• Malware keeps re-creating .dll and registry keys
    2 replies, posted
I made this post on another forum, Just don't want to clog stuff up here: [url]http://www.security-forums.com/viewtopic.php?p=319107#319107[/url]
Well, the fact is you never quite got rid of it. Its recreating the dlls and registry keys perhaps by other items hidden elsewhere. Or within files itself. For everyone to see: The HJT log [code] Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\WINDOWS\regedit.exe C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\Program Files\Alwil Software\Avast5\AvastUI.exe C:\WINDOWS\system32\taskmgr.exe C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Street-Ads Browser Enhancer hiywp - {9BFB2E92-0169-47D8-8972-6D2326B84F7A} - C:\WINDOWS\system32\hiywp.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [Sfepehadajaku] rundll32.exe "C:\WINDOWS\ecidopuv.dll",Startup O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257623837150 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe O23 - Service: GenericMount Helper Service - Unknown owner - C:\Program Files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe (file missing) O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe [/code] I personally see no issues except the 02 [BHO] items. Few questions: You got two anti virus applications running, Avast and Avira. Are both are them running? Did you use Combofix [url=http://www.combofix.org/]Link[/url] Super antispyware [url=http://www.superantispyware.com/]Link[/url] Malware bytes anti-malware? (MBAM)[url=www.malwarebytes.com]Link[/url] if you answered no to any of the above, download it and do it in SAFEMODE. If yes to all of the above, and you still got issues: Did you do it in safemode? If yes, backup DOCUMENTS ONLY. Do NOT backup: .exe, .dll, .reg, .tmp. If no, fucking do that. ****** If you cannot access any of those sites, use an other computer and copy it to a flashdrive, or write it to a CD-R(DVD-R if you feel REALALY wasteful) or a external harddrive. Make sure you change the attributes to the flash media (incl. external hdd) to READ ONLY. You can do this in one swipe by typing this command in the command line[lua] attrib +r %drive letter%:\[/lua] or [lua] %drive letter%: attrib +r [/lua] Warning, takes time. %drive letter% will be the letter the flash/external hdd is recognized as. like E:\ or D:\ etc. ****** To get into safe mode: After the BIOS screen passed, press on your f8 key like you're fiending for crack. Rapidly and relentless. Then choose "Safe Mode". If you're on a domain, use safemode with network capability. DO NOT USE SYSTEM RESTORE!
[QUOTE=Richard Simmons;23502330]Well, the fact is you never quite got rid of it. Its recreating the dlls and registry keys perhaps by other items hidden elsewhere. Or within files itself. [/QUOTE] Thanks, I said that in the post. [QUOTE=Richard Simmons;23502330] Did you use Combofix [url=http://www.combofix.org/]Link[/url] Super antispyware [url=http://www.superantispyware.com/]Link[/url] Malware bytes anti-malware? (MBAM)[url=www.malwarebytes.com]Link[/url] [/QUOTE] Thanks again, I did say in my post, [QUOTE=bull3tmagn3t]I have scanned with Avira, Avast!, and Malwarebytes[/QUOTE] I know you are trying to help, but PLEASE read my entire post, and you don't need to put the HijackThis log, That's why I put the link to the post. I hope i'm not coming off as a jerk saying those previous things, but you're wasting both of our times not reading my post. U tell me useless things, and I have to tell you that that was useless.. thanks anyways :)
Sorry, you need to Log In to post a reply to this thread.