DummyNewB

compstuih.dll and more! Big Challenge

Hello,

 

My daughter's PC went a while without updated anti-virus protection, and as a result her laptop has become a problem. Ad-Aware SE Plus has detected some nasty stuff and has attempted to remove most of it. One file that has remained is the compstuih.dll file. After a few reboots it seems to have disappeared on its own? Is that possible? We still get pop-ups, and usually one that takes us to a WinAntiVirus page, which I understand is an infection in itself. I have posted the latest HijackThis log, the Ad-Aware log and the anti-virus log from her PC for someone who may want to take on this challenge, because I'm at a loss as to how to get rid of all of this junk. Any help is very much appreciated. Just let me know if you need anything else for the analysis.

 

Ron

 

 

Ad-Aware SE Plus

 

ArchiveData(auto-quarantine- 2006-09-26 11-02-10.bckp)

Referencefile : SE1R124 19.09.2006

======================================================

 

TRACKING COOKIE

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

obj[0]=IECache Entry : Cookie:[email protected]/

 

WINANTIVIRUSPRO

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

obj[1]=File : C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP350\A0019704.exe

 

 

Avast Anti Virus Log

 

09/10/2006 12:16

Scan of all local drives

File C:\Documents and Settings\Owner\Local Settings\Temp\mst36.tmp is infected by Win32:Klone-N [Trj], Deleted

File C:\Documents and Settings\Owner\Local Settings\Temp\mst45.tmp is infected by Win32:Klone-N [Trj], Deleted

File C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr9BA9 is infected by Win32:Trojan-gen. {Other}, Deleted

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\28QHBTWK\l11[1].exe\[upack] is infected by Win32:Zlob-HM [Trj], Deleted

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EL5Y7YLC\srvnjq[1].exe is infected by Win32:Trojan-gen. {Other}, Deleted

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EL5Y7YLC\the_sims_makin_magic_expansion_keygen[1].exe is infected by Win32:Small-BEM [Trj], Deleted

File C:\pagefile.sys is infected by Win32:Klone-N [Trj], Deleted

File C:\Program Files\InetGet2\MTE3MTk6ODoxNg.exe is infected by Win32:Trojano-2873 [Trj], Deleted

File C:\Program Files\Microsoft Works\WKSv7std.sbs is infected by Win32:SdBot-3324 [Trj], Deleted

File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP348\A0019357.dll is infected by Win32:Trojan-gen. {Other}, Deleted

File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP348\A0019381.exe is infected by Win32:Trojano-2873 [Trj], Deleted

File C:\WINDOWS\system32\winwpa32.dll is infected by Win32:Klone-N [Trj], Deleted

File C:\WINDOWS\Temp\winF.tmp.exe is infected by Win32:Trojan-gen. {Other}, Deleted

 

Number of searched folders: 3880

Number of tested files: 64035

Number of infected files: 13

 

----------------------------------------

09/10/2006 13:45

Scan of all local drives

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8LUJ4D2J\104[1].net is infected by Win32:Adware-gen. [Adw], Deleted

File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP348\A0019382.dll is infected by Win32:Klone-N [Trj], Deleted

File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP348\A0019570.dll is infected by Win32:Adware-gen. [Adw], Deleted

File C:\WINDOWS\system32\components\flx6.dll\[uPX] is infected by Win32:Renos-L [Adw], Deleted

 

Number of searched folders: 3862

Number of tested files: 63861

Number of infected files: 4

 

----------------------------------------

09/26/2006 10:05

Scan of all local drives

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HJRPV5JW\bgates[1].exe\[uPX] is infected by Win32:Dialer-BN [Trj], Moved to chest

File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP349\A0019663.dll\[uPX] is infected by Win32:Renos-L [Adw], Moved to chest

 

Number of searched folders: 3853

Number of tested files: 63624

Number of infected files: 2

 

HiJackThis Log

 

Logfile of HijackThis v1.99.1

Scan saved at 8:55:47 PM, on 9/25/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Digital Media Reader\shwicon2k.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\BigFix\BigFix.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

F2 - REG:system.ini: UserInit=userinit.exe

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [f3351475.exe] C:\WINDOWS\system32\f3351475.exe

O4 - HKLM\..\Run: [spyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

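The HijackThis log above is what a helper reads line by line to decide what must go. As an added example (not code from the thread, from HijackThis, or from the helper's procedure below), here is a small Python triage that applies the kind of rules a reviewer applies by eye: `(file missing)` references, O23 services with no publisher and no binary on disk, O21 SSODL autostarts, and digit-heavy random-looking file names in Run keys. The rules, weights and threshold are assumptions chosen for illustration, and the sample input is an excerpt of the log posted above. A zero score is not a clean bill: an entry installed under a normal-looking Program Files path still needs a reputation lookup by a human.

```python
"""Heuristic triage of HijackThis 1.99.x log entries.

Added example for this thread; not code from HijackThis or from the helper's
procedure. The scoring rules are assumptions that illustrate what a reviewer
looks for in O4/O21/O23 lines; they are hints, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the HijackThis log posted above, used as sample input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [f3351475.exe] C:\WINDOWS\system32\f3351475.exe
O4 - HKLM\..\Run: [spyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in an executable extension (spaces allowed).
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|sys))\b", re.IGNORECASE)
# Digit-heavy names such as f3351475.exe: up to two letters, then five or more digits.
RANDOM_NAME_RE = re.compile(r"^[a-z]{0,2}\d{5,}\.(?:exe|dll)$", re.IGNORECASE)
FLAG_THRESHOLD = 2  # assumption: anything scoring this high is shown to the reviewer


@dataclass
class Finding:
    section: str
    target: str                     # file name the entry points at ("" if none parsed)
    score: int
    reasons: list = field(default_factory=list)
    line: str = ""


def triage_entry(line: str):
    """Score one HijackThis line; return a Finding, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    lowered = body.lower()
    pm = PATH_RE.search(body)
    path = pm.group("path") if pm else ""
    target = path.rsplit("\\", 1)[-1]
    f = Finding(section=section, target=target, score=0, line=line.strip())

    if "(file missing)" in lowered:
        # Dead autostart: leftover of an incomplete removal, or a component the
        # malware re-drops at boot. Either way the reference has to go.
        f.score += 2
        f.reasons.append("points at a file that is no longer on disk")
    if section == "O23" and "unknown owner" in lowered and "(file missing)" in lowered:
        f.score += 1
        f.reasons.append("service with no publisher and no binary")
    if section in ("O20", "O21"):
        # Winlogon notify / ShellServiceObjectDelayLoad: loaded at logon and a
        # common persistence point; verify the CLSID and the DLL it names.
        f.score += 1
        f.reasons.append("SSODL/Winlogon autostart, verify CLSID and DLL")
    if section == "O4" and RANDOM_NAME_RE.match(target):
        f.score += 3
        f.reasons.append("digit-heavy random-looking file name in a Run key")
    return f


def triage_log(text: str):
    """Return the flagged findings, highest score first."""
    findings = [f for f in map(triage_entry, text.splitlines()) if f]
    flagged = [f for f in findings if f.score >= FLAG_THRESHOLD]
    return sorted(flagged, key=lambda f: f.score, reverse=True)


def flagged_targets(text: str):
    """Lower-cased file names of every flagged entry."""
    return {f.target.lower() for f in triage_log(text)}


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.score}] {f.section} {f.target}: {'; '.join(f.reasons)}")
```

Run against the excerpt, the script flags f3351475.exe, urroxtl.dll, command.exe and netmon.exe and passes the Synaptics, avast! and Wacom entries, which matches what a reviewer would single out from the log. The rogue-looking Program Files entry scores zero on purpose: no string rule can tell a shady installer from a real one, and that call still belongs to a person with a reputation source in hand.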

Hi,

 

Apologies for the late reply, we've been quite swamped in here as you can probably see.

I'm now subscribed to this topic so I will receive a notice from the board as soon as you reply, so I can be here much more quickly than it has taken to get to your new topic.

 

She's got multiple problems there. Let's start with compstuih.dll which is a sign of the Delf trojan and very difficult for scanners to remove.

 

Download win32delfkil.exe.

http://users.telenet.be/marcvn/tools/win32delfkil.exe

Save it on your desktop.

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.

Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically.

Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.
