackthis. Currently, I have spybot S&D, Hijackthis, Combofix and McAfee installed on my system. I thought I have gotten rid of all infections. However, while using the system today, the Spybot S&D window popped up with following messages:
"Spybot - Search & Destroy has detected an important registry entry that has been changed
Category: System Startup global entry
Change: Value changed
Entry: McAfeeUpdatedUI
Old data: "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
New data: "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey"
I am suspicious of the change request due to the difference of the file names - "UdaterUI.exe" versus "udaterui.exe" Should I allow the change?
Below is my Hijackthis log. Would someone please take a look and see if it is still infected?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:24, on 2008-10-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon .exe
C:\WINNT\system32\services .exe
C:\WINNT\system32\lsass.ex e
C:\WINNT\system32\Ati2evxx .exe
C:\WINNT\system32\svchost. exe
C:\WINNT\System32\svchost. exe
C:\WINNT\System32\WLTRYSVC .EXE
C:\WINNT\System32\bcmwltry .exe
C:\WINNT\system32\spoolsv. exe
C:\WINNT\system32\srvany.e xe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterServi ce.exe
C:\WINNT\system32\inetsrv\ inetinfo.e xe
C:\apps\Tivoli\lcf\bin\w32 -ix86\mrt\ lcfd.exe
C:\Program Files\Network Associates\VirusScan\Mcshi eld.exe
C:\Program Files\Network Associates\VirusScan\VsTsk Mgr.exe
C:\Apps\Notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NI CCONFIGSVC .exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter .exe
C:\WINNT\system32\mqsvc.ex e
C:\WINNT\system32\mqtgsvc. exe
C:\WINNT\system32\Ati2evxx .exe
C:\WINNT\Explorer.EXE
C:\apps\Tivoli\lcf\bin\w32 -ix86\mrt\ lcfep.exe
C:\Program Files\Network Associates\VirusScan\SHSTA T.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon. exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quicks et.exe
C:\WINNT\system32\dla\tfsw ctrl.exe
C:\Program Files\CyberLink\PowerDVD\D VDLauncher .exe
C:\WINNT\system32\WLTRAY.e xe
C:\WINNT\system32\wuauclt. exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\ctfmon.e xe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Apps\Notes\NLNOTES.EXE
C:\Apps\Notes\ntaskldr.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX E
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService .exe
C:\Program Files\Trend Micro\HijackThis\HijackThi s.exe
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\In ternet Explorer\Main,Local Page = C:\windows\system32\blank. htm
R0 - HKLM\Software\Microsoft\In ternet Explorer\Main,Local Page = C:\windows\system32\blank. htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7 84B7D6BE0B 3} - C:\Program Files\Common Files\Adobe\Acrobat\Active X\AcroIEHe lper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2 06D7942484 F} - C:\PROGRA~1\SPYBOT~1\SDHel per.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0 0123456789 0} - C:\WINNT\system32\dla\tfsw shx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D 4DAF1D92D4 3} - C:\Program Files\Java\jre1.6.0_05\bin \ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C F10577473F 7} - c:\program files\google\googletoolbar 1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C E66B5AD205 D} - C:\Program Files\Google\GoogleToolbar Notifier\4 .1.805.185 2\swg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJP MIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\system32\IME\PINT LGNT\ImScI nst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINT LGNT\TINTS ETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINT LGNT\TINTS ETP.EXE /IMEName
O4 - HKLM\..\Run: [lcfep] "C:\apps\Tivoli\lcf\bin\w3 2-ix86\mrt \lcfep.exe " -x
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTA T.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon. exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quicks et.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfsw ctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\D VDLauncher .exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINNT\system32\WLTRAY
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\system32\WLTRAY.e xe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e xe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e xe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e xe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e xe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e xe (User 'Default user')
O4 - .DEFAULT User Startup: userdata.bat (User 'Default user')
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Mic rosoft\Int ernet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2 \OFFICE11\ EXCEL.EXE/ 3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\jre1.6.0_05\bin \ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\jre1.6.0_05\bin \ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3 C9C571A826 3} - C:\PROGRA~1\MICROS~2\OFFIC E11\REFIEB AR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5 8CAB36FD2A 2} - C:\PROGRA~1\SPYBOT~1\SDHel per.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5 8CAB36FD2A 2} - C:\PROGRA~1\SPYBOT~1\SDHel per.dll
O16 - DPF: {17492023-C23A-453E-A040-C 7C580BBF70 0} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39DD9F03-EB53-4ADE-B85D-9 65EA8521E6 B} (MPI_Runner Class) - http://10.94.48.192/MPI.dll
