BleepingComputer.com: Infected with uacinit.dll

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Infected with uacinit.dll Can't remove it

#1 User is offline   Wizzle 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 17-May 09
  • Location:Brooklyn, MI

Posted 21 May 2009 - 09:27 PM

Hi, hoping you can help me! I was told to post the HJT log here after running through a few things in the "Am I infected? What do I do?" forum.
Malwarebytes scan found uacinit.dll and can't remove it. The MBAM log shows "Files Infected: C:\WINDOWS\system32\uacinit.dll (Trojan.Agent)". Once it's done scanning, MBAM says to reboot the computer to remove it, but when I scan again, I get the same thing; it never goes away. Things I tried before posting: MBAM, Norton (which doesn't catch it at all - although an interesting thing is that now Norton's full scan doesn't scan all files anymore (only 5,000 of them) - it initially caught something called generic.200.process (or something like that) which it deleted, SuperAntiSpyware doesn't catch it at all...
Other stuff: at some point I had to rename the MBAM executable to get it to open. Operating system is Windows XP Media Center Edition.

'boopme' walked me through ATF Cleaner and SuperAntiSpyware, and the next post I got was from 'quietman7', who said uacinit.dll was a rootkit, and the next step was to come here. Topic referenced is here: http://www.bleepingcomputer.com/forums/topic227700.html ~ OB

Thank you in advance for any help you can provide!!

Here's the DDS.txt log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by steven at 22:03:59.28 on Thu 05/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.480 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Documents and Settings\steven\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyServer = 168.94.74.68:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\f1u201~1.lnk - c:\program files\belkin\f1u201.401\usbshare.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174838083093
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\ayruauoe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-24 1245064]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-12-24 20736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090518.038\NAVENG.SYS [2009-5-19 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090518.038\NAVEX15.SYS [2009-5-19 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-1-11 194304]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-05-19 18:40 13,721 a------- c:\windows\system32\5995sparsez59.cpl
2009-05-19 13:02 8,354 a------- c:\windows\2z9cthief2540.bin
2009-05-18 19:28 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-18 18:45 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-18 05:53 12,018 a------- c:\windows\3zae5d9ware939.cpl
2009-05-18 04:06 13,569 a------- c:\windows\5090s95zl2902.bin
2009-05-17 23:54 7,423 a------- c:\windows\system32\2509zs5y2869.dll
2009-05-17 21:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-17 21:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-17 21:12 <DIR> --d----- c:\docume~1\steven\applic~1\SUPERAntiSpyware.com
2009-05-17 01:07 2,872 a------- c:\windows\system32\4964vi51z05.exe
2009-05-16 21:10 1,248 a------- c:\windows\system32\tmp.reg
2009-05-16 17:31 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-16 17:30 <DIR> --d----- c:\documents and settings\steven\.housecall6.6
2009-05-16 13:57 <DIR> --dsh--- c:\documents and settings\steven\PrivacIE
2009-05-16 13:54 <DIR> --dsh--- c:\documents and settings\steven\IETldCache
2009-05-16 13:48 <DIR> --d----- c:\windows\ie8updates
2009-05-16 13:48 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-16 13:46 <DIR> -cd-h--- c:\windows\ie8
2009-05-16 12:43 81,920 a------- c:\windows\system32\ieencode.dll
2009-05-16 12:34 <DIR> --d----- c:\windows\system32\scripting
2009-05-16 12:33 <DIR> --d----- c:\windows\system32\en
2009-05-16 12:33 <DIR> --d----- c:\windows\l2schemas
2009-05-16 12:33 <DIR> --d----- c:\windows\system32\bits
2009-05-16 12:30 <DIR> --d----- c:\windows\network diagnostic
2009-05-16 12:24 536,576 a------- c:\windows\system32\dllcache\msado15.dll
2009-05-16 12:14 <DIR> --d----- c:\windows\system32\URTTemp
2009-05-11 08:55 3,637 a------- c:\windows\system32\16175sp9mboz630.ocx
2009-05-10 19:21 14,541 a------- c:\windows\system32\5bz6backdo9r570.dll
2009-05-10 03:29 6,818 a------- c:\windows\system32\3533s9ywarz3001.bin
2009-05-09 18:16 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-05-09 18:06 1,193,414 a------- c:\windows\system32\dllcache\sysmain.sdb
2009-05-08 01:08 4,458 a------- c:\windows\system32\328c9zck5oor387.cpl
2009-05-07 21:49 <DIR> --d----- c:\docume~1\steven\applic~1\Malwarebytes
2009-05-07 21:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-07 21:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 21:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-07 21:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-07 19:18 18,398 a------- c:\windows\system32\6e97thi5fz6529.bin
2009-05-07 00:39 12,801 a------- c:\windows\system32\5a79doznload5r3219.cpl
2009-05-06 20:15 14,998 a------- c:\windows\32z83no5-a-virus99.exe
2009-05-05 23:16 6,341 a------- c:\windows\1c54backzoor9548.ocx
2009-05-03 17:59 4,439 a------- c:\windows\16095zr5j4d8.bin
2009-05-03 15:03 3,015 a------- c:\windows\90052zorm39b.bin
2009-05-03 13:03 17,071 a------- c:\windows\system32\19z35spambot365.bin
2009-05-02 03:29 3,990 a------- c:\windows\15869hacktool6z9.bin
2009-04-28 17:30 10,649 a------- c:\windows\2z969not-a-vi5u9450.dll
2009-04-28 12:05 9,228 a------- c:\windows\6aeb5hzeat22904.ocx
2009-04-28 03:28 7,324 a------- c:\windows\system32\19759sp54ze.exe
2009-04-24 03:28 12,297 a------- c:\windows\13053noz-a-v9rus458.ocx
2009-04-23 12:30 15,676 a------- c:\windows\system32\10655zrme29.exe

