
windowsclick redirect


  • This topic is locked
14 replies to this topic

#1 Jmcc4

Jmcc4

  • Members
  • 9 posts

Posted 18 March 2009 - 02:26 PM

I've tried Malwarebytes and ComboFix and cannot get either to run. I've tried the change of file name etc. Any other tricks I can try? I also do not have the files TDsserv? under non-plug and play.

Edited by The weatherman, 18 March 2009 - 02:36 PM.
Moved to a more appropriate forum




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 March 2009 - 02:49 PM

Hi and welcome. Please note the ComboFix warning in blue text at the top of this forum. Let's try these for MBAM to get a log.

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If, after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.


***
Another workaround is to not use the mouse to install it; just use the arrow keys, Tab, and Enter keys.
***
Open up a command prompt and type in the following commands:
XP >> click the Start menu at the lower-left of your computer's desktop and select "Run". Type cmd into the Run box and click "OK".
Vista >> click the Start menu at the lower-left of your computer's desktop and type cmd in the search box.

regsvr32 mbamext.dll
regsvr32 ssubtmr6.dll
regsvr32 vbalsgrid6.ocx
regsvr32 zlib.dll

****

If you cannot use the Internet, you will need access to another computer that has a connection.
From there, save mbam-setup.exe to a flash/USB/jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.

Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

***
Try using a System Restore Point prior to the date of infection. You may be able to update and run MBAM. Note: this does not remove the malware.
Windows XP System Restore Guide

MBAM instructions if needed.
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Jmcc4

Jmcc4
  • Topic Starter

  • Members
  • 9 posts

Posted 19 March 2009 - 09:40 AM

You rock! Got it running! Here is the log:



3/19/2009 10:37:38 AM
mbam-log-2009-03-19 (10-37-38).txt

Scan type: Quick Scan
Objects scanned: 85198
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\UACkmkvxffh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACrqdgqoeh.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACtilpulkb.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACuwqomqnp.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACyutndjbi.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACmrwiordl.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\1001532\Local Settings\Temp\UAC691e.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UAC966e.tmp (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACqdlmrswi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACvmfqanqq.log (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACwuybowlx.dat (Trojan.Agent) -> Delete on reboot.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 March 2009 - 06:52 PM

Thanks, but unfortunately this malware you have doesn't, and I need to say this first.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.




If you decide to continue cleaning let's start here...
S!Ri's SmitfraudFix Part 1:
Please download SmitfraudFix.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by boopme, 19 March 2009 - 06:52 PM.


#5 Jmcc4

Jmcc4
  • Topic Starter

  • Members
  • 9 posts

Posted 20 March 2009 - 07:55 AM

Here is the SmitFraudFix:


SmitFraudFix v2.405

Scan done at 8:50:06.60, Fri 03/20/2009
Run from C:\Documents and Settings\1001532\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\1001532


C:\DOCUME~1\1001532\LOCALS~1\Temp


C:\Documents and Settings\1001532\Application Data


Start Menu


C:\DOCUME~1\1001532\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\LANDesk\\LDClient\\softmon.exe,"
"System"=""


RK



DNS

Description: Intel® 82566DM Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 137.148.49.11
DNS Server Search Order: 137.148.49.12
DNS Server Search Order: 137.148.49.10

HKLM\SYSTEM\CCS\Services\Tcpip\..\{50F02FE6-02DB-40AD-A2D2-C2325C5F2741}: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{50F02FE6-02DB-40AD-A2D2-C2325C5F2741}: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{50F02FE6-02DB-40AD-A2D2-C2325C5F2741}: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10


Scanning for wininet.dll infection

Thanks!

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 March 2009 - 11:01 AM

Hello again, now we'll run the Cleaner for S!Ri's SmitfraudFix.
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Next run SDFix:
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#7 Jmcc4

Jmcc4
  • Topic Starter

  • Members
  • 9 posts

Posted 20 March 2009 - 01:16 PM

Hello again! Here are the rapport.txt and Report.txt:

SmitFraudFix v2.405

Scan done at 13:46:30.23, Fri 03/20/2009
Run from C:\Documents and Settings\1001532\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

Description: Intel® 82566DM Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 137.148.49.11
DNS Server Search Order: 137.148.49.12
DNS Server Search Order: 137.148.49.10

HKLM\SYSTEM\CCS\Services\Tcpip\..\{50F02FE6-02DB-40AD-A2D2-C2325C5F2741}: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{50F02FE6-02DB-40AD-A2D2-C2325C5F2741}: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{50F02FE6-02DB-40AD-A2D2-C2325C5F2741}: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=137.148.49.11 137.148.49.12 137.148.49.10


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End




SDFix: Version 1.240
Run by 1001532 on Fri 03/20/2009 at 14:04

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 14:09:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACmrwiordl.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACmrwiordl.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACtilpulkb.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACwuybowlx.dat"
"uaclog"="\\?\globalroot\systemroot\system32\UACrqdgqoeh.dll"
"uacmask"="\\?\globalroot\systemroot\system32\UACuwqomqnp.dll"
"uacserf"="\\?\globalroot\systemroot\system32\UACkmkvxffh.dll"
"uacmal"="\\?\globalroot\systemroot\system32\UACrmhpxjrp.db"
"uacrem"="\\?\globalroot\systemroot\system32\UACqdlmrswi.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UACyutndjbi.dll"
"UACproc"="\\?\globalroot\systemroot\system32\UACvmfqanqq.log"
"uacurls"="\\?\globalroot\systemroot\system32\UACuwntypey.log"
"uacerrors"="\\?\globalroot\systemroot\system32\UACtrpwrhve.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACmrwiordl.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACmrwiordl.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACtilpulkb.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACwuybowlx.dat"
"uaclog"="\\?\globalroot\systemroot\system32\UACrqdgqoeh.dll"
"uacmask"="\\?\globalroot\systemroot\system32\UACuwqomqnp.dll"
"uacserf"="\\?\globalroot\systemroot\system32\UACkmkvxffh.dll"
"uacmal"="\\?\globalroot\systemroot\system32\UACrmhpxjrp.db"
"uacrem"="\\?\globalroot\systemroot\system32\UACqdlmrswi.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UACyutndjbi.dll"
"UACproc"="\\?\globalroot\systemroot\system32\UACvmfqanqq.log"
"uacurls"="\\?\globalroot\systemroot\system32\UACuwntypey.log"
"uacerrors"="\\?\globalroot\systemroot\system32\UACtrpwrhve.log"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\WINDOWS\\system32\\cba\\pds.exe"="C:\\WINDOWS\\system32\\CBA\\pds.exe:*:enabled:LANDesk® Ping Discovery Service"
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"="C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe:*:enabled:LANDesk® Targeted Multicast Client"
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"="C:\\Program Files\\LANDesk\\LDClient\\issuser.exe:*:Enabled:LANDesk Remote Control Agent"
"%windir%\\system32\\msgsys.exe"="%windir%\\system32\\msgsys.exe:*:enabled:LANDesk® CBA Message System"
"C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe"="C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe:*:enabled:Remote Control Agent"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk® Management Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\CBA\\pds.exe"="C:\\WINDOWS\\system32\\CBA\\pds.exe:*:enabled:LANDesk® Ping Discovery Service"
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"="C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe:*:enabled:LANDesk® Targeted Multicast Client"
"%windir%\\system32\\msgsys.exe"="%windir%\\system32\\msgsys.exe:*:enabled:LANDesk® CBA Message System"
"C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe"="C:\\Program Files\\LANDesk\\LDClient\\wuser32.exe:*:enabled:Remote Control Agent"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk® Management Agent"

Remaining Files :



Files with Hidden Attributes :

Wed 27 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\1001532\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
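
As an added illustration (not part of the thread, and not code from Malwarebytes, SDFix or Gmer), here is a Python triage helper for the two report formats posted above: it pulls the detections out of an MBAM log and flags the ones deferred to "Delete on reboot", groups the hidden service keys from the catchme section of the SDFix report, and cross-references the two to show which deferred files are still registered as modules of the hidden UACd.sys service. The sample excerpts embedded in the code are constructed in the format of the logs above, trimmed and with the user profile name replaced.

```python
import re

# Constructed excerpt in the format of the MBAM log posted in the thread (trimmed, profile name replaced).
MBAM_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACkmkvxffh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACtilpulkb.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACmrwiordl.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\UAC966e.tmp (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\user\Local Settings\Temp\UAC691e.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# Constructed excerpt in the format of the catchme section of the SDFix report.
CATCHME_LOG = r"""scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACmrwiordl.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACmrwiordl.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACtilpulkb.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"""

# MBAM detail line: <object> (<family>) -> <action>.   catchme: [key] followed by "name"=value lines.
DETECTION_RE = re.compile(r'^(?P<obj>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')


def basename(path):
    """Last path component, lower-cased, so the C: and globalroot spellings of a file compare equal."""
    return path.rstrip('\\').rsplit('\\', 1)[-1].lower()

def parse_mbam(text):
    """(object, family, action) for every detection line in an MBAM log."""
    lines = (ln.strip() for ln in text.splitlines())
    return [(m['obj'], m['family'], m['action']) for m in map(DETECTION_RE.match, lines) if m]

def pending_reboot(detections):
    """Objects MBAM could not remove in place; they stay on disk until the machine is rebooted."""
    return [obj for obj, _, action in detections if action.lower() == 'delete on reboot']

def clean_value(raw):
    """Unwrap the .reg-style encodings catchme prints: "text", str(2):"text", dword:xxxxxxxx."""
    m = re.search(r'"(.*)"$', raw)
    if m:
        return m.group(1)
    return int(raw[6:], 16) if raw.startswith('dword:') else raw

def parse_catchme(text):
    """Group catchme's hidden-key dump into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            current = keys.setdefault(km['key'], {})
        elif vm and current is not None:
            current[vm['name']] = clean_value(vm['raw'])
    return keys

def hidden_driver_services(keys):
    """Hidden service keys that load a driver image, with the module files they register."""
    findings = []
    for key, values in keys.items():
        if 'imagepath' not in values:
            continue  # hidden values elsewhere (e.g. under ...\Windows) are not a service definition
        modules = keys.get(key + '\\modules', {}).values()
        findings.append({'service': key.rsplit('\\', 1)[-1],
                         'imagepath': values['imagepath'],
                         'start': values.get('start'),  # 1 = SERVICE_SYSTEM_START, loaded at boot
                         'modules': sorted(basename(p) for p in modules)})
    return findings

def still_registered_after_cleanup(detections, findings):
    """Files MBAM deferred to reboot that a hidden service still lists as its modules."""
    deferred = {basename(p) for p in pending_reboot(detections)}
    registered = {m for f in findings for m in f['modules']}
    return sorted(deferred & registered)


if __name__ == '__main__':
    dets = parse_mbam(MBAM_LOG)
    svcs = hidden_driver_services(parse_catchme(CATCHME_LOG))
    print('deferred to reboot:', pending_reboot(dets))
    print('hidden driver services:', [(f['service'], f['start'], f['imagepath']) for f in svcs])
    print('still registered by a hidden service:', still_registered_after_cleanup(dets, svcs))
```

A non-empty result from the last function is the signal boopme acted on here: the files MBAM could only schedule for deletion are the ones the still-hidden boot-start service loads, so a dedicated rootkit scan is needed before the machine can be called clean.
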

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 March 2009 - 02:07 PM

Hiya, looking good here. Give me one more MBAM quick scan.
Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick Scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

#9 Jmcc4

Jmcc4
  • Topic Starter

  • Members
  • 9 posts

Posted 20 March 2009 - 03:48 PM

wow, what a process!

Malwarebytes' Anti-Malware 1.34
Database version: 1878
Windows 5.1.2600 Service Pack 3

3/20/2009 4:47:28 PM
mbam-log-2009-03-20 (16-47-28).txt

Scan type: Quick Scan
Objects scanned: 73727
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 March 2009 - 03:59 PM

Ok I want to get a second opinion on the rootkit.
Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive).
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.


#11 Jmcc4

Jmcc4
  • Topic Starter

  • Members
  • 9 posts

Posted 23 March 2009 - 10:21 AM

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 74.53 GB
- Working disk free size : 59.71 GB (80 %)
--------------------------------------------------------------------------------------------------------

Results:
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys -> start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys -> type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys -> imagepath
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys -> group
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys -> start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys -> type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys -> imagepath
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys -> group

--------------------------------------------------------------------------------------------------------
Files: 0/102461
Registry items: 10/305842
Processes: 0/47
Scan time: 00:04:27
--------------------------------------------------------------------------------------------------------
Active processes:
- dltcfqtm.exe (PID 1872) (Avira AntiRootkit Tool - Beta)
- System (PID 4)
- smss.exe (PID 644)
- csrss.exe (PID 704)
- winlogon.exe (PID 736)
- services.exe (PID 780)
- lsass.exe (PID 792)
- ati2evxx.exe (PID 972)
- svchost.exe (PID 988)
- svchost.exe (PID 1060)
- svchost.exe (PID 1172)
- svchost.exe (PID 1228)
- ati2evxx.exe (PID 1360)
- svchost.exe (PID 1444)
- aawservice.exe (PID 1556)
- spoolsv.exe (PID 1656)
- mDNSResponder.exe (PID 1780)
- residentAgent.exe (PID 1812)
- LocalSch.EXE (PID 1852)
- pds.exe (PID 1880)
- QIPCLNT.EXE (PID 2040)
- tmcsvc.exe (PID 180)
- issuser.exe (PID 228)
- LMS.exe (PID 264)
- FrameworkService.exe (PID 396)
- Mcshield.exe (PID 512)
- VsTskMgr.exe (PID 544)
- MDM.EXE (PID 576)
- svchost.exe (PID 620)
- svchost.exe (PID 1336)
- naPrdMgr.exe (PID 1608)
- alg.exe (PID 2424)
- SoftMon.exe (PID 3700)
- explorer.exe (PID 3728)
- shstat.exe (PID 3928)
- UdaterUI.exe (PID 3944)
- TBMon.exe (PID 4076)
- CTHELPER.EXE (PID 332)
- PDVDServ.exe (PID 500)
- Mctray.exe (PID 860)
- SDClientMonitor.exe (PID 932)
- realsched.exe (PID 2100)
- EEventManager.exe (PID 2368)
- ctfmon.exe (PID 1316)
- iexplore.exe (PID 4068)
- WINZIP32.EXE (PID 660)
- avirarkd.exe (PID 3236)

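As an added example (not from the thread, and not Avira's own code), here is a small Python parser for the report shape Jmcc4 posted above: it groups the "Hidden key/value" findings by service name, reads the summary counters, and flags any service whose start and imagepath values are both hidden, since that is a driver configured to load while concealing where it loads from. The embedded sample report is a constructed, trimmed copy of the thread's findings.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the Avira AntiRootkit report posted in the thread.
SAMPLE_REPORT = r"""
Results:
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys -> start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys -> imagepath
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys -> start

--------------------------------------------------------------------------------------------------------
Files: 0/102461
Registry items: 10/305842
Processes: 0/47
"""

# "Hidden key : <path>" or "Hidden value : <path> -> <valuename>"
FINDING_RE = re.compile(r"^Hidden (key|value) : (?P<path>\S+?)(?: -> (?P<value>\S+))?$")
# The service name is the path component right after "\Services\".
SERVICE_RE = re.compile(r"\\Services\\(?P<service>[^\\]+)", re.IGNORECASE)
SUMMARY_RE = re.compile(r"^(Files|Registry items|Processes): (\d+)/(\d+)$")


def parse_report(text):
    """Return (hidden_by_service, summary).

    hidden_by_service maps a service name to the set of hidden value names under it
    ("<key>" marks a hidden subkey); summary maps a category to (hidden, total)."""
    hidden = defaultdict(set)
    summary = {}
    for line in text.splitlines():
        line = line.strip()
        m = FINDING_RE.match(line)
        if m:
            svc = SERVICE_RE.search(m.group("path"))
            name = svc.group("service") if svc else m.group("path")
            hidden[name].add(m.group("value") or "<key>")
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return dict(hidden), summary


def triage(hidden):
    """Services whose 'start' and 'imagepath' values are both hidden: a concealed driver load."""
    return sorted(s for s, vals in hidden.items() if {"start", "imagepath"} <= vals)


if __name__ == "__main__":
    by_service, counts = parse_report(SAMPLE_REPORT)
    for svc, vals in by_service.items():
        print(f"{svc}: hidden {sorted(vals)}")
    print("registry hidden/total:", counts.get("Registry items"))
    print("concealed driver services:", triage(by_service))
```

Run against a saved avirarkd.log by passing its contents to parse_report instead of SAMPLE_REPORT; a non-empty triage list is what should be carried into the HJT/DDS topic the moderators ask for.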
#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:28 PM

Posted 23 March 2009 - 11:11 AM

Please run Avira AntiRootkit again by following the below steps:
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • When the scan has finished, select Quarantine all
  • When done, please click OK (you may be asked to restart, if so please do so by clicking OK once more)
  • The log can be found here: C:\Program Files\Avira GmbH\Avira RootKit Detection\avirarkd.log. Please copy the entire contents into your next reply.


#13 Jmcc4

Jmcc4
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:28 PM

Posted 23 March 2009 - 03:31 PM

The Quarantine all button stays grayed out and I cannot click on it. Sorry for dragging this out!

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:28 PM

Posted 23 March 2009 - 04:06 PM

Looks like the rootkit is well dug in. That leaves us a reformat, or we need to run HJT/DDS.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,806 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:28 PM

Posted 26 March 2009 - 08:03 PM

Hello Jmcc4,

Now that you have an HJT topic posted here: http://www.bleepingcomputer.com/forums/t/213883/rootkit/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