O16 - DPF: {47CA7154-6B49-46D6-BD63-B 8B83C64E7D 9} - http://165.170.103.132/MasterView.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-F CFDF33E833 C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199827906073
O16 - DPF: {644E432F-49D3-41A1-8DD5-E 099162EEEC 5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CC052E3B-7F7F-479A-9C48-A A480C188B3 C} (MVL_Manager Class) - http://150.221.83.180/MasterView.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx .exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterServi ce.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\apps\Tivoli\lcf\bin\w32 -ix86\mrt\ lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService .exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshi eld.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTsk Mgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Apps\Notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NI CCONFIGSVC .exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\WLTRYSVC .EXE
--
End of file - 11297 bytes
"Spybot - Search & Destroy has detected an important registry entry that has been changed
Category: System Startup global entry
Change: Value changed
Entry: McAfeeUpdatedUI
Old data: "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
New data: "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey"
I am suspicious of the change request due to the difference of the file names - "UdaterUI.exe" versus "udaterui.exe" Should I allow the change?
Below is my Hijackthis log. Would someone please take a look and see if it is still infected?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:24, on 2008-10-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\Ati2evxx
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\System32\WLTRYSVC
C:\WINNT\System32\bcmwltry
C:\WINNT\system32\spoolsv.
C:\WINNT\system32\srvany.e
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Google\Common\Google
C:\WINNT\system32\inetsrv\
C:\apps\Tivoli\lcf\bin\w32
C:\Program Files\Network Associates\VirusScan\Mcshi
C:\Program Files\Network Associates\VirusScan\VsTsk
C:\Apps\Notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NI
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter
C:\WINNT\system32\mqsvc.ex
C:\WINNT\system32\mqtgsvc.
C:\WINNT\system32\Ati2evxx
C:\WINNT\Explorer.EXE
C:\apps\Tivoli\lcf\bin\w32
C:\Program Files\Network Associates\VirusScan\SHSTA
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quicks
C:\WINNT\system32\dla\tfsw
C:\Program Files\CyberLink\PowerDVD\D
C:\WINNT\system32\WLTRAY.e
C:\WINNT\system32\wuauclt.
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\ctfmon.e
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Apps\Notes\NLNOTES.EXE
C:\Apps\Notes\ntaskldr.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJP
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\system32\IME\PINT
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINT
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINT
O4 - HKLM\..\Run: [lcfep] "C:\apps\Tivoli\lcf\bin\w3
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTA
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quicks
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfsw
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\D
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINNT\system32\WLTRAY
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\system32\WLTRAY.e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e
O4 - .DEFAULT User Startup: userdata.bat (User 'Default user')
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Mic
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {39DD9F03-EB53-4ADE-B85D-9
O16 - DPF: {47CA7154-6B49-46D6-BD63-B
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {644E432F-49D3-41A1-8DD5-E
O16 - DPF: {CC052E3B-7F7F-479A-9C48-A
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\apps\Tivoli\lcf\bin\w32
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshi
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTsk
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Apps\Notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NI
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\WLTRYSVC
--
End of file - 11297 bytes
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
tenaj-207,
I have also run the Security Task Manager. However, I don't know if any of them are infected.
I have also run the Security Task Manager. However, I don't know if any of them are infected.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks all! I guess it is OK for now until issues rise again.
ASKER
Thank you for helping!
sk_raja_raja,
Would you please be a little bit specific and point out what line of log indicates the infection? The SUPERAntiSpyware detected and deleted 311 Adware.Tracking Cookie threads.
tenaj,
The search found "UdateUI.exe" residing at "C:\Program Files\Network Associates\Common Framework\" directory. The file version is "4.0.0.1180" and the file size is "134 KB".
I have also visited "http://www.spywaredata.com/spyware/malware/udaterui.exe.php" site too. All the files listed on the page has file size of "133 KB". Should I be concerned about 1 KB difference?
The search also found a file name "UDATERUI.EXE-3165ED8.pf" at "C:\WINNTPrefetch". Does this mean anything?