==================== Find3M ====================

2009-05-17 21:42 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-07 19:18 7,083 a------- c:\windows\28zsp95ec.bin
2009-04-19 06:02 10,422 a------- c:\windows\system32\722spzwa9e2556.bin
2009-04-17 09:12 6,582 a------- c:\windows\system32\1756s9ezl13.dll
2009-04-17 01:55 6,781 a------- c:\windows\system32\5099b5ckzoor2235.bin
2009-04-15 09:49 9,586 a------- c:\windows\2550zpy592.bin
2009-04-14 05:52 3,481 a------- c:\windows\system32\973825pyz.bin
2009-04-12 09:54 9,347 a------- c:\windows\6085zi5999.dll
2009-04-09 00:32 9,645 a------- c:\windows\system32\z919t5al1839.dll
2009-04-03 03:07 14,127 a------- c:\windows\69bfspa5s919z9.dll
2009-04-02 09:11 5,767 a------- c:\windows\system32\5b99th5zf89.dll
2009-03-27 22:12 18,140 a------- c:\windows\system32\4399backzoor875.bin
2009-03-26 14:48 14,511 a------- c:\windows\system32\15543v9rus15bz.dll
2009-03-25 17:05 5,496 a------- c:\windows\system32\3570s5azse29359.exe
2009-03-24 14:21 8,172 a------- c:\windows\bd3sparse15z59.dll
2009-03-23 19:21 13,620 a------- c:\windows\697azhre9t3359.exe
2009-03-21 10:28 8,283 a------- c:\windows\85edownloader2795z.bin
2009-03-21 10:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 05:53 7,652 a------- c:\windows\5901bzckd5or466.dll
2009-03-15 04:02 7,666 a------- c:\windows\27919spy1za5.exe
2009-03-14 11:23 8,550 a------- c:\windows\system32\1z8979py755.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 01:29 8,805 a------- c:\windows\14591worz7c35.bin
2009-03-02 19:52 1,495,552 a------- c:\windows\system32\dllcache\shdocvw.dll
2009-03-02 08:13 17,322 a------- c:\windows\system32\58a8spywarz2159.bin
2009-02-24 12:25 10,520 a------- c:\windows\system32\51f9vir1059z.dll
2009-02-21 08:42 5,311 a------- c:\windows\2edzsp5wa9e1717.dll
2008-10-12 18:05 848 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 22:05:22.59 ===============

This post has been edited by Orange Blossom: 22 May 2009 - 01:06 AM

#2 User is offline   KoanYorel 

  • Bleepin' Conundrum
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Staff Emeritus
  • Posts: 19,461
  • Joined: 26-April 04
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA

Posted 04 June 2009 - 05:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 User is offline   Wizzle 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 17-May 09
  • Location:Brooklyn, MI

Posted 06 June 2009 - 08:53 AM

Oh, you all have good timing! I was just about to give it up and reinstall Windows! :thumbup2:

I haven't done anything more to this computer since my first post. The machine is still infected; please see first post and my other log (there's a link in the first post) for the problem and the steps we've already performed.

