
twext infection



#1 shrice


Posted 14 March 2009 - 04:27 PM

I'm getting my IE hijacked by some virus which is either opening another browser page or closing off the entire browser. When I reopen, there are two tabs there, one is the home page and the other is something else. Sometimes when the browser isn't open, something starts playing audio from an internet site until I open IE and shut the site off.
I ran AdawareAlert and found that I had something called twext.exe and a Zbot (?) called winlogon value:user init. Hijackthis found many anomalies as well. I can't seem to download the antivirus programs since something seems to block them from running. They either won't download, or if I download them, they won't run.
I'm running WindowsXP SP3 with an AMD Phenom Quad-core. What else can I tell you or do?

This is what is on one of those random sites. It's called www.edofind.com
(http://xml.click9.com/feed.php?aid=3442&sid=95-509&auth=f183dc6758907e5106e7f67e9b15cd8f&ip=24.76.178.198&q=spore&ref=http%3A%2F%2Fwww.edotfind.com%2F%3Fq%3Dspore%26aid%3D95%26sid%3D509&num=10&useragent=Mozilla%2F4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%205.1%29)

What can you do for me? Any advice/help is welcome and I appreciate whatever feedback you can give.
Many thanks, Shrice


#2 DaChew


Posted 14 March 2009 - 06:59 PM

http://www.threatexpert.com/report.aspx?md...5e7374198d13112

We need to make sure your confidential information hasn't been stolen. Your computer has been hacked; if you did any sensitive transactions I would suggest taking the appropriate measures.

If this is the case it's best to just do a clean install so you can trust the computer again.

Let's see what's left.


Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#3 shrice


Posted 14 March 2009 - 08:00 PM

Finally got through it and here is the log from MalWB. I had to run it several times; the first time had 65 bad guys, then 53, now two.

Malwarebytes' Anti-Malware 1.34
Database version: 1849
Windows 5.1.2600 Service Pack 3

14/03/2009 7:59:40 PM
mbam-log-2009-03-14 (19-59-40).txt

Scan type: Quick Scan
Objects scanned: 68245
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
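
The Userinit line in that log is the persistence mechanism behind this whole thread: winlogon runs every comma-separated entry of that value at each interactive logon, so a second executable chained after userinit.exe is relaunched every time the user logs in. The Python below is added here as an example (not part of the original post and not Malwarebytes' own tooling): it parses MBAM "Registry Data Items Infected" records and lists the Userinit entries that are not the genuine system32\userinit.exe, using a log excerpt constructed from the lines above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Default XP Userinit value; the trailing comma is normal, not a sign of tampering.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
# The genuine binary lives here; a userinit.exe anywhere else is a lookalike.
GENUINE_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed excerpt modelled on the MBAM log posted above.
SAMPLE_MBAM_LOG = r"""Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
"""

# One "Registry Data Items Infected" record: KEY (Detection) -> Bad: (..) Good: (..) -> action
_MBAM_DATA_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\) -> (?P<action>.+)$"
)


def parse_mbam_data_item(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an MBAM data-item record, or None for any other log line."""
    m = _MBAM_DATA_RE.match(line.strip())
    return m.groupdict() if m else None


def split_userinit(value: str) -> List[str]:
    """Userinit is a comma-separated command list; the empty trailing element is dropped."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value: str) -> List[str]:
    """Every entry that is not the genuine system32\\userinit.exe.

    Winlogon launches each entry at every interactive logon, which is how twext.exe
    kept coming back here. A bare 'userinit.exe' with no path is flagged too, since
    it would be resolved through the search path rather than from system32.
    """
    return [e for e in split_userinit(value) if e.lower() != GENUINE_USERINIT]


def triage_userinit_hijacks(log_text: str) -> List[Tuple[str, List[str]]]:
    """For each Hijack.UserInit record in an MBAM log, list the removed payload entries.

    Those paths are what to look for in quarantine and in other persistence points.
    """
    findings = []
    for line in log_text.splitlines():
        item = parse_mbam_data_item(line)
        if item and item["detection"] == "Hijack.UserInit":
            findings.append((item["key"], unexpected_userinit_entries(item["bad"])))
    return findings


if __name__ == "__main__":
    for key, payloads in triage_userinit_hijacks(SAMPLE_MBAM_LOG):
        print(key)
        for payload in payloads:
            print("  extra Userinit entry:", payload)
```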

#4 DaChew


Posted 14 March 2009 - 08:07 PM

Do you have a Windows XP CD?
Chewy


#5 shrice


Posted 14 March 2009 - 08:12 PM

Yes, I do have a WindowsXP CD.
I ran MWB again and got zero results for malware. Does that mean I'm clean?

#6 DaChew


Posted 14 March 2009 - 08:34 PM

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Chewy


#7 shrice


Posted 14 March 2009 - 11:23 PM

Wow! As the upstairs maid said to the Bishop, "That was a long one!" Couldn't resist.
Anyway, here it is.


GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-14 23:17:45
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xB9F60818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xB9F607D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F54A20]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9F552A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9F60910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xB9F60794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9F552C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xB9F60866]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9F600B0]

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!IoCreateDevice 805758EE 5 Bytes JMP B9DD5FC6 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisRegisterProtocol B9DA617F 5 Bytes JMP B9DD5DD8 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisOpenAdapter B9DA6399 5 Bytes JMP B9DD6360 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisCloseAdapter B9DB0642 5 Bytes JMP B9DD5EE4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisDeregisterProtocol B9DB0821 5 Bytes JMP B9DD617C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisReturnPackets B9DB3810 5 Bytes JMP B9DD6BD8 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisRequest B9DB397B 5 Bytes JMP B9DD6578 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSend B9DB6986 5 Bytes JMP B9DD7558 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSendPackets B9DB69A3 5 Bytes JMP B9DD762A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisTransferData B9DB69BE 5 Bytes JMP B9DD6CD6 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoCreateVc B9DBD186 5 Bytes JMP B9DD5E42 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoDeleteVc B9DBE557 5 Bytes JMP B9DD5EB0 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoSendPackets B9DBEAF1 5 Bytes JMP B9DD7342 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B14AFB0
Device \FileSystem\Fastfat \FatCdrom 8ADC5CA0
Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \FileSystem\Rdbss \Device\FsWrap 8939A2F8
Device \Driver\Cdrom \Device\CdRom0 8AF66390
Device \Driver\atapi \Device\Ide\IdePort0 8ADD26B0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8ADD26B0
Device \Driver\atapi \Device\Ide\IdePort1 8ADD26B0
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1c 8ADD26B0
Device \Driver\atapi \Device\Ide\IdePort2 8ADD26B0
Device \Driver\atapi \Device\Ide\IdePort3 8ADD26B0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 8ADD26B0
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-24 8ADD26B0
Device \Driver\Cdrom \Device\CdRom1 8AF66390
Device \Driver\Cdrom \Device\CdRom2 8AF66390
Device \FileSystem\Srv \Device\LanmanServer 8910C788
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89355E10
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89355E10
Device \FileSystem\Npfs \Device\NamedPipe 8939A1F0
Device \FileSystem\Msfs \Device\Mailslot 893EE8F0
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target0Lun0 8AE14F00
Device \Driver\d347prt \Device\Scsi\d347prt1 8AE14F00
Device \FileSystem\Fastfat \Fat 8ADC5CA0

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8AEB8370
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8AEB8370
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8AEB8370
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8AEB8370
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8AEB8370
Device \FileSystem\Cdfs \Cdfs 893EFA38

---- Modules - GMER 1.0.15 ----

Module _________ B9EE5000-B9EFD000 (98304 bytes)

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACecsfojtl.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x33 0xF5 0x6E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x93 0x15 0x1A 0xDE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x80 0xD1 0x41 0xB5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACecsfojtl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACecsfojtl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACaohmihbh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACalhqwuoe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACndmxoeup.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACohsarpkl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACpjckjgws.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACvyepjdhj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACtpjlkyah.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACrojyjagh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACuniqrodx.log
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x33 0xF5 0x6E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x93 0x15 0x1A 0xDE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x80 0xD1 0x41 0xB5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x33 0xF5 0x6E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x93 0x15 0x1A 0xDE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x80 0xD1 0x41 0xB5 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x33 0xF5 0x6E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x93 0x15 0x1A 0xDE ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x80 0xD1 0x41 0xB5 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x33 0xF5 0x6E ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x93 0x15 0x1A 0xDE ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x80 0xD1 0x41 0xB5 ...
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACecsfojtl.sys
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACecsfojtl.sys
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACaohmihbh.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACalhqwuoe.dat
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACndmxoeup.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACohsarpkl.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACpjckjgws.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACvyepjdhj.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACtpjlkyah.log
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACrojyjagh.log
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacerrors
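
Reading a GMER log by hand gets tedious once the registry section runs to dozens of lines, and the facts a responder needs from it are few: which service is hidden, and which files it has registered under its key. The Python below is added here as an example (not part of the original post and not GMER's own tooling): it splits the log into its sections, pulls out hidden services, and collects the file paths registered under a service's key across all control sets, using an excerpt constructed from the log above.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the GMER log posted above (registry section abridged).
SAMPLE_GMER_LOG = r"""---- Services - GMER 1.0.15 ----

Service system32\drivers\UACecsfojtl.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACecsfojtl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACecsfojtl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACaohmihbh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACrojyjagh.log
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACecsfojtl.sys
"""

_SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# "Service <image> (*** hidden *** ) [<start>] <name> <-- ROOTKIT !!!"
_HIDDEN_SVC_RE = re.compile(
    r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)"
)
# "Reg <key>[@<value> [<data>]]"; keys in GMER output carry no spaces or '@'.
_REG_RE = re.compile(r"^Reg (?P<key>[^@\s]+)(?:@(?P<value>\S+)(?: (?P<data>.*))?)?$")
_SYSROOT_PREFIXES = ("\\systemroot\\", "\\\\?\\globalroot\\systemroot\\")

def split_sections(log_text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a GMER log under their '---- X - GMER ----' headers."""
    sections: Dict[str, List[str]] = {}
    current = "Header"
    for line in log_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections

def hidden_services(sections: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Services GMER found in the kernel that the normal service manager view does not show."""
    found = []
    for line in sections.get("Services", []):
        m = _HIDDEN_SVC_RE.match(line)
        if m:
            found.append(m.groupdict())
    return found

def service_artifacts(sections: Dict[str, List[str]], service: str) -> List[str]:
    """File paths registered under Services\\<service> in any control set, relative to the
    system root and de-duplicated case-insensitively: the files to expect hidden on disk."""
    marker = "\\services\\" + service.lower()
    paths: List[str] = []
    for line in sections.get("Registry", []):
        m = _REG_RE.match(line)
        if not m or marker not in m.group("key").lower():
            continue
        data = (m.group("data") or "").strip()
        if not data.lower().startswith(_SYSROOT_PREFIXES):
            continue
        rel = data[data.lower().find("systemroot") + len("systemroot"):]
        if rel.lower() not in {p.lower() for p in paths}:
            paths.append(rel)
    return paths
```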

#8 DaChew


Posted 14 March 2009 - 11:42 PM

Does that mean I'm clean?


Unfortunately you have acquired a new state-of-the-art infection to go with that quad core CPU.

UACd.sys

The tools we use here won't remove this, you would need to post in the HJT forum.

They are extremely backed up; I would remove the computer from the internet before it decides to download worse code and trash all your data.

It's your choice.
Chewy


#9 shrice


Posted 14 March 2009 - 11:49 PM

Ok, will do. Many thanks, Chewy, for all your help here. I will try HJT.



