Solved

Is my system still infected with spyware?

Posted on 2008-10-06
Last Modified: 2013-12-06
My system was infected with spyware and I have been taking suggested steps found online to remove it and fix my system using Spybot, Combofix, SmitFraudFix and Hijackthis.  Currently, I have Spybot S&D, Hijackthis, Combofix and McAfee installed on my system.  I thought I had gotten rid of all infections.  However, while using the system today, the Spybot S&D window popped up with the following message:
"Spybot - Search & Destroy has detected an important registry entry that has been changed
Category:  System Startup global entry
Change:    Value changed
Entry: McAfeeUpdatedUI
Old data: "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
New data: "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey"

I am suspicious of the change request due to the difference in the file names - "UdaterUI.exe" versus "udaterui.exe".  Should I allow the change?

Below is my Hijackthis log.  Would someone please take a look and see if it is still infected?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:24, on 2008-10-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\srvany.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Apps\Notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\system32\mqtgsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINNT\system32\WLTRAY.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Apps\Notes\NLNOTES.EXE
C:\Apps\Notes\ntaskldr.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [lcfep] "C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINNT\system32\WLTRAY
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINNT\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: userdata.bat (User 'Default user')

O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39DD9F03-EB53-4ADE-B85D-965EA8521E6B} (MPI_Runner Class) - http://10.94.48.192/MPI.dll
O16 - DPF: {47CA7154-6B49-46D6-BD63-B8B83C64E7D9} - http://165.170.103.132/MasterView.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199827906073
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CC052E3B-7F7F-479A-9C48-AA480C188B3C} (MVL_Manager Class) - http://150.221.83.180/MasterView.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Apps\Notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE

--
End of file - 11297 bytes

Question by: charlesbaldo

6 Comments

Assisted Solution

by: sk_raja_raja
sk_raja_raja earned 50 total points
Yes, it looks like it is infected.

Download, install and clean using this freeware:
www.superantispyware.com

Accepted Solution

by: tenaj-207
tenaj-207 earned 450 total points
sk_raja_raja: What do you see that makes you think it's infected?

charlesbaldo: Certainly it's a good idea to run a scan, but since UdaterUI.exe is found under the C:\Program Files directory I think it's clean.  Search your drive for the file.  It should show up under Program Files.  If it shows up under C:\windows or C:\windows\system32 it is malware.

The following links show that the version of UdaterUI.exe is not malware.
http://www.spywaredata.com/spyware/malware/udaterui.exe.php
http://www.file.net/process/udaterui.exe.html
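The two checks in this answer (does the Run-key value still point at the same file, and where on disk does each startup entry live) can be applied to the pasted HijackThis log mechanically. The script below is an added example written for this page, not code from the answerer or from the HijackThis or Spybot projects. It assumes only the log format visible above; the sample log it embeds is constructed from four O4 lines of the posted log plus one made-up entry ([Suspect], not in the original log) that points at a second copy of the same file name under system32, so that the location check has something to flag. The "system" versus "program_files" classification is the answerer's heuristic, coded as a flag for manual review rather than a verdict.

```python
import ntpath
import re
from collections import defaultdict

# The two Run-key values quoted in the Spybot alert in the question.
OLD_VALUE = r'"C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey'
NEW_VALUE = r'"C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey'

# Constructed sample log: four O4 lines from the posted HijackThis log plus
# one made-up [Suspect] entry (not in the original) placed under system32.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKLM\..\Run: [Suspect] C:\WINNT\system32\udaterui.exe
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Folders the answer treats as the wrong place for an application updater.
SYSTEM_DIRS = (r"c:\windows", r"c:\winnt")


def split_command(cmd):
    """Split a Run-key value into (program path, arguments).

    Quoted paths end at the closing quote; unquoted paths (which may contain
    spaces, as several entries in the log do) end after the first '.exe'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    pos = cmd.lower().find(".exe")
    if pos != -1:
        return cmd[:pos + 4], cmd[pos + 4:].strip()
    return cmd, ""


def same_file(a, b):
    """Windows file names are case-insensitive: UdaterUI.exe and udaterui.exe
    are one file on NTFS. ntpath.normcase applies the Windows rule on any OS."""
    return ntpath.normcase(a) == ntpath.normcase(b)


def case_only_change(old_value, new_value):
    """True when a Run-key change alters only the letter case of the path."""
    old_path, old_args = split_command(old_value)
    new_path, new_args = split_command(new_value)
    return old_path != new_path and same_file(old_path, new_path) and old_args == new_args


def location_class(path):
    """Classify where a startup program lives (heuristic from the answer above)."""
    folder = ntpath.normcase(ntpath.dirname(path))
    if any(folder == d or folder.startswith(d + "\\") for d in SYSTEM_DIRS):
        return "system"
    if folder.startswith(r"c:\program files"):
        return "program_files"
    return "other"


def review_log(log_text):
    """Parse O4 Run entries and report file names that occur in more than one
    folder, which is the 'search your drive for the file' check in script form."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path, args = split_command(m.group("cmd"))
        entries.append({"hive": m.group("hive"), "name": m.group("name"),
                        "path": path, "args": args, "location": location_class(path)})
    by_basename = defaultdict(list)
    for e in entries:
        by_basename[ntpath.normcase(ntpath.basename(e["path"]))].append(e)
    duplicates = {base: hits for base, hits in by_basename.items()
                  if len({ntpath.normcase(h["path"]) for h in hits}) > 1}
    return entries, duplicates


if __name__ == "__main__":
    print("Spybot alert is a case-only change:", case_only_change(OLD_VALUE, NEW_VALUE))
    entries, dups = review_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e['name']:<16} {e['location']:<14} {e['path']}")
    for base, hits in dups.items():
        print("review: same file name in more than one folder:", base, [h["path"] for h in hits])
```

Run against the full log pasted in the question, the script reports the McAfeeUpdaterUI entry as a case-only change under Program Files; any duplicate of a startup file name under C:\WINNT or system32 would be listed for review, which is the condition the answer says to look for.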

Author Comment

by:charlesbaldo
Hi, All
Thank you for helping!

sk_raja_raja,
Would you please be a little bit more specific and point out what line of the log indicates the infection?  SUPERAntiSpyware detected and deleted 311 Adware.Tracking Cookie threats.

tenaj,
The search found "UdaterUI.exe" residing in the "C:\Program Files\Network Associates\Common Framework\" directory.  The file version is "4.0.0.1180" and the file size is "134 KB".
I have also visited the "http://www.spywaredata.com/spyware/malware/udaterui.exe.php" site.  All the files listed on the page have a file size of "133 KB".  Should I be concerned about the 1 KB difference?

The search also found a file named "UDATERUI.EXE-3165ED8.pf" in "C:\WINNT\Prefetch".  Does this mean anything?



Author Comment

by:charlesbaldo
tenaj-207,
I have also run the Security Task Manager.  However, I don't know if any of them are infected.

Assisted Solution

by: tenaj-207
tenaj-207 earned 450 total points
If you have run Spybot and other virus/malware scanning tools then I'd say you're clean.  I'd keep running scans once a week for a month.  As for the 1 KB size difference, I think you're OK.  The prefetch function (and folder) is used to speed up commonly used programs.  See the link from Wikipedia for more info on prefetching.

http://en.wikipedia.org/wiki/Prefetcher

Author Closing Comment

by:charlesbaldo
Thanks all!  I guess it is OK for now until issues rise again.