Here's the DDS.txt log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by steven at 9:42:42.01 on Sat 06/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.587 [GMT -4:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\steven\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyServer = 168.94.74.68:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\f1u201~1.lnk - c:\program files\belkin\f1u201.401\usbshare.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174838083093
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\ayruauoe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.comcast.net
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-24 1245064]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-12-24 20736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090604.002\NAVENG.SYS [2009-6-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090604.002\NAVEX15.SYS [2009-6-4 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-1-11 194304]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-06-06 09:10 15,930 a------- c:\windows\9189wo5m5cdz.cpl
2009-06-03 15:19 17,918 a------- c:\windows\90259or5446z.ocx
2009-06-02 02:01 10,194 a------- c:\windows\system32\45aasparse9096z.dll
2009-06-02 01:56 12,394 a------- c:\windows\18745ac9tool5bz.exe
2009-06-01 09:06 16,616 a------- c:\windows\system32\185thre5z16983.bin
2009-05-31 21:36 3,771 a------- c:\windows\297905zrm1a3.dll
2009-05-28 00:09 8,469 a------- c:\windows\system32\9516downloader159z.ocx
2009-05-27 12:52 11,786 a------- c:\windows\system32\32207not-9zvi5us5ae.bin
2009-05-27 06:44 15,880 a------- c:\windows\585ddownlo9der805z.ocx
2009-05-26 21:20 18,232 a------- c:\windows\system32\252a9hreaz2854.cpl
2009-05-26 16:00 8,944 a------- c:\windows\system32\49ba5hzeat19527.cpl
2009-05-26 01:51 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-05-23 11:59 5,406 a------- c:\windows\system32\6c78addware59z9.dll
2009-05-19 18:40 13,721 a------- c:\windows\system32\5995sparsez59.cpl
2009-05-19 13:02 8,354 a------- c:\windows\2z9cthief2540.bin
2009-05-18 19:28 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-18 18:45 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-18 05:53 12,018 a------- c:\windows\3zae5d9ware939.cpl
2009-05-18 04:06 13,569 a------- c:\windows\5090s95zl2902.bin
2009-05-17 23:54 7,423 a------- c:\windows\system32\2509zs5y2869.dll
2009-05-17 21:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-17 21:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-17 21:12 <DIR> --d----- c:\docume~1\steven\applic~1\SUPERAntiSpyware.com
2009-05-17 01:07 2,872 a------- c:\windows\system32\4964vi51z05.exe
2009-05-16 21:10 1,248 a------- c:\windows\system32\tmp.reg
2009-05-16 17:31 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-16 17:30 <DIR> --d----- c:\documents and settings\steven\.housecall6.6
2009-05-16 13:57 <DIR> --dsh--- c:\documents and settings\steven\PrivacIE
2009-05-16 13:54 <DIR> --dsh--- c:\documents and settings\steven\IETldCache
2009-05-16 13:48 <DIR> --d----- c:\windows\ie8updates
2009-05-16 13:48 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-16 13:46 <DIR> -cd-h--- c:\windows\ie8
2009-05-16 12:43 81,920 a------- c:\windows\system32\ieencode.dll
2009-05-16 12:34 <DIR> --d----- c:\windows\system32\scripting
2009-05-16 12:33 <DIR> --d----- c:\windows\system32\en
2009-05-16 12:33 <DIR> --d----- c:\windows\l2schemas
2009-05-16 12:33 <DIR> --d----- c:\windows\system32\bits
2009-05-16 12:30 <DIR> --d----- c:\windows\network diagnostic
2009-05-16 12:24 536,576 a------- c:\windows\system32\dllcache\msado15.dll
2009-05-16 12:14 <DIR> --d----- c:\windows\system32\URTTemp
2009-05-11 08:55 3,637 a------- c:\windows\system32\16175sp9mboz630.ocx
2009-05-10 19:21 14,541 a------- c:\windows\system32\5bz6backdo9r570.dll
2009-05-10 03:29 6,818 a------- c:\windows\system32\3533s9ywarz3001.bin
2009-05-09 18:16 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-05-09 18:06 1,193,414 a------- c:\windows\system32\dllcache\sysmain.sdb
2009-05-08 01:08 4,458 a------- c:\windows\system32\328c9zck5oor387.cpl
2009-05-07 21:49 <DIR> --d----- c:\docume~1\steven\applic~1\Malwarebytes
2009-05-07 21:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-07 21:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 21:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-07 21:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-07 19:18 18,398 a------- c:\windows\system32\6e97thi5fz6529.bin

