Svchost.exe and email exploit troubles... [Closed]

Thank you for the Combofix log. It gave me something. My research before wasn’t giving me anything. With the new log, and me questioning every assumption I’ve made, I’ve got these possibles.

These may or may not be legit. Locate each occurrence, see what it has in Properties. Legit stuff will say something like “Intel driver”. Bad stuff may be blank, or not. Doing a search on each file turned up a legit file, and a malware copycat. If not sure, hand it off to VirusTotal for another opinion.

These files: x264vfw.dll i263_32.drv yv12vfw.dll

These are in the Combofix log under the drivers section.

Do you have any idea what TrueTransparency.exe is?

And TMPassthru.sys? It says it’s a Trend Micro product, but a search doesn’t give any pointers to Trendmicro.com.

And I’ve found a kind of match in another forum. Follow this malware analysis, and see if it isn’t similar:

http://www.techsupportforum.com/security-center/hijackthis-log-help/resolved-hjt-threads/243892-solved-pc-being-used-sending-spam-suspect-svchost-exe.html

Read over that other forum topic first, so you’ll have an idea of what to expect, and how to proceed. Any questions, post here first. I might be able to answer them.

The instructions for removing that uniime.dll go like this for your CFScript.txt.

Collect::
C:\WINDOWS\system32\uniime32.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uniime32]

Create the CFScript.txt file on your desktop, then drag-and-drop the file onto the Combofix icon, just like in the techsupportforum topic. That should get rid of the uniime32.dll.

We’re working on the edge of my skills here, so this will be a mutual learning exercise.

OK, all those DLLs you mention have nothing in the field, and there is x.264.exe in both system32 and C:\Windows.
It doesn’t have any information either. However, I am running SUPER and I just found this: http://www.bleepingcomputer.com/filedb/x.264.exe-41574.html
Nothing infected I had them all scanned.

TMPassthru.sys I’m unsure of. I did just install RUBotted, but I don’t see why it would need a .sys and I was having some trouble installing it…

TrueTransparency is a Theme Enhancement from crystalxp.

Going to go run ComboFix now… I’ll edit when done.

Edit: Ran the tool. It caught the file alright but couldn’t send it and CF-Submit.html doesn’t exist. Anyhow here’s the file: http://rapidshare.com/files/118130684/_4_-Submit_2008-05-27_17.17.zip.html

ComboFix 08-05-25.3 - Luke 2008-05-27 17:18:07.3 - NTFSx86

Running from: C:\Documents and Settings\Luke\Desktop\Computer Problem\ComboFix.exe
Command switches used :: C:\Documents and Settings\Luke\Desktop\Computer Problem\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\uniime32.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 14:50 . 2008-04-27 17:03 271,872 --a------ C:\upx.exe
2008-05-27 14:50 . 2004-05-14 13:01 32,768 --a------ C:\uniime32.dll
2008-05-26 23:00 . 2008-05-26 23:00 d-------- C:\Program Files\Trend Micro
2008-05-26 23:00 . 2008-05-26 23:00 d-------- C:\Documents and Settings\Luke\Application Data\InstallShield
2008-05-26 22:59 . 2007-11-27 22:51 35,216 --a------ C:\WINDOWS\system32\drivers\TMPassthru.sys
2008-05-26 17:42 . 2008-05-26 17:42 d-------- C:\Program Files\winMd5Sum
2008-05-26 16:40 . 2008-05-26 16:40 d-------- C:\VundoFix Backups
2008-05-26 11:10 . 2008-05-26 11:10 d-------- C:\Snort
2008-05-24 22:56 . 2004-08-04 07:00 68,608 --a--c--- C:\WINDOWS\system32\dllcache\plugin.ocx
2008-05-24 17:09 . 2008-05-24 19:28 d-------- C:\cygwin
2008-05-24 15:59 . 2008-05-24 15:59 98 --a------ C:\index.ini
2008-05-24 15:54 . 2008-05-24 15:54 d-------- C:\Program Files\a-squared HiJackFree
2008-05-24 13:11 . 2008-05-24 13:11 d-------- C:\Program Files\PrevxCSI
2008-05-24 13:11 . 2008-05-27 13:59 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-24 13:11 . 2008-05-24 13:11 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-05-24 13:06 . 2008-05-24 13:06 d-------- C:\Deckard
2008-05-23 23:10 . 2008-05-24 21:28 d-------- C:\Program Files\Deep System Explorer
2008-05-20 16:10 . 2008-05-20 16:10 d-------- C:\Program Files\Alwil Software
2008-05-20 16:07 . 2008-05-20 16:07 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-19 22:08 . 2008-05-19 22:08 d-------- C:\Documents and Settings\Luke\Application Data\Wireshark
2008-05-19 21:55 . 2008-05-19 21:57 d-------- C:\Program Files\Wireshark
2008-05-18 22:56 . 2008-05-26 14:03 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Documents and Settings\Luke\Application Data\SUPERAntiSpyware.com
2008-05-18 22:56 . 2008-05-18 22:56 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 22:04 . 2008-05-18 22:32 d-------- C:\Documents and Settings\All Users\Application Data\BOC426
2008-05-18 22:04 . 2008-03-28 09:17 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-05-18 22:04 . 2008-03-28 09:16 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-05-18 22:04 . 2004-08-04 07:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-05-18 22:04 . 2008-05-27 17:21 8,359 --a------ C:\WINDOWS\BOC426.INI
2008-05-18 19:37 . 2008-05-18 19:37 163 --a------ C:\WINDOWS\ieprxmon.ini
2008-05-18 19:35 . 2008-05-18 19:35 d-------- C:\Program Files\Internet Explorer Proxy Monitor
2008-05-18 11:39 . 2008-05-18 11:39 d-------- C:\Program Files\TypeFaster
2008-05-18 10:37 . 2008-05-18 10:41 d-------- C:\Program Files\Robot Battle
2008-05-17 17:08 . 2008-05-17 17:08 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-05-17 17:08 . 2008-05-17 17:08 87,312 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-05-17 17:08 . 2008-05-17 17:08 23,824 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-17 16:50 . 2008-05-17 16:50 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-16 23:20 . 2008-05-17 10:41 d-------- C:\Program Files\Hamachi(3)
2008-05-15 21:06 . 2008-05-17 10:41 d-------- C:\Program Files\LithUnwrap
2008-05-15 15:30 . 2008-05-14 17:43 573,494 --a------ C:\Documents and Settings\Luke\md3toase.exe
2008-05-15 14:16 . 2008-05-17 10:41 d-------- C:\Documents and Settings\Luke\Application Data\Anvil Studio
2008-05-15 14:13 . 2008-05-17 10:41 d-------- C:\Program Files\Anvil Studio
2008-05-14 17:37 . 2008-05-17 13:26 d-------- C:\gmax
2008-05-13 15:12 . 2008-05-13 15:12 d-------- C:\Documents and Settings\Luke\Application Data\BSplayer Pro
2008-05-13 15:12 . 2008-05-13 15:20 d-------- C:\Documents and Settings\Luke\Application Data\BSplayer
2008-05-11 12:23 . 2008-05-11 12:23 d-------- C:\WINDOWS\system32\FFSJ
2008-05-11 12:23 . 2008-05-11 12:23 d-------- C:\Documents and Settings\Luke\Application Data\FFSJ
2008-05-11 12:23 . 2008-05-11 12:23 704,793 --a------ C:\WINDOWS\unins000.exe
2008-05-11 12:23 . 2008-05-11 12:23 3,703 --a------ C:\WINDOWS\unins000.dat
2008-05-08 15:07 . 2008-05-08 15:11 d-------- C:\Program Files\DreMule
2008-05-02 23:15 . 2008-05-02 23:15 d-------- C:\Program Files\RayViewer 1.07
2008-05-02 15:36 . 2008-05-02 15:36 d-------- C:\Program Files\Pixelformer
2008-05-02 09:31 . 2008-05-17 10:42 d-------- C:\Documents and Settings\Luke\Application Data\AVGTOOLBAR
2008-04-29 19:57 . 2008-04-29 19:57 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 22:21 --------- d-----w C:\Program Files\CallWave
2008-05-27 22:16 --------- d-----w C:\Documents and Settings\Luke\Application Data\.purple
2008-05-27 20:14 --------- d-----w C:\Documents and Settings\Luke\Application Data\gtk-2.0
2008-05-27 04:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 18:01 --------- d-----w C:\Program Files\Google
2008-05-25 04:50 --------- d-----w C:\Program Files\ViStart
2008-05-24 17:30 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-24 04:27 --------- d-----w C:\Program Files\Net Tools
2008-05-24 03:41 --------- d-----w C:\Program Files\e-Sword
2008-05-21 19:59 --------- d-----w C:\Documents and Settings\Luke\Application Data\Xfire
2008-05-20 02:56 --------- d-----w C:\Program Files\WinPcap
2008-05-19 03:04 --------- d-----w C:\Program Files\COMODO
2008-05-18 16:12 --------- d-----w C:\Program Files\Dictionary
2008-05-17 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-05-17 22:08 --------- d-----w C:\Documents and Settings\Luke\Application Data\Comodo
2008-05-17 21:41 --------- d-----w C:\Program Files\eMule
2008-05-17 15:42 --------- d-----w C:\Documents and Settings\Luke\Application Data\Hamachi
2008-05-17 15:41 --------- d-----w C:\Program Files\Xfire
2008-05-17 04:00 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-05-13 21:50 --------- d-----w C:\Program Files\TrueTransparency
2008-05-12 21:23 --------- d-----w C:\Program Files\GameSpy Arcade
2008-05-12 19:38 --------- d-----w C:\Program Files\ePSXe160
2008-05-09 21:05 --------- d-----w C:\Program Files\ZModeler
2008-05-07 20:31 --------- d-----w C:\Program Files\Thoosje Sidebar V2.3
2008-05-03 17:43 --------- d-----w C:\Documents and Settings\Luke\Application Data\FileZilla
2008-04-29 15:28 --------- d-----w C:\Program Files\NT Registry Tweaker
2008-04-26 23:59 --------- d-----w C:\Program Files\Drempels
2008-04-26 18:18 --------- d-----w C:\Documents and Settings\Luke\Application Data\flightgear.org
2008-04-25 18:45 --------- d-----w C:\Program Files\FlightGear
2008-04-22 19:34 90 ----a-w C:\Program Files\ndkoptions.txt
2008-04-21 21:00 --------- d-----w C:\Program Files\Kyodai
2008-04-19 15:12 --------- d-----w C:\Program Files\Dydelf
2008-04-17 21:33 --------- d-----w C:\Documents and Settings\Luke\Application Data\Subversion
2008-04-17 16:59 --------- d-----w C:\Program Files\Dolphin
2008-04-17 04:56 --------- d-----w C:\Program Files\RootQuest
2008-04-17 02:00 --------- d-----w C:\Documents and Settings\Luke\Application Data\Atari
2008-04-17 01:59 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-04-17 01:59 --------- d-----w C:\Documents and Settings\Luke\Application Data\Leadertech
2008-04-17 01:57 --------- d-----w C:\Program Files\Atari
2008-04-16 19:56 --------- d-----w C:\Program Files\Paint.NET
2008-04-16 04:06 --------- d-----w C:\Documents and Settings\Luke\Application Data\fltk.org
2008-04-15 22:52 --------- d-----w C:\Program Files\Pidgin
2008-04-13 03:35 --------- d-----w C:\Program Files\Maxis
2008-04-13 03:00 --------- d-----w C:\Program Files\FRONTIER GROOVE
2008-04-12 03:55 --------- d-----w C:\Program Files\PSXMemTool
2008-04-09 20:24 --------- d-----w C:\Program Files\RingThree
2008-04-09 00:37 --------- d-----w C:\Program Files\Sherlock Software
2008-04-09 00:33 --------- d-----w C:\Program Files\PF.Magic
2008-04-08 20:06 --------- d-----w C:\Program Files\FTD.COM
2008-04-08 20:05 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-04-07 19:27 --------- d-----w C:\Program Files\ScreenSaver.com
2008-04-07 18:50 --------- d-----w C:\Program Files\Kids 4 Truth International
2008-04-07 18:19 --------- d--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 03:31 --------- d-----w C:\Program Files\Howie
2008-04-06 01:42 --------- d-----w C:\Program Files\iLReco the LEO IRC interface
2008-04-05 23:59 --------- d-----w C:\Program Files\AdiIRC
2008-04-04 21:13 --------- d-----w C:\Program Files\Deebot
2008-03-31 22:07 --------- d-----w C:\Program Files\Desktop Activity Recorder
2008-03-31 19:41 --------- d-----w C:\Program Files\ViRC
2008-03-28 19:02 --------- d-----w C:\Documents and Settings\Luke\Application Data\KVIrc
2008-03-28 01:38 --------- d-----w C:\Program Files\KVIrc
2008-03-27 21:50 --------- d-----w C:\Documents and Settings\Luke\Application Data\Winamp
2008-03-27 21:25 --------- d-----w C:\Program Files\Winamp
2008-03-27 20:02 --------- d-----w C:\Program Files\Acclaim Entertainment
2008-03-13 16:21 39,424 ----a-w C:\WINDOWS\zipinst.exe
2007-12-19 01:39 1,069,184 ----a-w C:\Documents and Settings\Luke\ivcon.exe
2007-11-25 19:46 40 ----a-w C:\Documents and Settings\Luke\language.dat
2007-11-09 00:58 1,396,736 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-13 22:38 241,664 ----a-w C:\Documents and Settings\Luke\sniffit.exe
2002-07-29 19:40 155,648 ----a-w C:\Documents and Settings\Luke\ase2prm.exe
2002-04-12 16:29 29,184 ----a-w C:\Documents and Settings\Luke\rvshade.exe
2002-04-12 16:29 29,184 ----a-w C:\Documents and Settings\Luke\rvcolor.exe
2002-04-12 16:29 28,672 ----a-w C:\Documents and Settings\Luke\findump.exe
2002-04-12 16:29 28,160 ----a-w C:\Documents and Settings\Luke\rvweird.exe
2002-04-12 16:29 27,648 ----a-w C:\Documents and Settings\Luke\rvtrans.exe
2002-04-12 16:29 27,648 ----a-w C:\Documents and Settings\Luke\rvmark.exe
2002-04-12 16:29 27,648 ----a-w C:\Documents and Settings\Luke\rvcenter.exe
2000-02-16 16:03 14,552 ----a-w C:\Documents and Settings\Luke\RV-DBLSD.EXE
2000-01-17 16:50 31,365 ----a-w C:\Documents and Settings\Luke\RV-SIZER.EXE
1999-12-15 22:00 19,311 ----a-w C:\Documents and Settings\Luke\RV-REMAP.EXE
1999-11-25 18:21 40,960 ----a-w C:\Documents and Settings\Luke\PRM2NCP.EXE
1997-06-09 11:27 36,864 ----a-w C:\Documents and Settings\Luke\TMD2LWO.EXE
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

------- Sigcheck -------

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe
2004-08-04 07:00 2068608 471aeecdb0937bd3617f52772250251a C:\WINDOWS\system32\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2004-08-04 07:00 2068608 471aeecdb0937bd3617f52772250251a C:\WINDOWS\system32\VIRepair\ntkrnlpa.exe
2004-08-04 07:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntoskrnl.exe
2004-08-04 07:00 2192768 cd20e140a91dea9564a89ba430b04b68 C:\WINDOWS\system32\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2004-08-04 07:00 2192768 cd20e140a91dea9564a89ba430b04b68 C:\WINDOWS\system32\VIRepair\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\VITrans\ntoskrnl.exe

2004-08-04 07:00 1422336 4b0011b8e35843966a3ce5685058420f C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 07:00 1422336 4b0011b8e35843966a3ce5685058420f C:\WINDOWS\system32\VIRepair\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-25_20.05.59.65 )))))))))))))))))))))))))))))))))))))))))
.

2008-05-26 00:59:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
2008-05-27 22:21:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
2008-05-27 22:21:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16 5562368]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-17 17:08 1572608]
"BOC-426"="C:\PROGRA~1\Comodo\CBOClean\BOC426.exe" [2008-04-10 11:08 351480]
"TMRUBottedTray"="C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-19 00:18 288088]

C:\Documents and Settings\Luke\Start Menu\Programs\Startup
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-03-14 18:00:46 546816]
NYKO Gamepad Mapping Tools.lnk - C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2007-10-29 20:03:49 416768]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-11-01 19:55:04 19968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
CallWave.lnk - C:\Program Files\CallWave\IAM.exe [2007-10-28 23:01:58 1590352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm
"msvideo3"= STVqx3tg.dll
"vidc.mpng"= C:\Program Files\t@b[u]0[/u].958\686\tabdec.dll
"vidc.mvjp"= C:\Program Files\t@b[u]0[/u].958\686\tabdec.dll
"vidc.444p"= C:\Program Files\t@b[u]0[/u].958\686\tabdec.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Drempels Desktop.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Drempels Desktop.lnk
backup=C:\WINDOWS\pss\Drempels Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
--a------ 2004-09-20 01:27 65536 C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
--a------ 2007-11-23 22:24 249856 C:\Program Files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-04-01 16:16 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-29 21:21 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-08-17 05:39 90112 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-10-29 14:49 77824 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
--a------ 2007-11-20 13:51 524288 C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Maya5PLEHelpServer"=3 (0x3)
"WZCSVC"=2 (0x2)
"SCardSvr"=3 (0x3)
"aspnet_state"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"True Transparency"=C:\Program Files\TrueTransparency\TrueTransparency.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"SoundMan"=SOUNDMAN.EXE
"WinFast Schedule"=C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\eMule\emule.exe"=
"C:\Program Files\Pidgin\pidgin.exe"=
"C:\Program Files\K'NEX\game.exe"=
"C:\Program Files\Hasbro\Boggle\Boggle.exe"=
"C:\WINDOWS\system32\dplaysvr.exe"=
"C:\Program Files\Xfire\xfire.exe"=
"C:\Program Files\Azureus\Azureus.exe"=
"C:\Program Files\CallWave\IAM.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1317:TCP"= 1317:TCP:messenger

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:.\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c39b5dd-85d0-11dc-a05d-ac4146196c01}]
\Shell\AutoRun\command - H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eab94e0c-8595-11dc-a19d-806d6172696f}]
\Shell\AutoRun\command - E:\start.exe

.


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 17:21:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\Luke\LOCALS~1\Temp\ASFWHide"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\COMODO\CBOClean\BOCore.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.


.
Completion time: 2008-05-27 17:25:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 22:25:18
ComboFix2.txt 2008-05-27 18:10:22
ComboFix3.txt 2008-05-26 01:06:13

Pre-Run: 259,212,632,064 bytes free
Post-Run: 259,197,788,160 bytes free

317 --- E O F --- 2008-03-31 04:04:00

Currently Avast isn’t showing up in the taskbar, but I’ll see what a restart will do.
I caught 255.255.255.255:67 and 239.255.255.250:1900 on my svchost this time…

Also, my ever reoccurring Search problem, for some reason when I Click Start>>Search and type in something explorer.exe crashes. I checked my Dad’s personal PC for that DLL I just caught by using Start>>Search and now his is doing the same thing crashing explorer… sooo… As of yet he has no svchost’s sending anything suspicious on his though.
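The Sigcheck section of the log above lists several copies of the same system binary with their MD5s, which is meant to be compared by hand. The script below is an added example, not part of this thread or of ComboFix: it parses those lines (the sample input is copied from the log's explorer.exe and ntoskrnl.exe entries) and reports files whose live copy differs from the Windows File Protection copy in dllcache while carrying the identical timestamp. A mismatch is a lead, not a verdict: the kernel copies differ legitimately on multiprocessor machines, and a modified shell theme can account for explorer.exe, so anything flagged still needs a hash lookup or a signature check.

```python
import re
from collections import defaultdict

# Sample input copied from the Sigcheck section of the ComboFix log posted above
# (explorer.exe and ntoskrnl.exe entries only); these are the log's own lines.
SIGCHECK_SAMPLE = r"""
2004-08-04 07:00 2192768 cd20e140a91dea9564a89ba430b04b68 C:\WINDOWS\system32\ntoskrnl.exe
2004-08-04 07:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2004-08-04 07:00 2192768 cd20e140a91dea9564a89ba430b04b68 C:\WINDOWS\system32\VIRepair\ntoskrnl.exe

2004-08-04 07:00 1422336 4b0011b8e35843966a3ce5685058420f C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\dllcache\explorer.exe
"""

# date time size md5 path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+?)\s*$")


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, size, md5, path = m.groups()
        parent, _, name = path.rpartition("\\")
        entries.append({"stamp": stamp, "size": int(size), "md5": md5.lower(),
                        "path": path, "name": name.lower(), "parent": parent.lower()})
    return entries


def distinct_hashes(entries):
    """Map file name -> {md5: [paths]} so differing copies are visible at a glance."""
    out = defaultdict(lambda: defaultdict(list))
    for e in entries:
        out[e["name"]][e["md5"]].append(e["path"])
    return {name: dict(hashes) for name, hashes in out.items()}


def _is_live(parent):
    # The copy Windows actually runs: %windir% (explorer.exe) or %windir%\system32.
    return parent.endswith("\\windows") or parent.endswith("\\windows\\system32")


def _is_cache(parent):
    # Windows File Protection's reference copy.
    return parent.endswith("\\system32\\dllcache")


def wfp_mismatches(entries):
    """Names whose live copy and dllcache copy have different MD5s.
    Returns name -> {"live": entry, "cache": entry, "same_stamp": bool}."""
    live, cache = {}, {}
    for e in entries:
        if _is_live(e["parent"]):
            live[e["name"]] = e
        elif _is_cache(e["parent"]):
            cache[e["name"]] = e
    report = {}
    for name in live.keys() & cache.keys():
        if live[name]["md5"] != cache[name]["md5"]:
            report[name] = {"live": live[name], "cache": cache[name],
                            "same_stamp": live[name]["stamp"] == cache[name]["stamp"]}
    return report


if __name__ == "__main__":
    entries = parse_sigcheck(SIGCHECK_SAMPLE)
    for name, info in wfp_mismatches(entries).items():
        print(f"{name}: live {info['live']['size']} B {info['live']['md5']} vs "
              f"dllcache {info['cache']['size']} B {info['cache']['md5']}"
              f"{' (same timestamp)' if info['same_stamp'] else ''}")
```

Run it against a whole ComboFix log by passing the file contents to `parse_sigcheck`; the regex ignores every line that is not a Sigcheck entry, so the rest of the log does not need to be cut out first.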

That should improve things a little bit. At least it didn’t break anything.

I notice the upx.exe and uniime.dll in C:. I’m presuming this is your work on taking that thing apart.

The submit package is a copy of the log and the uniime.dll file.

Try running PrevxCSI. Prevx.com has the writeups on the copycat drivers, and their analyzer likely will tag something. You may need to download a clean copy, if this is some malware that has “disabled” the antivirus scanners. Same with Avast, if you can’t get anywhere.

On those 3 drivers, x264vfw.dll is supposedly from Microsoft. i263_32.drv (not dll) is from Intel. Both companies put copyright notices and version details on all their stuff. If the file properties aren’t showing anything, it’s not a good sign to be legit. The yv12vfw.dll is a Helixcommunity codec. I have no idea how they might mark things.

Progress. It feels good, so long as there’s not an active back door that can undo things. And I definitely need to get my skills updated.

Yep, my Attempt at decompiling.

I ran PrevxCSI, still says nothing found. The Avast icon never came back even though it’s still running apparently.

All of those drivers were unsigned, highly unusual and nothing in summary.

I think you should send this thing to some malware labs since I uploaded it. 8)

And I definitely need to get my skills updated.
Just keeping you on the cutting edge I guess? lol jk. (:LGH)

Thanks for the help so far.

Those drivers may be pointing to something known as “Covert.Sys.Exec”. Nasty details at http://virusinfo.prevx.com/viruscenter.asp?GRP=4775600015 which sounds a lot like what you’ve been describing.

Those 3 drivers in legit form are from Windows XP SP2. The legit details from bleepingcomputer.com are

x264vfw.dll size 593,938 bytes timestamp 2006-09-13 from Microsoft
i263_32.drv size 391,680 bytes timestamp 1997-04-07 from Intel, version 2.55.012
yv12vfw.dll size 217,088 bytes timestamp 2004-01-25 from Helix, file version R1.02

Prevx.com describes the copycats as

x264vfw.dll size 550,418 bytes known malware part of “Covert.Sys.Exec” group
i263_32.drv size 125,300 bytes or 391,680 bytes - new, first encountered Dec 2007
yv12vfw.dll size 70,656 bytes or 217,088 bytes - new, first encountered 20 May 2008 (last week), packed/encrypted

If those sizes and timestamps match up for malware, or that driver is packed/encrypted, or they don’t match the SP2 versions, then I’m thinking this is the stuff we’re working against. And it is certainly new.

I’ll research the “Covert.Sys.Exec” malware, and see what cleaning techniques exist.

And I’ll definitely be forwarding any and all samples to folks who can make very good use of it.

Indeed, new and undetected. :o

x264vfw.dll 551 KB (564,224 bytes) Created Monday October 29, 2007 6:03:33PM, Modified June 09, 2007 5:14:10AM -Unsigned.
VirusTotal Report: http://www.virustotal.com/analisis/cc2d165a013766e1ba0f3694a1adfb5c

yv12vfw.dll 69.0 KB (70,656 bytes) bytes Created Monday, October 29, 2007, 6:03:34 PM Modified Sunday, January 25, 2004, 12:00:00 AM - Signed Helix YV12 YUV Codec 1.2.0.0

i263_32.drv size 382 KB (391,680 bytes) Created Monday, October 29, 2007, 6:03:33 PM Modified Monday, April 07, 1997, 6:19:00 PM -Signed Intel I.263 Video Driver 2.55.012 Copyright © 1992-1997 Intel Corporation.
You’ll notice all these DLLs were created at the same time and minute. Rather unusual.

Also I ran fsmgmt.msc and found Shared folders local to have folder “IPC$” no shared path Type: Windows #Client Connections 0 Comment Remote IPC. Might be something might be nothing, dunno just thought I’d mention it.

I’ll see if I can’t get Avast Icon back, it seems to be operational all except the icon. ???

Now we know what we’re up against. Nasty little beggar too.

Research so far hasn’t turned up anything other than Prevx as recognizing “Covert.Sys.Exec”. Probably other antivirus products do, but they call this malware some other name. It just makes for confusion.

This thing is a polymorphic that adds itself to end of executables, which makes cleanup a bit of a mess, and makes backups of anything with code (*.exe, *.dll, *.scr, etc etc) to be impossible. Restoring from backup just reseeds the malware. Also anything transferred to USB sticks, just like seeds in the wind and getting into a new machine.

The “IPC$” share is a normal Microsoft share, used as a standard reference for Windows networking administration.

You might try running Avast from Start → All Programs, or directly from a command prompt. But the executable may have been taken over, and so you’re not running what you think you’re running.

Note that in the research, I tripped over several “products” that supposedly do cleanup of this thing. A little research on those turns up that at best they’re a waste of time, and at worst, they install more junk malware. Something called “Spyhunter” showed up a lot, and really doesn’t have a good reputation. Traps for the unwary on this thing.

My first impression is that something like BartPE is going to be needed for cleanup, if none of the machine executables can be trusted to function properly. I need to think on that one for a bit.

On the end of my day, again. I’ll be back tomorrow, about the usual 1800 GMT.
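The post above describes a file infector that appends itself to the end of executables. One structural check a defender can run over a suspect drive is to compare each PE file's size with the end of its last section: bytes past that point are an "overlay". The script below is an added example, not from this thread or any named product. It builds a toy PE32 image in memory (constructed for the demo, not a real program) so it runs offline, then measures the overlay; it discounts an Authenticode certificate table that exactly covers the trailing bytes, since signed files legitimately keep their signature there. Installers and self-extractors also carry overlays, and an infector that grows the last section instead would not be caught, so treat a hit as a reason to hash and compare, not as proof.

```python
import struct

FILE_ALIGN = 0x200  # FileAlignment used by the toy builder below


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) & ~(a - 1)


def build_minimal_pe(section_sizes, overlay=b""):
    """Construct a toy PE32 image with the given section payload sizes and append
    `overlay` after the last section. Demo data only; it is not executable code."""
    n = len(section_sizes)
    e_lfanew = 0x40
    opt_size = 0xE0                                   # PE32 optional header length
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * n
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    raw_ptr = _align(headers_len)
    table, payload = b"", b""
    for i, size in enumerate(section_sizes):
        raw_size = _align(size)                       # linkers round SizeOfRawData up
        table += f".s{i}".encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", size, 0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        payload += b"\x90" * size + b"\0" * (raw_size - size)
        raw_ptr += raw_size
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(_align(headers_len), b"\0")
    return header + payload + overlay


def overlay_size(data):
    """Number of bytes after the end of the last section, excluding a certificate
    table (data directory 4) that exactly covers those trailing bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    sec_dir_off = opt_off + (128 if magic == 0x10B else 144)  # Security directory entry
    cert_off, cert_size = (struct.unpack_from("<II", data, sec_dir_off)
                           if sec_dir_off + 8 <= opt_off + opt_size else (0, 0))
    end = 0
    for i in range(nsec):
        sh = opt_off + opt_size + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, sh + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    if cert_off == end and cert_size and cert_off + cert_size == len(data):
        return 0                                      # trailing bytes are the signature blob
    return max(len(data) - end, 0)


def scan_file(path):
    """Overlay size of a PE file on disk; raises ValueError for non-PE input."""
    with open(path, "rb") as f:
        return overlay_size(f.read())


if __name__ == "__main__":
    clean = build_minimal_pe([0x300, 0x100])
    appended = build_minimal_pe([0x300, 0x100], overlay=b"A" * 1234)
    print("clean image overlay:", overlay_size(clean))        # 0
    print("appended image overlay:", overlay_size(appended))  # 1234
```

Run `scan_file` over every `*.exe`, `*.dll` and `*.scr` on a drive mounted from a clean environment and sort by overlay size; a long tail of files with the same odd overlay length is the pattern an appending infector leaves.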

I ran Avast from the Start Menu. It caught Net Tools “Carrier.exe” this time and identified it as Win32:Trojan-gen {VB}, nothing much else though… Although it is a little unusual NetTools has “Carrier” for a file name. ???

I’m not sure where I can compile BartPE if my computer is infected, and a Java Caffe online place is hardly any better… :frowning:

I’m going to be rather busy in Real Life today, but I’ll try and get on later tonight and during the day as I can. :-\

Edit: Would Ultimate Boot CD Full be good enough? I compiled it some time ago on my computer.

I looked at the UltimateBootCD.com web page. Interesting product, with lots of good stuff in there. Notably McAfee Antivirus, although the virus database is a little dated. That might be able to run, and be able to give you some cleanup.

I’ve been doing more research on the “Covert.Sys.Exec”. The name seems to be Prevx’s grouping for malware that seems to work together. I take that as an indication that this malware is modular in construction. That means antivirus products can recognize a module here or there, but not the entire “package”. Kaspersky seems to have coverage on a lot of the elements, but calls each by some different name, and not a collective name as Prevx has.
And all of the sighting reports are new, as in the last few months, or days in some instances.

Just based on what I’ve found so far, Prevx and Kaspersky seem to be the best bet for a “crop duster” style cleaning. The trick is going to be to get them to run, as this malware seems to have defenses that are aimed specifically at antivirus products.

Two methods come to mind.

One is to run the antivirus from a read-only device, e.g. a CD or DVD. This presumes you can get access to a known clean machine with a burner. Install one, or better, both, or even better, as many as you can, antivirus packages on the CD from the clean machine. Then mount the CD on your machine, and run the scans.

Windows makes doing program installs a pain for things like this. I’ve found that doing an install onto a USB stick on one machine, then changing the drive letter via diskmgmt.msc to the CD, will keep all the registry details straight.

All of this presumes the malware defensive code isn’t going to intercept memory execution while the antivirus is doing the scan. If it does, the scans will come up blank. In which case, method two.

Second is to somehow get a clean run environment. BartPE is one way of getting that environment. That presumes, again, you have access to a known clean machine. As you’ve described things, that may be a problem. Especially as I think it likely that it’d take several BartPE builds to get everything done.

A more tedious method simply needs a “new” clean disk drive. Take the drive out of your machine, put in the new drive, and install a clean XP system and then do a BartPE build from that. Swap the drives again, and run the BartPE tools to scan the old drive. Alternatively, you could slave the old drive to the new system install, and scan from there. And be very careful about anything trying to do an autorun. If the new install gets contaminated, then zero and reinstall. Like I said, tedious. If you’re resource constrained, this may be your best bet. If there is a discount/used computer shop in your area, you could probably get a suitable drive fairly cheap. 10gig drives are almost giveaways these days.

I’ll keep digging in the research.

Well, I would like to thank you for all the support and help you’ve been. I have learned much with all the time you’ve spent on this, and I realize it to be one of the worst viruses ever.

Also, thanks for BartPE, but seeing I don’t know any clean PCs to use right now I don’t think I can compile it correctly because of this…

It has now infected Avast and was sending out 53 connections using its AshWebSvr.exe. Just prior to posting this, I uninstalled the anti-virus for the time being.

If you would like to try some last things, or know any one who would be willing to compensate for my hard drive to have it analyzed and get me a new one, let me know.

If all else fails I will be switching to Ubuntu soon, it has all I will ever need and I can use VirtualBox if I ever need to run Windows XP again.

It has now infected Avast and was sending out 53 connections using its AshWebSvr.exe. Just prior to posting this, I uninstalled the anti-virus for the time being.
Somehow this doesn't surprise me. This malware likely has code to select alternative programs to take over when it finds it is being blocked. Like, somebody locked this house, try next door, and the next door, and so on. It also means that the command channel got re-established.

This is definitely professionally written commercial criminal malware. The kind of stuff that I’d expect to find at the “eye of the Storm”.

The only other thing that I can think to try is to hand off to one of the other malware cleanup forums, to somebody who knows more and has more cleanup experience than I have. I’ve been tracking a couple of comparable topics, as yet unresolved, on bleepingcomputer, so I’ll point to them.

If you do a switch to Ubuntu (which is an excellent choice of distributions, in my opinion) to run on the same hardware, I’d strongly suggest doing a disk zero wipe and reformat with the vendor tools on the UltimateBootCD package. “Darik’s Boot and Nuke” (also known as dban) is one of the best zero wipe utilities out there, and it’s listed as being in the UBCD package. I wouldn’t put it past this malware to bury itself down in the MBR in some semiprotected partition in an unrecognized filesystem format.

As things were going, and what I was finding in my research, it was looking more and more likely that it wasn’t going to be possible to clean this particular malware. It might be, but it’s not looking to be an easy one. Even for someone with more cleaning experience than I have.

If we’re coming to the end of this, then I’ll hold the topic open for another couple of days before marking it closed.

I’m going to close this topic, and lock it for reference. If there’s a need to have it reopened, just PM any of the moderators.