
Vundo infection - any help appreciated


This topic is locked
30 replies to this topic

#1 OfficerDibble
  • Members
  • 19 posts

Posted 20 May 2009 - 11:41 AM

Hello.

My HP Pavilion zv5000 has ground to a halt because of what is, apparently, a Vundo virus.

After a few weeks of deteriorating performance the PC now won't work at all when logged on. It simply loads as far as the desktop and then stops. The mouse cursor will move but nothing can be selected or run.

However, I can successfully log on in 'safe mode w/ networking', which gives me functionality and, for instance, allows me to download and run HijackThis.

If anyone could help me get rid of this plague it'd be much appreciated...

Tx

Tony


#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 20 May 2009 - 12:35 PM

Welcome to BC. OK let's run these from safe mode first and get a log.

Run ATF and SAS:
From your regular user account.
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 OfficerDibble
  • Topic Starter
  • Members
  • 19 posts

Posted 20 May 2009 - 04:46 PM

Thanks for your reply.

Although I can download it, the PC isn't letting me run SuperAntiSpyware. When logged on as the administrator a dialogue box says "The system administrator has set policies to prevent the installation."

This has never been an issue with downloaded .exe's in the past.

The ATF program did download and work though.

Sorry! Any ideas?

#4 JacobHall
  • Members
  • 300 posts

Posted 20 May 2009 - 05:22 PM


Try running SAS off a USB device.
Try renaming it to something like workas instead of SUPERAntiSpyware.

This could be malware preventing you from installing this program.

#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 20 May 2009 - 07:37 PM

If the above suggestions do not work, let's try an MBAM scan. Here are some tips that may work on both SAS or MBAM. If they work, run both and post back both logs.

Some types of malware will disable MBAM (MalwareBytes) and other security tools. If MBAM will not install, try renaming it.

Before saving any of your security programs, rename them first. For example, before you save Malwarebytes', rename it to something like MBblah.exe and then click on Save and save it to your desktop. Same thing after you install it: before running it, rename the main executable file first.
***
Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.


***
Another workaround is to install it without using the mouse: just use the arrow keys, Tab and Enter keys.
***
Open up a command prompt and type in the following commands:
XP >> click the Start menu at the lower-left of your computer's desktop and select "Run". Type cmd into the Run box and click "OK".
Vista >> click the Start menu at the lower-left of your computer's desktop and type cmd in the search box.

regsvr32 mbamext.dll
regsvr32 ssubtmr6.dll
regsvr32 vbalsgrid6.ocx
regsvr32 zlib.dll

****

If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, USB or jump drive or a CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.

Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

***
Try this random renamer for MBAM
http://kixhelp.com/wr/files/mb/randmbam.exe
****
Try using a System Restore Point prior to the date of infection. You may be able to update and run MBAM. Note that this does not remove the malware.
Windows XP System Restore Guide


Now run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#6 OfficerDibble
  • Topic Starter
  • Members
  • 19 posts

Posted 20 May 2009 - 09:05 PM

Hi.

Thanks for the advice.

So, I installed Super on another laptop then copied the files to the infected PC on a flash drive - long story short, it worked. I ran ATF Cleaner then ran Super. The resulting text log is below:

Tx.

Tony
=========================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/20/2009 at 09:44 PM

Application Version : 4.26.1002

Core Rules Database Version : 3904
Trace Rules Database Version: 1848

Scan type : Complete Scan
Total Scan Time : 01:12:02

Memory items scanned : 247
Memory threats detected : 1
Registry items scanned : 4445
Registry threats detected : 131
File items scanned : 51107
File threats detected : 25

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACHJDTQRHWOHOSHDT.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACHJDTQRHWOHOSHDT.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{ABD42510-9B22-41cd-9DCD-8182A2D07C63}
HKCR\CLSID\{ABD42510-9B22-41CD-9DCD-8182A2D07C63}
HKCR\CLSID\{ABD42510-9B22-41CD-9DCD-8182A2D07C63}
HKCR\CLSID\{ABD42510-9B22-41CD-9DCD-8182A2D07C63}\InProcServer32
HKCR\CLSID\{ABD42510-9B22-41CD-9DCD-8182A2D07C63}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IEHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABD42510-9B22-41cd-9DCD-8182A2D07C63}
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20060323-170749-462.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20060323-202504-472.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20060323-204101-546.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20060324-100807-479.DLL
C:\VUNDOFIX BACKUPS\MLLJI.DLL.BAD

Trojan.Unclassified/Helper-DD
HKLM\Software\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}#AppID
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32#ThreadingModel
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\ProgID
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\Programmable
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\VersionIndependentProgID
HKCR\main.BHO.1
HKCR\main.BHO.1\CLSID
HKCR\main.BHO
HKCR\main.BHO\CLSID
HKCR\main.BHO\CurVer
HKCR\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
HKCR\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0
HKCR\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0
HKCR\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0\win32
HKCR\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\FLAGS
HKCR\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\HELPDIR
C:\PROGRAM FILES\COMMON\_HELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKCR\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
HKCR\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid
HKCR\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid32
HKCR\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\TypeLib
HKCR\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\TypeLib#Version

WebsiteViewer Threat
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2E687AA8-B276-4910-BBFB-4E412F685379}
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}#AppID
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\Control
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\InprocServer32
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\InprocServer32#ThreadingModel
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\MiscStatus
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\MiscStatus\1
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\ProgID
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\ToolboxBitmap32
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\TypeLib
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\Version
HKCR\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\VersionIndependentProgID
HKCR\Citrix.WebsiteViewerActiveX.1
HKCR\Citrix.WebsiteViewerActiveX.1\CLSID
HKCR\Citrix.WebsiteViewerActiveX
HKCR\Citrix.WebsiteViewerActiveX\CLSID
HKCR\Citrix.WebsiteViewerActiveX\CurVer
HKCR\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}
HKCR\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0
HKCR\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\0
HKCR\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\0\win32
HKCR\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\FLAGS
HKCR\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\HELPDIR
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBSITEVIEWER.OCX
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBSITEVIEWER.INF
HKCR\Interface\{FABACF19-CA27-4213-8E14-A574FFF85822}
HKCR\Interface\{FABACF19-CA27-4213-8E14-A574FFF85822}\ProxyStubClsid
HKCR\Interface\{FABACF19-CA27-4213-8E14-A574FFF85822}\ProxyStubClsid32
HKCR\Interface\{FABACF19-CA27-4213-8E14-A574FFF85822}\TypeLib
HKCR\Interface\{FABACF19-CA27-4213-8E14-A574FFF85822}\TypeLib#Version

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#EPROCESS_LEOffset
HKLM\SOFTWARE\UAC#EPROCESS_NameOffset
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC#LastBSOD
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#915b3008
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#0ab500fa
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init

Trojan.Agent/Gen-BHONew
C:\PROGRAM FILES\COMMON\HELPER.DLL

Adware.Vundo/Variant-Joke
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-121057-125.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-121132-870.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-121218-600.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-124322-497.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-175553-540.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-190309-650.DLL

Trojan.Downloader-CREW
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-121057-864.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-121057-968.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-124322-517.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-175553-404.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20090520-190309-202.DLL
C:\VUNDOFIX BACKUPS\LDRUSFYH.DLL.BAD

Adware.SysGuard/FakeAlert-C
C:\WINDOWS\SYSGUARD.EXE

Trojan.Dropper/Sys-NV
C:\WINDOWS\SYSTEM32\DSOUND3DD.DLL

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,573 posts
  • Gender: Male
  • Location: NJ USA

Posted 20 May 2009 - 09:58 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#8 OfficerDibble
  • Topic Starter
  • Members
  • 19 posts

Posted 21 May 2009 - 09:18 AM

Hi - Done!


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-21 10:16:07
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 822E84C8 ZwEnumerateKey
Code 822E8490 ZwFlushInstructionCache
Code 822E51D6 IofCallDriver
Code 8231D41E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE00A 5 Bytes JMP 822E51DB
.text ntkrnlpa.exe!IofCompleteRequest 804EE09A 5 Bytes JMP 8231D423
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AAC4A 5 Bytes JMP 822E8494
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805AFD87 7 Bytes JMP 82518080
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619770 5 Bytes JMP 822E84CC

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 00045243
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00045243
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0004518F
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 0004512A
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 000450F8
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 000454FC
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 000457AE
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 000457AE
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 000454FC
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 000457AE
IAT C:\WINDOWS\system32\services.exe[680] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00045243
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00C35243
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00C3518F
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00C3512A
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00C350F8
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00C3518F
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00C35243
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00C3518F
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00C3512A
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00C354FC
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00C357AE
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00C357AE
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00C354FC
IAT C:\WINDOWS\system32\lsass.exe[692] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00C357AE
IAT C:\WINDOWS\system32\svchost.exe[840] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00DD50F8
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B65243
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B6518F
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B6512A
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B650F8
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B654FC
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00B657AE
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00B657AE
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B654FC
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00B657AE
IAT C:\WINDOWS\system32\svchost.exe[908] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B65243
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01215243
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0121518F
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 0121512A
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 012150F8
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 012154FC
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 012157AE
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 012157AE
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 012154FC
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 012157AE
IAT C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 01215243

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACrsmvjxsxpaoyjeo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACrsmvjxsxpaoyjeo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdljgodhqirrduwr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACusdrnypvokawoty.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACbaswmdoymeaboyo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACirhmruuoodqjfbx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyedewxumkvdqdxs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UAChjdtqrhwohoshdt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACwcrqhojdnuvkefo.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UAClvvililtyljscmq.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACemotgvlmpbbnnaj.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACrsmvjxsxpaoyjeo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACrsmvjxsxpaoyjeo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdljgodhqirrduwr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACusdrnypvokawoty.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACbaswmdoymeaboyo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACirhmruuoodqjfbx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyedewxumkvdqdxs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UAChjdtqrhwohoshdt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACwcrqhojdnuvkefo.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UAClvvililtyljscmq.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACemotgvlmpbbnnaj.log
Reg HKLM\SOFTWARE\Classes\Citrix.WebsiteViewerActiveX\CLSID@ {2E687AA8-B276-4910-BBFB-4E412F685379}
Reg HKLM\SOFTWARE\Classes\Citrix.WebsiteViewerActiveX\CurVer@ Citrix.WebsiteViewerActiveX.1
Reg HKLM\SOFTWARE\Classes\Citrix.WebsiteViewerActiveX.1\CLSID@ {2E687AA8-B276-4910-BBFB-4E412F685379}
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\InprocServer32@ C:\WINDOWS\Downloaded Program Files\WebsiteViewer.ocx
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\InprocServer32@ThreadingModel apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\MiscStatus\1@ 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\ProgID@ Citrix.WebsiteViewerActiveX.1
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\ToolboxBitmap32@ C:\WINDOWS\Downloaded Program Files\WebsiteViewer.ocx, 1
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\TypeLib@ {10A2FA82-969C-427C-B58D-A4A682D933E9}
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\Version@ 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{2E687AA8-B276-4910-BBFB-4E412F685379}\VersionIndependentProgID@ Citrix.WebsiteViewerActiveX
Reg HKLM\SOFTWARE\Classes\CLSID\{7B93E81D-7368-4F45-1C1A-FF99BAA1DD2E}\InprocServer32@ C:\WINDOWS\system32\wiascr.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{7B93E81D-7368-4F45-1C1A-FF99BAA1DD2E}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7B93E81D-7368-4F45-1C1A-FF99BAA1DD2E}\ProgID@ Wia.WiaProtocol.1
Reg HKLM\SOFTWARE\Classes\CLSID\{7B93E81D-7368-4F45-1C1A-FF99BAA1DD2E}\TypeLib@ {95CEDD63-2E34-4B84-9FB3-F86AF1D4BF7A}
Reg HKLM\SOFTWARE\Classes\CLSID\{7B93E81D-7368-4F45-1C1A-FF99BAA1DD2E}\VersionIndependentProgID@ Wia.WiaProtocol
Reg HKLM\SOFTWARE\Classes\CLSID\{ABD42510-9B22-41cd-9DCD-8182A2D07C63}\InProcServer32@ C:\WINDOWS\system32\iehelper.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{ABD42510-9B22-41cd-9DCD-8182A2D07C63}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32@ C:\Program Files\Common\_helper.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\ProgID@ main.BHO.1
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib@ {8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Reg HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\VersionIndependentProgID@ main.BHO
Reg HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid@ {00020424-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid32@ {00020424-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\TypeLib@ {8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Reg HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\TypeLib@Version 1.0
Reg HKLM\SOFTWARE\Classes\Interface\{FABACF19-CA27-4213-8E14-A574FFF85822}\ProxyStubClsid@ {00020424-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\Interface\{FABACF19-CA27-4213-8E14-A574FFF85822}\ProxyStubClsid32@ {00020424-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\Interface\{FABACF19-CA27-4213-8E14-A574FFF85822}\TypeLib@ {10A2FA82-969C-427C-B58D-A4A682D933E9}
Reg HKLM\SOFTWARE\Classes\Interface\{FABACF19-CA27-4213-8E14-A574FFF85822}\TypeLib@Version 1.0
Reg HKLM\SOFTWARE\Classes\main.BHO\CLSID@ {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Reg HKLM\SOFTWARE\Classes\main.BHO\CurVer@ main.BHO.1
Reg HKLM\SOFTWARE\Classes\main.BHO.1\CLSID@ {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Reg HKLM\SOFTWARE\Classes\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0@ WebsiteViewerActiveX 1.0 Type Library
Reg HKLM\SOFTWARE\Classes\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\0
Reg HKLM\SOFTWARE\Classes\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\0\win32
Reg HKLM\SOFTWARE\Classes\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\0\win32@ C:\WINDOWS\Downloaded Program Files\WebsiteViewer.ocx
Reg HKLM\SOFTWARE\Classes\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\FLAGS
Reg HKLM\SOFTWARE\Classes\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\FLAGS@ 0
Reg HKLM\SOFTWARE\Classes\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\HELPDIR
Reg HKLM\SOFTWARE\Classes\TypeLib\{10A2FA82-969C-427C-B58D-A4A682D933E9}\1.0\HELPDIR@ C:\WINDOWS\Downloaded Program Files\
Reg HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0@ mainLib
Reg HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0
Reg HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0\win32
Reg HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0\win32@ C:\Program Files\Common\_helper.dll
Reg HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\FLAGS
Reg HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\FLAGS@ 0
Reg HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\HELPDIR
Reg HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\HELPDIR@ C:\Program Files\Common\

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Libby Morris\Local Settings\Temp\UACfe3d.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys 52224 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACbaswmdoymeaboyo.dll 19968 bytes executable
File C:\WINDOWS\system32\UACdljgodhqirrduwr.dll 24064 bytes executable
File C:\WINDOWS\system32\UAChjdtqrhwohoshdt.dll 66560 bytes
File C:\WINDOWS\system32\uacinit.dll 5592 bytes
File C:\WINDOWS\system32\UACirhmruuoodqjfbx.dll 17408 bytes executable
File C:\WINDOWS\system32\UACusdrnypvokawoty.dat 224 bytes
File C:\WINDOWS\system32\UACwcrqhojdnuvkefo.log 2407 bytes
File C:\WINDOWS\system32\UACyedewxumkvdqdxs.dll 19968 bytes executable

---- EOF - GMER 1.0.15 ----
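
An added triage helper for the GMER output above (example code written for this page, not part of GMER or of the posted logs). GMER names the hidden service's modules with object-manager paths (`\\?\globalroot\systemroot\...`), so the same file appears under two spellings in the report. The script resolves those paths to Win32 paths (assuming %SystemRoot% is C:\WINDOWS, which the File section itself shows), joins them with the File section so each module's size and ROOTKIT flag line up, and lists files GMER flagged that the service never references (here the dropper left in Temp). The embedded log is an excerpt copied from the post above.

```python
r"""Triage helper for the GMER log above.

Added example for this page, not GMER's own code. GMER names the hidden
service's modules with object-manager paths (\\?\globalroot\systemroot\...),
so the same file shows up under two spellings. This resolves those paths to
Win32 paths and joins them with GMER's "Files" section, so each module's
size and ROOTKIT flag line up, then lists files the service never references.
"""
import re

# Excerpt copied from the GMER log posted above (the full log is longer).
GMER_LOG = r"""
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACrsmvjxsxpaoyjeo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdljgodhqirrduwr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACusdrnypvokawoty.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACwcrqhojdnuvkefo.log

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Libby Morris\Local Settings\Temp\UACfe3d.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys 52224 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACdljgodhqirrduwr.dll 24064 bytes executable
File C:\WINDOWS\system32\UACusdrnypvokawoty.dat 224 bytes
File C:\WINDOWS\system32\UACwcrqhojdnuvkefo.log 2407 bytes
"""

# Assumption: %SystemRoot% is C:\WINDOWS, as the File lines in the log show.
SYSTEM_ROOT = r"C:\WINDOWS"
GLOBALROOT_PREFIX = r"\\?\globalroot\systemroot"

MODULE_RE = re.compile(r"^Reg .+?\\Services\\(?P<svc>[^\\]+)\\modules@(?P<name>\S+) (?P<path>\S+)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<exe> executable)?(?P<rk> <-- ROOTKIT !!!)?$")


def resolve_globalroot(path):
    """Map an object-manager (globalroot/systemroot) path to its Win32 form; others pass through."""
    if path.lower().startswith(GLOBALROOT_PREFIX.lower()):
        return SYSTEM_ROOT + path[len(GLOBALROOT_PREFIX):]
    return path


def parse_gmer(text):
    """Return (hidden service name, {module value: resolved path}, {lowercased path: file info})."""
    service, modules, files = None, {}, {}
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            service = m["svc"]
            modules[m["name"]] = resolve_globalroot(m["path"])
            continue
        f = FILE_RE.match(line)
        if f:
            files[f["path"].lower()] = {
                "path": f["path"], "size": int(f["size"]),
                "executable": bool(f["exe"]), "rootkit": bool(f["rk"]),
            }
    return service, modules, files


def correlate(modules, files):
    """One row per service module, with the size/flags GMER's File section gave that path."""
    rows = []
    for name, path in modules.items():
        info = files.get(path.lower(), {})
        rows.append({
            "module": name, "path": path,
            "size": info.get("size"),
            "executable": info.get("executable"),
            "rootkit": info.get("rootkit", False),
        })
    return rows


def unreferenced_files(modules, files):
    """Files GMER flagged that no module of the service points at (droppers, leftovers)."""
    referenced = {p.lower() for p in modules.values()}
    return [files[k]["path"] for k in sorted(files) if k not in referenced]


if __name__ == "__main__":
    svc, mods, fls = parse_gmer(GMER_LOG)
    print(f"hidden service: {svc}")
    for row in correlate(mods, fls):
        flag = "ROOTKIT" if row["rootkit"] else ("exe" if row["executable"] else "data")
        print(f"  {row['module']:<8} {flag:<8} {str(row['size']):>7}  {row['path']}")
    for p in unreferenced_files(mods, fls):
        print(f"  not referenced by {svc}: {p}")
```

Paste the full GMER log into `GMER_LOG` to get every module; the ControlSet001 and ControlSet002 copies of the service resolve to the same files, so the dictionary keyed by module name collapses them.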

#9 boopme, Global Moderator

Posted 21 May 2009 - 08:09 PM

Ok, that was good, kicked off a couple of kits.

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Full scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#10 OfficerDibble, Topic Starter

Posted 21 May 2009 - 10:04 PM

Hi - log file from MBAM below. I did have to run it in safe mode though, as normal startup was still stalling at the desktop.

Thanks

Tony


========
Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 2

21/05/2009 22:39:58
mbam-log-2009-05-21 (22-39-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 142296
Time elapsed: 30 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qjudbojcdqx (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qjudbojcdqx (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qjudbojcdqx (Rootkit.Rustock) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\SoftwareDoctor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\SoftwareDoctor\ErrorDoctor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SoftwareDoctor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SoftwareDoctor\ErrorDoctor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Libby Morris\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\bapccyuqudii.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Program Files\SoftwareDoctor\ErrorDoctor\ErrorDoctor.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\SoftwareDoctor\ErrorDoctor\icon.ico (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SoftwareDoctor\ErrorDoctor\ErrorDoctor.lnk (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SoftwareDoctor\ErrorDoctor\Uninstall.lnk (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Delete on reboot.
C:\Documents and Settings\All Users\Desktop\ErrorDoctor.lnk (Rogue.ErrorDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
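
An added triage helper for the Malwarebytes log above (example code written for this page, not Malwarebytes' own). It separates what MBAM already quarantined from what it could only mark "Delete on reboot" (those objects are still on disk until a reboot runs to completion), and decodes the Hijack.UserInit line: Winlogon\Userinit is a comma-separated list that should name only userinit.exe, so every extra entry is a program Windows starts at each logon, which is how sdra64.exe was being launched. `userinit_extras` also accepts the raw registry value (for instance from `reg query`), so the same check works on a live machine; the embedded log is a shortened excerpt of the one posted above.

```python
r"""Triage helper for the Malwarebytes log above (added example, not Malwarebytes' code).

Separates detections MBAM already quarantined from those it could only mark
"Delete on reboot" (still on disk until the next boot completes), and decodes the
Hijack.UserInit line: Winlogon\Userinit is a comma-separated list that should name
only userinit.exe, so every extra entry is a program started at each logon.
"""
import ntpath
import re
from collections import Counter

# Shortened excerpt of the log posted above.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2164

Registry Keys Infected: 2
Files Infected: 4

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qjudbojcdqx (Rootkit.Rustock) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\drivers\bapccyuqudii.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ITEM_RE = re.compile(r"^(?P<target>.+) \((?P<family>[^()]+)\)$")
USERINIT_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam(text):
    """Return one dict per detection: section, target, family, detail, action, pending."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):              # "Files Infected:" opens a section
            section = line[: -len(" Infected:")]
            continue
        if section is None or " -> " not in line:  # summary counts, blanks, "(No malicious ...)"
            continue
        parts = line.split(" -> ")
        m = ITEM_RE.match(parts[0])
        if not m:
            continue
        action = parts[-1].rstrip(".")
        items.append({
            "section": section, "target": m["target"], "family": m["family"],
            "detail": " -> ".join(parts[1:-1]), "action": action,
            "pending": action == "Delete on reboot",
        })
    return items


def userinit_extras(value, expected=("userinit.exe",)):
    r"""Entries of a Winlogon\Userinit value whose file name is not an expected one.

    Also usable on the raw data shown by
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
    (comma-separated, normally with a trailing comma).
    """
    wanted = {e.lower() for e in expected}
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() not in wanted]


def decode_userinit_hijack(detail):
    """Parse MBAM's 'Bad: (...) Good: (...)' detail; None if the detail is not of that form."""
    m = USERINIT_RE.search(detail)
    if not m:
        return None
    good = tuple(g.strip() for g in m["good"].split(",") if g.strip())
    return userinit_extras(m["bad"], good)


def summarize(items):
    """Split detections into already-removed vs waiting for reboot, plus a per-family count."""
    pending = [i for i in items if i["pending"]]
    done = [i for i in items if not i["pending"]]
    return {"pending": pending, "done": done, "families": Counter(i["family"] for i in items)}


if __name__ == "__main__":
    items = parse_mbam(MBAM_LOG)
    report = summarize(items)
    print(f"{len(report['done'])} removed, {len(report['pending'])} waiting for reboot")
    for item in report["pending"]:
        print(f"  [{item['section']}] {item['target']} ({item['family']})")
    for item in items:
        extras = decode_userinit_hijack(item["detail"])
        if extras:
            print(f"Userinit launches besides userinit.exe: {extras}")
```

Anything still in the pending list after the machine has been through a normal-mode reboot should be treated as not yet cleaned, whatever the scanner's summary counts say.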

#11 boopme, Global Moderator

Posted 22 May 2009 - 10:57 AM

Hi, the reboot that is needed, I'm pretty certain, only removes when booted to normal mode. Please try it and run again. The results will tell me the next step.

#12 OfficerDibble, Topic Starter

Posted 22 May 2009 - 05:04 PM

Hi - on a reboot into normal mode this is the resulting log.

Tz

Tony

========
Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 2

5/22/2009 6:01:45 PM
mbam-log-2009-05-22 (18-01-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 143164
Time elapsed: 25 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#13 boopme, Global Moderator

Posted 24 May 2009 - 07:34 PM

Hello, now have you rebooted normally? It is needed. I still see a rootkit I want to remove.

Now Uninstall GMER
We will now remove GMER.

Go to Start ---> Run ----> In the Open Field type in: C:\WINDOWS\gmer_uninstall.cmd
Now Click Ok
This shall uninstall GMER and everything related to it.


Now ROOTREPEAL

Next Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

#14 OfficerDibble, Topic Starter

Posted 25 May 2009 - 10:30 PM

Hello - Root Repeal Log is below. Thanks - Tony




ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/25 23:21
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF60D8000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BAD000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF15C1000 Size: 45056 File Visible: No
Status: -

Name: UACrsmvjxsxpaoyjeo.sys
Image Path: C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys
Address: 0xF62AD000 Size: 77824 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACbaswmdoymeaboyo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdljgodhqirrduwr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAChjdtqrhwohoshdt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACirhmruuoodqjfbx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACusdrnypvokawoty.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwcrqhojdnuvkefo.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyedewxumkvdqdxs.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\tabfqowj.dat
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\etilqs_2XnsHcLfn7T7jaBALvCi
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\etilqs_7ry5u4wNfuCg1SPcPSLj
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: C:\Documents and Settings\Libby Morris\Local Settings\Temp\UACfe3d.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9487,9496,9505,9632,9[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9487,9496,9505,9632,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=76136&AdID=89685&TargetID=13022&Values=31,43,51,60,72,82,91,100,110,150,204,206,570,739,813,818,908,913,927,1178,1208,1283,1392,1460,1489,1668,1680,1[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[4]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[5]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[6]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[7]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9306,9487,9496,9505,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\LGFF64WP\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9306,9487,9496,9505,9[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\LGFF64WP\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9306,9487,9496,9505,9[4]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\LGFF64WP\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9306,9487,9496,9505,9[5]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\LGFF64WP\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5855,6298,6520,6582,7215,7313,8463,8796,9487,9496,9505,9632,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\LGFF64WP\spacedesc=cookie&comfolder=personalfinance&keywords=%2CPolice%2B%28politics%29%2CRace%2Bissues%2B%28News%29[1].race&rand=2042427737&series=&system=article&blockVideoAds=false&
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\LGFF64WP\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5855,6298,6520,6582,7215,7313,8463,8796,9487,9496,9505,9632,9[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\LGFF64WP\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9306,9487,9496,9505,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\LGFF64WP\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\spacedesc=rightslot1&comfolder=personalfinance&keywords=%2CPolice%2B%28politics%29%2CRace%2Biss[1].race&rand=1589047042&series=&system=article&tile=3459181&blockVideoAds=false&
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[4]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[5]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9306,9487,9496,9505,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9306,9487,9496,9505,9[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5855,6298,6520,6582,7215,7313,8463,8796,9487,9496,9505,9632,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\Type=click&FlightID=68571&AdID=92049&TargetID=14665&Segments=730,2743,3030,3285,4960,6298,6520,6582,7313,8463,8796,8808,9496,9779,9781,9784,9853,9958,10381&Targets=14665[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\Type=click&FlightID=58217&AdID=90448&TargetID=14665&Segments=730,2743,3030,3285,4960,6298,6520,6582,7313,8463,8796,8808,9496,9779,9781,9784,9853,9958,10381&Targets=14665[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\M8SG06JW\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\OJHVYAV5\spacedesc=01&comfolder=personalfinance&keywords=%2CPolice%2B%28politics%29%2CRace%2Bissues%2B%28News%29%2CDiscrimination%2Bat%2Bwork[1].race&system=article&blockVideoAds=false
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\VC1F8JP0\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[4]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\VC1F8JP0\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9306,9487,9496,9505,9[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\VC1F8JP0\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,8463,8796,9306,9487,9496,9505,9[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\VC1F8JP0\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5855,6298,6520,6582,7215,7313,8463,8796,9487,9496,9505,9632,9[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\VC1F8JP0\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5855,6298,6520,6582,7215,7313,8463,8796,9487,9496,9505,9632,9[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\VC1F8JP0\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5855,6298,6520,6582,7215,7313,8463,8796,9487,9496,9505,9632,9[5]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\VC1F8JP0\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[3]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\VC1F8JP0\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5855,6298,6520,6582,7215,7313,8463,8796,9487,9496,9505,9632,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\VC1F8JP0\Type=click&FlightID=50052&AdID=97005&TargetID=913&Segments=730,2259,2743,3030,3285,3434,3796,3800,4635,4960,5854,6298,6520,6582,7215,7313,7464,8463,8796,9306,9487,9496,9[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\XVBZXLOQ\spacedesc=sponsoredfeature1&comfolder=personalfinance&keywords=%2CPolice%2B%28politics%29%2CRace%2Bissues%2B%28News[1].race&rand=-933225703&system=article&blockVideoAds=false
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\Z6G3BD0P\spacedesc=topslot&comfolder=personalfinance&keywords=%2CPolice%2B%28politics%29%2CRace%2Bissues[1].race&rand=10239805&series=&system=article&tile=3459181&blockVideoAds=false&
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys
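
An added triage helper for the RootRepeal report above (example code written for this page, not RootRepeal's own). The report uses similar wording for different things: "Hidden from Windows API!" and "Invisible to the Windows API!" mean the driver or file exists but is missing from API enumeration, which is the cloaking a kernel rootkit does; "Locked to the Windows API!" only means the scanner could not open the file through the API, which is expected for hiberfil.sys and the Internet Explorer cache; "Allocation size mismatch" is informational. The script parses the sections, sorts findings into those classes, flags locked files outside the places the OS normally holds open (that list is a heuristic of this example, not RootRepeal's logic), and confirms a hidden service by matching its image path against a hidden driver. The embedded report is a shortened excerpt of the one posted above.

```python
r"""Triage helper for the RootRepeal log above (added example, not RootRepeal's code).

"Hidden from"/"Invisible to the Windows API" means the object exists but is missing from
API enumeration (rootkit cloaking). "Locked to the Windows API" only means the scanner
could not open the file, normal for hiberfil.sys or the IE cache. "Allocation size
mismatch" is informational. A hidden service whose image is also a hidden driver is the
strongest indicator.
"""
import ntpath

# Shortened excerpt of the report posted above.
ROOTREPEAL_LOG = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Status: -

Name: UACrsmvjxsxpaoyjeo.sys
Image Path: C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACbaswmdoymeaboyo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\tabfqowj.dat
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Anthony Singer\Local Settings\Temp\Temporary Internet Files\Content.IE5\FDELSBDL\Type=click&FlightID=50052[1]
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys
"""


def parse_rootrepeal(text):
    """Split the report into sections, each a list of {field: value} entries."""
    sections, current, entry = {}, None, {}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        next_is_rule = i + 1 < len(lines) and lines[i + 1].startswith("---")
        if line and ":" not in line and next_is_rule:   # a section header precedes a rule
            if entry and current:
                sections[current].append(entry)
            current, entry = line, {}
            sections[current] = []
            continue
        if line.startswith("---") or current is None:
            continue
        if not line:                                     # a blank line ends an entry
            if entry:
                sections[current].append(entry)
            entry = {}
            continue
        key, _, value = line.partition(":")             # first colon only: paths contain "C:"
        entry[key.strip()] = value.strip()
    if entry and current:
        sections[current].append(entry)
    return sections


def classify(status):
    """Collapse RootRepeal's status strings into: hidden, locked, size-mismatch, normal."""
    s = status.lower()
    if "hidden from" in s or "invisible to" in s:
        return "hidden"
    if "locked to" in s:
        return "locked"
    if "allocation size mismatch" in s:
        return "size-mismatch"
    return "normal"


def locked_is_expected(path):
    """Heuristic of this example (not RootRepeal's): files the OS or IE normally holds open."""
    p = path.lower()
    return ntpath.basename(p) in {"hiberfil.sys", "pagefile.sys"} or "\\temporary internet files\\" in p


def triage(sections):
    """Hidden drivers/files, locked files worth a second look, and confirmed hidden services."""
    files = sections.get("Hidden/Locked Files", [])
    hidden_drivers = [d for d in sections.get("Drivers", []) if classify(d.get("Status", "")) == "hidden"]
    hidden_driver_paths = {d.get("Image Path", "").lower() for d in hidden_drivers}
    locked = [f["Path"] for f in files if classify(f.get("Status", "")) == "locked"]
    return {
        "hidden_drivers": [d["Name"] for d in hidden_drivers],
        "hidden_files": [f["Path"] for f in files if classify(f.get("Status", "")) == "hidden"],
        "locked_files": locked,
        "suspicious_locked": [p for p in locked if not locked_is_expected(p)],
        # a hidden service whose image is itself a hidden driver: the kit, not a false positive
        "confirmed_services": [s["Service Name"] for s in sections.get("Hidden Services", [])
                               if s.get("Image Path", "").lower() in hidden_driver_paths],
    }


if __name__ == "__main__":
    for key, values in triage(parse_rootrepeal(ROOTREPEAL_LOG)).items():
        print(key, values)
```

The dozens of locked Content.IE5 entries in the full report all fall into the expected-locked bucket; the one locked file in a Temp folder does not, which is the kind of entry to check by hand rather than ignore.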

#15 boopme, Global Moderator

Posted 25 May 2009 - 11:09 PM

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:


C:\WINDOWS\system32\UACbaswmdoymeaboyo.dll

C:\WINDOWS\system32\UACdljgodhqirrduwr.dll

C:\WINDOWS\system32\UAChjdtqrhwohoshdt.dll

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\UACirhmruuoodqjfbx.dll

C:\WINDOWS\system32\UACusdrnypvokawoty.dat

C:\WINDOWS\system32\UACwcrqhojdnuvkefo.log

C:\WINDOWS\system32\UACyedewxumkvdqdxs.dll

C:\WINDOWS\system32\drivers\UACrsmvjxsxpaoyjeo.sys

C:\Documents and Settings\Libby Morris\Local Settings\Temp\UACfe3d.tmp


Then use your mouse to highlight each one in the RootRepeal window.
Next right-click on it and select the *wipe file* option only.
Then immediately reboot the computer.


Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Edited by boopme, 25 May 2009 - 11:12 PM.