==================== Find3M ====================

2009-05-17 21:42 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-07 19:18 7,083 a------- c:\windows\28zsp95ec.bin
2009-05-06 20:15 14,998 a------- c:\windows\32z83no5-a-virus99.exe
2009-05-03 17:59 4,439 a------- c:\windows\16095zr5j4d8.bin
2009-05-03 15:03 3,015 a------- c:\windows\90052zorm39b.bin
2009-05-03 13:03 17,071 a------- c:\windows\system32\19z35spambot365.bin
2009-05-02 03:29 3,990 a------- c:\windows\15869hacktool6z9.bin
2009-04-28 17:30 10,649 a------- c:\windows\2z969not-a-vi5u9450.dll
2009-04-28 03:28 7,324 a------- c:\windows\system32\19759sp54ze.exe
2009-04-23 12:30 15,676 a------- c:\windows\system32\10655zrme29.exe
2009-04-19 06:02 10,422 a------- c:\windows\system32\722spzwa9e2556.bin
2009-04-17 09:12 6,582 a------- c:\windows\system32\1756s9ezl13.dll
2009-04-17 01:55 6,781 a------- c:\windows\system32\5099b5ckzoor2235.bin
2009-04-15 09:49 9,586 a------- c:\windows\2550zpy592.bin
2009-04-14 05:52 3,481 a------- c:\windows\system32\973825pyz.bin
2009-04-12 09:54 9,347 a------- c:\windows\6085zi5999.dll
2009-04-09 00:32 9,645 a------- c:\windows\system32\z919t5al1839.dll
2009-04-03 03:07 14,127 a------- c:\windows\69bfspa5s919z9.dll
2009-04-02 09:11 5,767 a------- c:\windows\system32\5b99th5zf89.dll
2009-03-27 22:12 18,140 a------- c:\windows\system32\4399backzoor875.bin
2009-03-26 14:48 14,511 a------- c:\windows\system32\15543v9rus15bz.dll
2009-03-25 17:05 5,496 a------- c:\windows\system32\3570s5azse29359.exe
2009-03-24 14:21 8,172 a------- c:\windows\bd3sparse15z59.dll
2009-03-23 19:21 13,620 a------- c:\windows\697azhre9t3359.exe
2009-03-21 10:28 8,283 a------- c:\windows\85edownloader2795z.bin
2009-03-21 10:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 05:53 7,652 a------- c:\windows\5901bzckd5or466.dll
2009-03-15 04:02 7,666 a------- c:\windows\27919spy1za5.exe
2009-03-14 11:23 8,550 a------- c:\windows\system32\1z8979py755.exe
2008-10-12 18:05 848 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:43:13.66 ===============


And I've attached the zipped Attach.txt file that DDS created.

Thanks so much!

Attached File(s)


#4 User is offline   syler 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 8,150
  • Joined: 07-November 07
  • Gender:Male
  • Location:Warrington, UK

Posted 07 June 2009 - 06:12 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.

  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.

  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.

  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Next


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image

  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Then please post back here with, the Gmer log and Combofix.txt.

Thanks

This post has been edited by syler: 07 June 2009 - 06:20 PM

Posted Image
If I have helped you, and you would like to make a donation to me, click here

#5 User is offline   Wizzle 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 17-May 09
  • Location:Brooklyn, MI

Posted 08 June 2009 - 08:52 AM

After reading your post, we're sufficiently freaked out! :thumbup2:
We've decided to reformat & reinstall the OS. We use the computer for banking and online purchases, so we have to be sure it's secure. All passwords have already been changed (on a clean machine) and the infected machine hasn't been connected to the internet for a while.

The machine is XP Media Center Edition, but we didn't receive any discs when the machine was purchased. It's a Sony, so I looked on Sony's website, they have instructions on how to create system discs. But the discs are created from the infected machine - is there a chance those files could be infected, too? I'm hesitant to use the infected machine's files to recreate a system disc... it seems like I could potentially be reinstalling the same infected OS on top of the existing infected OS.
But here's the issue - I see various options for downloading the Setup discs from Microsoft, but I don't see how to get Media Center Edition - it just takes me to the page for XP Home Edition. Do you know how I can get XP Media Center Edition discs?

Thanks so much for your help.

#6 User is offline   syler 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 8,150
  • Joined: 07-November 07
  • Gender:Male
  • Location:Warrington, UK

Posted 08 June 2009 - 09:39 AM

It appears that XP Media Center Edition is no longer available, although Media centre does come with Vista so you could
upgrade to that. I did find a copy here if you are willing to buy it. I don't think that creating a system disk from the infected
computer would be the best idea, as you are quite heavily infected. Has this helped?
Posted Image
If I have helped you, and you would like to make a donation to me, click here

#7 User is offline   syler 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 8,150
  • Joined: 07-November 07
  • Gender:Male
  • Location:Warrington, UK

Posted 10 June 2009 - 08:37 AM

Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Posted Image
If I have helped you, and you would like to make a donation to me, click here

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users