
Wininit.exe Infected


  • This topic is locked
21 replies to this topic

#1 Moby49

Moby49

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:51 PM

Posted 29 August 2010 - 08:27 AM

I had credit card data stolen and a Facebook account penetrated from a 24.*.*.* IP address. I have run various malware tools including Windows Defender, Microsoft Systems Essentials Malware, and MalwareBytes tools, all with no detection. I also ran a deep Norton virus scan. The computer was rebuilt after "cleaning" the hard disk and still showed an infection.

The DDS log follows. The Attach and GMER logs are attached. Any help or insight would be appreciated. I am down to resetting the CMOS and reburning the BIOS.


DDS (Ver_10-03-17.01) - NTFSx86
Run by hzp9q9 at 8:28:32.76 on Sun 08/29/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1040 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtlService.exe
C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtWlan.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\aol\1282832332\ee\aolsoftware.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\AOL 9.5\waol.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\AOL 9.5\shellmon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol toolbar\aoltbServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\hzp9q9.DANSWORLD\Desktop\dds.scr
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
uRun: [AOL Fast Start] "c:\program files\aol 9.5\AOL.EXE" -b
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [HostManager] c:\program files\common files\aol\1282832332\ee\AOLSoftware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunServices: [Atheros Configuration Service] c:\windows\system32\acs.exe -h
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\pci f5d7000\wireless utility\Belkinwcui.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-8-26 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-8-26 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100810.004\BHDrvx86.sys [2010-8-10 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-8-26 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100827.001\IDSvix86.sys [2010-8-27 344112]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-8-26 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0402000.00c\symtdiv.sys [2010-8-26 339504]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.2.0.12\ccsvchst.exe [2010-8-26 126392]
R2 Realtek87B;Realtek87B;c:\program files\realtek\rtl8187 wireless lan utility\RtlService.exe [2010-8-26 40960]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [2010-8-28 463872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-26 102448]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [2010-8-26 375808]

=============== Created Last 30 ================

2010-08-28 21:48:07 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-08-28 21:46:58 463872 ----a-w- c:\windows\system32\drivers\BLKWGD.sys
2010-08-28 21:46:42 0 d-----w- c:\program files\Belkin
2010-08-28 21:45:29 0 d-----w- c:\windows\Downloaded Installations
2010-08-28 19:55:54 0 d-----w- c:\users\hzp9q9~1.da~\appdata\roaming\AOL
2010-08-28 16:15:13 0 d-----w- c:\users\hzp9q9~1.da~\appdata\roaming\Intuit
2010-08-27 12:28:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-27 12:26:00 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-27 02:27:56 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-27 02:26:56 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-08-27 02:26:35 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-08-27 02:26:08 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-27 02:25:09 2614272 ----a-w- c:\windows\explorer.exe
2010-08-27 02:25:08 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-08-27 02:24:25 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-08-27 02:24:25 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-08-27 02:24:09 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-08-27 02:23:51 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-08-27 02:23:31 1233920 ----a-w- c:\windows\system32\msxml3.dll
2010-08-27 01:32:29 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-08-27 01:32:29 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-08-27 01:30:43 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-08-27 01:25:09 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-08-27 01:23:34 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-08-27 01:23:30 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-08-27 01:23:26 507568 ----a-w- c:\windows\system32\winload.exe
2010-08-27 01:23:26 442920 ----a-w- c:\windows\system32\winresume.exe
2010-08-27 01:23:22 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-08-27 01:22:50 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-08-27 01:22:18 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-27 01:22:18 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-27 01:22:18 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-27 01:21:36 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-08-27 01:21:36 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-08-27 01:21:35 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-08-27 01:21:35 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-08-27 01:21:34 417792 ----a-w- c:\windows\system32\msdri.dll
2010-08-27 01:20:24 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 01:19:50 292864 ----a-w- c:\windows\system32\apphelp.dll
2010-08-27 01:19:13 91648 ----a-w- c:\windows\system32\avifil32.dll
2010-08-27 01:19:13 84480 ----a-w- c:\windows\system32\mciavi32.dll
2010-08-27 01:19:13 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-08-27 01:19:13 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-08-27 01:19:13 22016 ----a-w- c:\windows\system32\msyuv.dll
2010-08-27 01:19:13 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-08-27 01:19:13 1328640 ----a-w- c:\windows\system32\quartz.dll
2010-08-27 01:19:13 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-08-27 01:15:22 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-27 01:15:21 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-27 01:13:10 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-08-27 01:08:21 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-08-27 01:08:21 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-08-27 01:08:21 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-08-27 01:08:21 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-08-27 01:08:21 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-08-27 01:07:56 2048 ----a-w- c:\windows\system32\tzres.dll
2010-08-27 01:07:47 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-08-27 01:07:40 224256 ----a-w- c:\windows\system32\schannel.dll
2010-08-27 01:07:19 0 d-----w- c:\program files\MSXML 4.0
2010-08-27 01:07:03 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-08-27 01:07:03 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-08-27 01:07:03 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-08-27 01:06:53 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 01:06:12 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-08-27 01:06:12 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-08-27 01:06:12 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-08-26 22:35:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-26 22:35:47 0 d-----w- c:\programdata\Malwarebytes
2010-08-26 22:35:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-26 22:35:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-26 17:37:35 0 d-----w- c:\program files\TurboTax
2010-08-26 17:12:29 880640 ----a-w- c:\windows\system32\BCMLogon.dll
2010-08-26 17:12:27 416 ----a-w- c:\windows\system32\vcredist_x86.bat
2010-08-26 17:12:27 2648768 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-08-26 17:12:25 0 d-----w- c:\program files\Broadcom
2010-08-26 17:04:30 0 d-----w- c:\windows\Panther
2010-08-26 17:01:26 0 d-----w- c:\program files\Intel Desktop Board Audio Driver
2010-08-26 16:08:34 0 d--h--w- c:\programdata\CanonBJ
2010-08-26 16:07:29 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-08-26 16:06:38 0 ----a-w- c:\windows\system32\atiicdxx.dat
2010-08-26 16:06:38 0 ----a-w- c:\windows\ativpsrm.bin
2010-08-26 15:34:45 0 d-----w- c:\programdata\Adobe
2010-08-26 15:19:28 0 d-----w- c:\users\hzp9q9.dansworld\D0417602A_en
2010-08-26 14:43:47 0 d-----w- c:\program files\common files\AnswerWorks 5.0
2010-08-26 14:43:31 4199784 ----a-w- c:\windows\system32\cdintf400.dll
2010-08-26 14:42:26 0 d-----w- c:\program files\common files\Intuit
2010-08-26 14:42:20 0 d-----w- c:\program files\Quicken
2010-08-26 14:42:09 120 ----a-w- c:\windows\QUICKEN.INI
2010-08-26 14:41:51 0 d-----w- c:\programdata\Intuit
2010-08-26 14:35:49 0 d-----w- c:\program files\AOL Toolbar
2010-08-26 14:35:42 0 d-----w- c:\program files\common files\Software Update Utility
2010-08-26 14:21:17 0 d-----w- c:\programdata\Macromedia
2010-08-26 14:20:31 0 d-----w- c:\programdata\Viewpoint
2010-08-26 14:20:30 0 d-----w- c:\program files\Viewpoint
2010-08-26 14:20:29 54832 ----a-w- c:\windows\system32\AOLParconLink.exe
2010-08-26 14:20:15 0 d-----w- c:\programdata\AOL Toolbar
2010-08-26 14:19:24 33588 ----a-w- c:\windows\system32\drivers\wanatw4.sys
2010-08-26 14:19:08 0 d-----w- c:\programdata\AOL OCP
2010-08-26 14:18:37 0 d-----w- c:\programdata\AOL
2010-08-26 14:18:37 0 d-----w- c:\program files\common files\aolshare
2010-08-26 14:18:37 0 d-----w- c:\program files\common files\aol
2010-08-26 14:18:37 0 d-----w- c:\program files\AOL 9.5
2010-08-26 14:16:17 0 d-----w- c:\programdata\AOL Downloads
2010-08-26 14:08:56 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-08-26 14:08:17 0 d-----w- c:\windows\PCHEALTH
2010-08-26 14:08:17 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-26 14:06:21 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-08-26 14:04:49 0 d-----w- c:\program files\Microsoft Analysis Services
2010-08-26 14:04:12 0 d-----w- c:\programdata\Microsoft Help
2010-08-26 14:04:06 0 d-sh--w- c:\windows\Installer
2010-08-26 13:59:17 0 d-sh--w- C:\$RECYCLE.BIN
2010-08-26 13:39:33 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-08-26 13:39:02 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-08-26 13:38:41 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-08-26 13:38:41 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-08-26 13:32:31 77312 ----a-w- c:\windows\MBR.exe
2010-08-26 13:32:31 256512 ----a-w- c:\windows\PEV.exe
2010-08-26 13:32:30 98816 ----a-w- c:\windows\sed.exe
2010-08-26 13:32:30 161792 ----a-w- c:\windows\SWREG.exe
2010-08-26 13:27:13 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-08-26 13:27:13 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-08-26 13:27:11 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-26 13:27:11 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-26 13:27:11 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-26 13:27:10 0 d-----w- c:\program files\Symantec
2010-08-26 13:27:10 0 d-----w- c:\program files\common files\Symantec Shared
2010-08-26 13:26:39 0 d-----w- c:\windows\system32\drivers\N360
2010-08-26 13:26:34 0 d-----w- c:\program files\Norton Security Suite
2010-08-26 13:26:24 0 d-----w- c:\programdata\NortonInstaller
2010-08-26 13:26:24 0 d-----w- c:\program files\NortonInstaller
2010-08-26 13:25:41 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-08-26 13:25:29 132608 ----a-w- c:\windows\system32\cabview.dll
2010-08-26 13:24:53 0 d-----w- c:\programdata\Norton
2010-08-26 13:20:46 778150 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-08-26 13:20:26 375808 ----a-w- c:\windows\system32\drivers\rtl8187.sys
2010-08-26 13:20:24 901 ----a-w- c:\windows\RtlUI2.exe.manifest
2010-08-26 13:20:24 614400 ----a-w- c:\windows\system32\Rtlihvs.dll
2010-08-26 13:20:24 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2010-08-26 13:20:24 380928 ----a-w- c:\windows\RtlUI2.exe
2010-08-26 13:20:24 188416 ----a-w- c:\windows\system32\RTLExtUI.dll
2010-08-26 13:20:24 0 d-----w- c:\program files\REALTEK
2010-08-26 13:20:07 0 d-----w- c:\windows\system32\RtlGina
2010-08-26 13:20:03 0 d-----w- c:\windows\system32\wbem\Performance
2010-08-26 13:17:46 0 d-----w- C:\Recovery

==================== Find3M ====================

2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 8:29:58.27 ===============




Attached Files




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:51 PM

Posted 04 September 2010 - 07:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Moby49
  • Topic Starter

Posted 05 September 2010 - 09:03 AM

I am out here and hope you can help me with my issues.

#4 m0le

Posted 05 September 2010 - 05:12 PM

Hi Moby49,

Can you tell me what tells you that the infection is still there?

#5 Moby49
  • Topic Starter

Posted 05 September 2010 - 05:30 PM

M0le

Well the only thing that tells me I have an infection is ComboFix. I have done everything but blast new firmware and ComboFix was still saying the wininit.exe file was infected. Everything else I have run including MalwareBytes shows the machine is clean.

However, someone was able to hijack my wife's Facebook account and run some unauthorized charge on one of my credit cards so I felt something was compromised.

Moby49

#6 m0le

Posted 05 September 2010 - 05:51 PM

Do you still have the Combofix log?

#7 Moby49
  • Topic Starter

Posted 05 September 2010 - 06:17 PM

M0le

Sure can, see attached file.

Moby49

Attached Files



#8 m0le

Posted 05 September 2010 - 06:32 PM

Let's look for a backup copy and replace the wininit.exe file. It may not actually be infected but it's safer to replace it.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    wininit.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#9 Moby49
  • Topic Starter

Posted 05 September 2010 - 06:49 PM

I assume it will be as simple as renaming the current file and moving the new file into its place. I have to get the machine away from my wife to replace the file. Not sure if I can get her off the machine tonight. Facebook is apparently pretty addictive. Personally it is like gossiping if you ask me.

#10 m0le

Posted 05 September 2010 - 07:10 PM

No problem

#11 Moby49
  • Topic Starter

Posted 05 September 2010 - 07:36 PM

M0le

She jumped off the computer and I ran the program. The log is attached.

Moby49

Attached Files



#12 Moby49
  • Topic Starter

Posted 05 September 2010 - 07:39 PM

Sorry I didn't upload properly.

Attached Files



#13 m0le

Posted 05 September 2010 - 07:58 PM

As you correctly said, we are now going to replace the file via ComboFix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
FCopy::
C:\Windows\ERDNT\cache\wininit.exe | C:\Windows\System32\wininit.exe


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
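The two steps m0le gives above, finding every copy of wininit.exe (post #8, SystemLook ":filefind wininit.exe") and copying the ERDNT cache backup over the live file (post #13, the ComboFix "FCopy::" directive), can be sanity-checked before anything is overwritten. The PowerShell script below is an added example written for this thread; it is not from the original posts, nor from SystemLook or ComboFix. It assumes PowerShell 4.0 or later on Windows 8 or newer (Get-FileHash, and Get-AuthenticodeSignature reporting catalog-signed OS binaries), an elevated prompt so WinSxS is readable, and the same paths the thread uses. It only reports: for each copy it lists SHA-256, file version and signature status, then states whether the live System32 copy looks trustworthy and whether the ERDNT backup is a Microsoft-signed source to restore from. On the Windows 7 machine in this thread, whose stock PowerShell 2.0 reports catalog-signed system files as NotSigned, the built-in integrity check is sfc /verifyfile=C:\Windows\System32\wininit.exe instead.

```powershell
# Added example for this thread (not SystemLook or ComboFix code): inventory every
# copy of wininit.exe, hash it, check its Authenticode/catalog signature, and
# compare the live System32 copy with the ERDNT cache backup that the thread's
# FCopy:: directive uses as its source. Reports only; nothing is modified.
# Assumed: PowerShell 4+ on Windows 8+, run elevated; paths as used in the thread.

$live   = Join-Path $env:SystemRoot 'System32\wininit.exe'
$backup = Join-Path $env:SystemRoot 'ERDNT\cache\wininit.exe'   # ComboFix backup from post #13
$winsxs = Join-Path $env:SystemRoot 'WinSxS'                    # component store keeps its own copies

function Get-WininitReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; SHA256 = $null
                               SignatureStatus = 'n/a'; Signer = $null; Version = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path            = $p
            Exists          = $true
            SHA256          = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            SignatureStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Version         = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
        }
    }
}

# Equivalent of the SystemLook ':filefind wininit.exe' step in post #8: the live
# file, the backup, and every copy under the component store.
$copies = @($live, $backup) +
          @(Get-ChildItem -Path $winsxs -Filter 'wininit.exe' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object FullName)
$report = Get-WininitReport -Paths $copies
$report | Format-Table -AutoSize

# Status 'Valid' is the real check (the chain verified); the subject match only
# guards against a validly signed file from some other publisher.
$liveInfo   = $report | Where-Object Path -eq $live
$backupInfo = $report | Where-Object Path -eq $backup
$liveOk     = $liveInfo.SignatureStatus -eq 'Valid'   -and $liveInfo.Signer   -like '*Microsoft*'
$backupOk   = $backupInfo.Exists -and $backupInfo.SignatureStatus -eq 'Valid' -and $backupInfo.Signer -like '*Microsoft*'

if ($liveOk) {
    Write-Host 'Live wininit.exe carries a valid Microsoft signature; no replacement is indicated.'
} elseif ($backupOk) {
    Write-Host "Live wininit.exe signature status is '$($liveInfo.SignatureStatus)'."
    Write-Host 'The ERDNT backup is Microsoft-signed and is a usable replacement source.'
    if ($liveInfo.SHA256 -eq $backupInfo.SHA256) {
        Write-Host 'Hashes match: the live file is already byte-identical to the backup.'
    }
} else {
    Write-Host 'Neither the live file nor the ERDNT backup has a valid Microsoft signature;'
    Write-Host 'restore from a signed WinSxS copy or installation media instead.'
}
```

Run it once before the FCopy:: step and once after: the first run tells you whether the backup is actually a better file than the one it replaces, and the second confirms the live copy now verifies and matches the backup's hash.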

#14 Moby49
  • Topic Starter

Posted 06 September 2010 - 10:26 AM

M0le

I ran ComboFix as you suggested and was pleasantly surprised to see that it did not indicate that it found any infections as far as I could tell. Perhaps I was looking at the wrong things. In any case I have attached the log file as you requested.

Moby49

Attached Files



#15 m0le

Posted 06 September 2010 - 11:27 AM

QUOTE
pleasantly surprised to see that it did not indicate that it found any infections as far as I could tell


That was because we have replaced the infected file with the backup copy.

The rest of the log looks fine now. Are there any other symptoms on the PC?



