
rootkit (uacinit.dll) problem


16 replies to this topic

#1 Soggun

  • Members
  • 8 posts

Posted 27 May 2009 - 09:44 PM

I've browsed a number of topics and tried a number of different suggestions with no success. Basically, the problems I'm having consist of my computer freezing (once or twice while loading Windows), more often when I load Internet Explorer. Also, occasionally while connected, when I open IE it will not bring up my homepage, instead saying it can't find a connection - then when I click on the Google button on my toolbar, the browser shuts down. If I try to load IE again, it comes up with no problems.

Anyway, I have Malwarebytes and SUPERAntiSpyware. I also used ATF Cleaner earlier and did a full system scan after that with SAS, which found nothing. mbam, however, is finding two files every time (uacinit.dll and a registry key [rootkit.trace]). It is able to delete the registry key but says it needs a restart to get rid of uacinit.dll, but then the restart never helps as running mbam simply finds it again.

I should also note I had to rename mbam to get it to work.

Anyway, the log from my most recent scan is posted below... Any help that can be offered would be greatly appreciated. Thanks!

Malwarebytes' Anti-Malware 1.37
Database version: 2186
Windows 5.1.2600 Service Pack 3

5/27/2009 10:29:48 PM
mbam-log-2009-05-27 (22-29-48).txt

Scan type: Quick Scan
Objects scanned: 84303
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.



#2 Soggun
  • Topic Starter
  • Members
  • 8 posts

Posted 27 May 2009 - 09:53 PM

I should note... I know that this is a nasty bug (read quite a bit about it at this point) and that my comp/info may already be compromised. At this point I'd like to see what I can do without totally reformatting and reinstalling my OS. If that's unavoidable, it is what it is, but if there's a way to get rid of it short of that I'd like to take a shot. Thanks.

#3 boopme

  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 May 2009 - 10:00 PM

OK, next run these. Remember, we will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.


Run ATF and SAS:
From your regular user account, download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Next run SDFix
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#4 possumbarnes

  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 27 May 2009 - 10:02 PM

The last time I came across that UACINIT.DLL rootkit, I had to reformat and do a clean install of Windows. Maybe you'll have better luck because I don't think I found the site linked below back then. Give it a shot though. Hope it helps.
uacinit.dll removal instructions

Edited by possumbarnes, 27 May 2009 - 10:02 PM.


#5 possumbarnes

  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 27 May 2009 - 10:03 PM

Sorry boopme. I got in right behind you. I'll be following this thread because of my last experience with this rootkit.

#6 Soggun
  • Topic Starter
  • Members
  • 8 posts

Posted 28 May 2009 - 12:08 AM

Thanks for the well wishes possum, and for the advice boop.

Below is a copy of the two logs (1st from SUPER - which did find the files and supposedly deleted them this time around, and the 2nd from SDFix). I should note that after I finished with SUPER I downloaded SDFix, but that did not install as it was supposed to according to the guide until I restarted in safe mode (nothing would happen when I double clicked on the install file). Also, when trying to get back into Windows after finishing with SUPER (before downloading SDFix) my computer seemed to stall out when trying to enter Windows, but that seemed to correct itself and Windows loaded normally after restarting...

So far, since running SDFix I haven't noticed any problems, but it's probably too small a sample size of time to mean anything... Anyway, thanks again. Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/28/2009 at 00:30 AM

Application Version : 4.26.1004

Core Rules Database Version : 3912
Trace Rules Database Version: 1856

Scan type : Complete Scan
Total Scan Time : 01:17:41

Memory items scanned : 222
Memory threats detected : 0
Registry items scanned : 5818
Registry threats detected : 59
File items scanned : 51280
File threats detected : 0

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#LastBSOD
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#a2674c18
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#30910b28
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init



SDFix: Version 1.240
Run by Will on Thu 05/28/2009 at 12:52 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 00:58:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 1381
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 1381
disk error: C:\Documents and Settings\Will\ntuser.dat, 1381
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe:*:Enabled:LaunchPad"
"D:\\Program Files\\AIM\\aim.exe"="D:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"D:\\Program Files\\TorrentSpy\\BitTorrent\\btdownloadgui.exe"="D:\\Program Files\\TorrentSpy\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"D:\\Program Files\\LimeWire\\LimeWire.exe"="D:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Program Files\\America's Army\\System\\ArmyOps.exe"="D:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"D:\\Program Files\\Azureus\\Azureus.exe"="D:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"D:\\Program Files\\Civilization 4\\Civilization4.exe"="D:\\Program Files\\Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"D:\\Program Files\\America Online 9.0\\waol.exe"="D:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1145072496\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1145072496\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"D:\\Program Files\\Ruckus Player\\Ruckus.exe"="D:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\Xfire\\xfire.exe"="D:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"D:\\Program Files\\Warcraft III\\war3.exe"="D:\\Program Files\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe:*:Enabled:javaw"
"D:\\Program Files\\Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"="D:\\Program Files\\Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword"
"D:\\Program Files\\Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"="D:\\Program Files\\Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss"
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™"
"D:\\Program Files\\Restaurant Empire\\re.exe"="D:\\Program Files\\Restaurant Empire\\re.exe:*:Enabled:re"
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"="C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe:*:Enabled:mlb-nexdef-autobahn"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"D:\\Program Files\\Hamachi\\hamachi.exe"="D:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"D:\\Program Files\\Soldat\\Soldat.exe"="D:\\Program Files\\Soldat\\Soldat.exe:*:Enabled:Soldat"
"D:\\Program Files\\Steam\\steamapps\\common\\buccaneer demo\\Buccaneer.exe"="D:\\Program Files\\Steam\\steamapps\\common\\buccaneer demo\\Buccaneer.exe:*:Enabled:Buccaneer: The Pursuit of Infamy Demo"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"D:\\Program Files\\iTunes\\iTunes.exe"="D:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"D:\\Program Files\\Ventrilo\\Ventrilo.exe"="D:\\Program Files\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"D:\\Program Files\\Steam\\steamapps\\common\\hearts of iron 2 complete pack\\HoI2.exe"="D:\\Program Files\\Steam\\steamapps\\common\\hearts of iron 2 complete pack\\HoI2.exe:*:Enabled:Hearts of Iron 2 Complete Pack"
"D:\\Program Files\\Steam\\steamapps\\common\\hearts of iron 2 complete pack\\hoi2.bat"="D:\\Program Files\\Steam\\steamapps\\common\\hearts of iron 2 complete pack\\hoi2.bat:*:Enabled:Hearts of Iron 2 Complete Pack"
"D:\\Program Files\\Steam\\steamapps\\common\\worldwide soccer manager 2009\\wsm.exe"="D:\\Program Files\\Steam\\steamapps\\common\\worldwide soccer manager 2009\\wsm.exe:*:Enabled:Worldwide Soccer Manager 2009"
"D:\\Program Files\\SlingBox\\SlingPlayer\\SlingPlayer.exe"="D:\\Program Files\\SlingBox\\SlingPlayer\\SlingPlayer.exe:*:Enabled:SlingPlayer"
"D:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"="D:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe:*:Enabled:Empire: Total War"
"D:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"="D:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe:*:Enabled:Mass Effect Game"
"D:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"="D:\\Program Files\\Mass Effect\\MassEffectLauncher.exe:*:Enabled:Mass Effect Launcher"
"D:\\Program Files\\Steam\\steamapps\\common\\x3 terran conflict\\X3TC.exe"="D:\\Program Files\\Steam\\steamapps\\common\\x3 terran conflict\\X3TC.exe:*:Enabled:X3: Terran Conflict"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Thu 28 May 2009 6,521 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Sun 18 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 21 May 2009 16,260 ...HR --- "C:\Documents and Settings\Will\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sun 18 Dec 2005 4,348 ...H. --- "C:\Documents and Settings\Will\My Documents\My Music\License Backup\drmv1key.bak"
Mon 8 Sep 2008 20 A..H. --- "C:\Documents and Settings\Will\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 14 Feb 2006 400 A.SH. --- "C:\Documents and Settings\Will\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

#7 Soggun
  • Topic Starter
  • Members
  • 8 posts

Posted 28 May 2009 - 12:13 AM

Scratch the not noticing any problems thing... My comp stalled out again upon closing and loading up IE explorer again (the mouse still moves, but nothing else responds - including trying to access the task manager)...

#8 boopme

  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 May 2009 - 09:53 AM

Hi. Let's try one tool; hopefully this registry will survive.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#9 Soggun
  • Topic Starter
  • Members
  • 8 posts

Posted 28 May 2009 - 01:24 PM

Followed the instructions as listed... Here are the results:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-28 14:21:48
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 86CE5D30 ZwEnumerateKey
Code 86CE3760 ZwFlushInstructionCache
Code 86CE69D6 IofCallDriver
Code 86CE6B4E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 86CE69DB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 86CE6B53
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 86CE5D34
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 86CE3764
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD9917.SYS The process cannot access the file because it is being used by another process.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F60AE4F0 16 Bytes [1A, 7E, 47, BD, D6, 4D, 14, ...]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F60AE501 31 Bytes [D0, 0A, F6, 43, B3, DB, A8, ...]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[348] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006C000A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[348] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\winlogon.exe[1344] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006C000A
.text C:\WINDOWS\system32\winlogon.exe[1344] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\services.exe[1396] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\services.exe[1396] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\lsass.exe[1408] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\lsass.exe[1408] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0074000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73E589E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73FBD86] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F73E5E24] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F73E5D28] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F73E5EF4] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F73E5EF4] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F73E5E24] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F73E5D28] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73FB1AE] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F73E5A5A] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F73FB04A] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F73E58F2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73D8AD2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73D8C0E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73D8B96] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73D976C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73D9642] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73FBE4A] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F73EA8C6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F73FB04A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73FBE4A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F73E5CC6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F73E5CC6] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86FD6EB0

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F89808
Device \Driver\dmio \Device\DmControl\DmConfig 86F89808
Device \Driver\dmio \Device\DmControl\DmPnP 86F89808
Device \Driver\dmio \Device\DmControl\DmInfo 86F89808

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86F89A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 86F89A40
Device \Driver\Cdrom \Device\CdRom0 86C72D98
Device \FileSystem\Rdbss \Device\FsWrap 85F8C8F8
Device \Driver\00000076 \Device\00000065 sptd.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{6A804BD5-E9DF-4A27-859F-3F369F897D8F} 85FBE6A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{464BFB7A-E99F-4C6C-9094-146186B11589} 85FBE6A0
Device \Driver\NetBT \Device\NetBt_Wins_Export 85FBE6A0
Device \Driver\NetBT \Device\NetbiosSmb 85FBE6A0

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86D8F568
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86D8F568
Device \FileSystem\Npfs \Device\NamedPipe 85F94478
Device \Driver\Ftdisk \Device\FtControl 86F89A40
Device \FileSystem\Msfs \Device\Mailslot 866141C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target1Lun0 86D7F2D8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 86D7F2D8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 86D7F2D8
Device \FileSystem\Cdfs \Cdfs 86DB34D0

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACmjacxqklippwoyb.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Program Files\Daemon Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2A 0x8D 0x9E 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x79 0xAF 0xD4 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA7 0x28 0xA2 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x46 0x45 0x7C 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x6D 0x45 0xE0 0x6E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACmjacxqklippwoyb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACmjacxqklippwoyb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACglcupsdmshaqlci.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACqlxoepxujgdwilm.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACpttugovgohwrvon.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACocnngunhcavlecq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACycynmtjlpexrjeu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACrkevdxnxudjtuft.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACtppmxygoiklkilw.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACjnbrpbntnvwdpet.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACxfxgajfavjkynld.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACmjacxqklippwoyb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACmjacxqklippwoyb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACglcupsdmshaqlci.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACqlxoepxujgdwilm.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACpttugovgohwrvon.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACocnngunhcavlecq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACycynmtjlpexrjeu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACrkevdxnxudjtuft.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACtppmxygoiklkilw.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACjnbrpbntnvwdpet.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACxfxgajfavjkynld.log

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Will\Local Settings\Temp\UAC4bf4.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\UACmjacxqklippwoyb.sys 52224 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\uacinit.dll 5712 bytes
File C:\WINDOWS\system32\UACocnngunhcavlecq.dll 17408 bytes executable
File C:\WINDOWS\system32\UACpttugovgohwrvon.dll 19968 bytes executable
File C:\WINDOWS\system32\UACqlxoepxujgdwilm.dat 224 bytes
File C:\WINDOWS\system32\UACrkevdxnxudjtuft.dll 66560 bytes
File C:\WINDOWS\system32\UACtppmxygoiklkilw.log 69765 bytes
File C:\WINDOWS\system32\UACycynmtjlpexrjeu.dll 19456 bytes executable
File C:\WINDOWS\system32\UACglcupsdmshaqlci.dll 24064 bytes executable

---- EOF - GMER 1.0.15 ----

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 May 2009 - 01:47 PM

Ok, good, you removed those.

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When that is done,
click the Scanner tab, select FULL scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#11 Soggun

Soggun
  • Topic Starter

  • Members
  • 8 posts

Posted 28 May 2009 - 04:12 PM

Looks like it's still there, unfortunately... I'm sensing that a reformat is probably the only solution that is likely to work :thumbsup:

Malwarebytes' Anti-Malware 1.37
Database version: 2189
Windows 5.1.2600 Service Pack 3

5/28/2009 5:07:54 PM
mbam-log-2009-05-28 (17-07-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 317728
Time elapsed: 1 hour(s), 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 May 2009 - 05:08 PM

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action, but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware disguise themselves by adding their own extension after the existing extension of a file and hiding it, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low-level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.
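Added example, not from the thread: a small Python filter that applies the two backup rules above plus the double-extension caveat from the earlier reply. The extension lists come from the posts; the sample file names are constructed.

```python
from __future__ import annotations
from pathlib import PurePath

# Extensions the post lists as user data worth backing up.
DATA_EXTS = {".doc", ".txt", ".mp3", ".jpg"}
# Extensions the post says to leave behind (executables and web pages).
BLOCKED_EXTS = {".exe", ".scr", ".com", ".pif", ".html", ".htm"}
# The earlier reply also singles out autorun.ini by name.
BLOCKED_NAMES = {"autorun.ini"}


def classify(name: str) -> tuple[str, str]:
    """Return ("backup" | "skip", reason) for one file name.

    The final suffix decides the real type. Explorer's "hide extensions for
    known file types" is what lets "holiday.jpg.exe" display as "holiday.jpg",
    so a blocked suffix hiding behind a data-looking one is reported separately.
    """
    path = PurePath(name)
    if path.name.lower() in BLOCKED_NAMES:
        return "skip", "blocked filename"
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return "skip", "no extension"
    last = suffixes[-1]
    if last in BLOCKED_EXTS:
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTS:
            return "skip", f"disguised executable {''.join(suffixes)}"
        return "skip", f"blocked extension {last}"
    if last in DATA_EXTS:
        return "backup", f"data file {last}"
    return "skip", f"not on the data list ({last})"


def triage(names: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Bucket file names into what to copy and what to leave behind."""
    buckets: dict[str, list[tuple[str, str]]] = {"backup": [], "skip": []}
    for name in names:
        verdict, reason = classify(name)
        buckets[verdict].append((name, reason))
    return buckets


# Constructed sample names; nothing here is taken from the poster's machine.
SAMPLE = ["report.doc", "Notes.TXT", "song.mp3", "holiday.jpg.exe",
          "setup.exe", "autorun.ini", "index.htm", "screensaver.scr"]

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE).items():
        for name, reason in items:
            print(f"{verdict:6} {name:20} {reason}")
```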

#13 Soggun

Soggun
  • Topic Starter

  • Members
  • 8 posts

Posted 28 May 2009 - 05:31 PM

First off, thanks so much for pointing me in the right direction here. If it's easier, I can ask on the XP forum, but I just had a couple of quick questions I was hoping you could answer... The first is whether I can use an external CD-ROM drive to reformat and subsequently reinstall XP. My second question is whether or not it would be suitable to simply use the XP CD to reformat rather than KillDisk and Boot and Nuke as you suggested (I have no way of making a CD or floppy, so I'm not sure how I could use those resources without that ability).

Thanks again!

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 May 2009 - 08:41 PM

I am checking this with another

#15 Soggun

Soggun
  • Topic Starter

  • Members
  • 8 posts

Posted 28 May 2009 - 09:54 PM

Thanks, I think I've worked it out though. The reformat/reinstallation of Windows from the USB CD-ROM drive worked out fine and I've been using this computer (my laptop) with a USB stick to get all the drivers I need installed. You've been extremely helpful and I would have had a very, very difficult time working through this without you and the guides you posted.



