Horrid Win32.Trojan.TDSS


8 replies to this topic

#1 awpitt13

Posted 11 July 2009 - 07:48 AM

AdAware has been telling me that I have Win32.Trojan.TDSS.

This trojan keeps recycling itself when I run Ad-Aware and won't let me run Malwarebytes Anti-Malware. It let me install it though, but only after I changed the name. It keeps disabling permission to access the computer's registry and tries to stop me from accessing my System Restore, which I got around by using a vbs file to access the registry, which let me ultimately access System Restore, but it seems to have deleted all of my previous restore points. When I try to start in safe mode, the computer crashes, and when it starts in normal mode it usually gives me a blank black screen right before it's supposed to give me the logon prompt.

When I restart enough times I eventually get to my desktop and the first thing I see is Internet Explorer asking me if I want to use it as my main web browser. (I use Firefox.) So it's obviously accessing the internet through Internet Explorer.

I've scoured the internets looking for ways to get rid of this recycling trojan. I've noticed that with some programs I download, I can't install or run them until I change the name of the exe. Malwarebytes doesn't run even if I change the name of it, but I had to change the name of the installation file to run that.

Every once in a while I get a random message from Internet Explorer: "Thank for your support" With the ! image.

In task manager there is always a program that runs twice called pzgkgyp.exe that resides in my TEMP folder that I can never delete, because one is always running.

I have Steam installed on my computer, and when I try to run it, it says the registry is already being used. No steam on my task manager though. In my registry files it shows two Steam folders that seem to be identical inside and out.

AdAware tells me under Category that "File: \\?\globalroot\systemroot\system32\uacmhpyobveofghobnh.dll"

I've seen other threads on this site where people have posted similar issues with very similar trojans and you've asked them to get RootRepeal and post a log. So I did that. (I logged off the internet, and turned off all my firewalls, anti-virus, etc. while I ran this, and didn't touch my computer until it was done.)

Any help you can offer would be great!

ROOTREPEAL AD, 2007-2009
==================================================
Scan Time: 2009/07/11 06:12
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB70F3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADD8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB65C0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACbobqaqerftqwvevjo.sys
Image Path: C:\WINDOWS\system32\drivers\UACbobqaqerftqwvevjo.sys
Address: 0xB748C000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBAC00000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xB68E7000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Allocation size mismatch (API: 1, Raw: 0)

Path: C:\WINDOWS\system32\UACehrmoivhkyigsmlya.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmhpjyobveofghobnh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnuyygyvxetkajfiqt.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrfwvyxtlogkvxrnkq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtxsqettmlrvmfupay.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACukbxuuamrtlblgaqg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvbbpjqeqbordlxwns.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC5b4a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Installer\478cb6.msi
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACbobqaqerftqwvevjo.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Dr. Pitt\Local Settings\Temp\UAC6e1b.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\dr. pitt\local settings\temp\etilqs_chhijl7owh7jff8hvcr2
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Dr. Pitt\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dr. Pitt\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dr. Pitt\Local Settings\Temporary Internet Files\Content.IE5\4N87UBWF\leftFlare[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Dr. Pitt\Local Settings\Temporary Internet Files\Content.IE5\F5K1AT6F\bk[1].jpg
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: winlogon.exe (PID: 588) Address: 0x00750000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: winlogon.exe (PID: 588) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: services.exe (PID: 632) Address: 0x00750000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: services.exe (PID: 632) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: lsass.exe (PID: 644) Address: 0x00810000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: lsass.exe (PID: 644) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: svchost.exe (PID: 804) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: svchost.exe (PID: 804) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACmhpjyobveofghobnh.dll]
Process: svchost.exe (PID: 804) Address: 0x009a0000 Size: 81920

Object: Hidden Module [Name: UACehrmoivhkyigsmlya.dll]
Process: svchost.exe (PID: 804) Address: 0x00a60000 Size: 73728

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: svchost.exe (PID: 804) Address: 0x02960000 Size: 45056

Object: Hidden Module [Name: UACvbbpjqeqbordlxwns.dll]
Process: svchost.exe (PID: 804) Address: 0x02990000 Size: 204800

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: svchost.exe (PID: 804) Address: 0x02c80000 Size: 49152

Object: Hidden Module [Name: UAC5b4a.tmpjqeqbordlxwns.dll]
Process: svchost.exe (PID: 804) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: svchost.exe (PID: 876) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: svchost.exe (PID: 876) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UAC5b4a.tmpjqeqbordlxwns.dll]
Process: svchost.exe (PID: 876) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: svchost.exe (PID: 972) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: svchost.exe (PID: 972) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UAC5b4a.tmpjqeqbordlxwns.dll]
Process: svchost.exe (PID: 972) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: svchost.exe (PID: 1044) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: svchost.exe (PID: 1044) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UAC5b4a.tmpjqeqbordlxwns.dll]
Process: svchost.exe (PID: 1044) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: avgrsx.exe (PID: 1072) Address: 0x00840000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: avgrsx.exe (PID: 1072) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: svchost.exe (PID: 1136) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: svchost.exe (PID: 1136) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UAC5b4a.tmpjqeqbordlxwns.dll]
Process: svchost.exe (PID: 1136) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: aawservice.exe (PID: 1288) Address: 0x00c20000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: aawservice.exe (PID: 1288) Address: 0x00d90000 Size: 49152

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: spoolsv.exe (PID: 1532) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: spoolsv.exe (PID: 1532) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: acs.exe (PID: 1576) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: acs.exe (PID: 1576) Address: 0x008c0000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: svchost.exe (PID: 1620) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: svchost.exe (PID: 1620) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UAC5b4a.tmpjqeqbordlxwns.dll]
Process: svchost.exe (PID: 1620) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: HPZipm12.exe (PID: 1692) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: HPZipm12.exe (PID: 1692) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: svchost.exe (PID: 1760) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: svchost.exe (PID: 1760) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UAC5b4a.tmpjqeqbordlxwns.dll]
Process: svchost.exe (PID: 1760) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: Explorer.EXE (PID: 1420) Address: 0x00bc0000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: Explorer.EXE (PID: 1420) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: Iexplore.exe (PID: 1464) Address: 0x00bf0000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: Iexplore.exe (PID: 1464) Address: 0x00ca0000 Size: 49152

Object: Hidden Module [Name: UAC5b4a.tmpjqeqbordlxwns.dll]
Process: Iexplore.exe (PID: 1464) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: pzgkgyp.exe (PID: 128) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: pzgkgyp.exe (PID: 128) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: pzgkgyp.exe (PID: 144) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: pzgkgyp.exe (PID: 144) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: mdm.exe (PID: 180) Address: 0x00a50000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: mdm.exe (PID: 180) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: svchost.exe (PID: 996) Address: 0x00a00000 Size: 45056

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: svchost.exe (PID: 996) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACvbbpjqeqbordlxwns.dll]
Process: svchost.exe (PID: 996) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: RootRepeal.exe (PID: 824) Address: 0x00bf0000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: RootRepeal.exe (PID: 824) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbobqaqerftqwvevjo.sys

==EOF==

Edited by The weatherman, 11 July 2009 - 08:14 AM.
Moved from XP to a more appropriate forum. Tw
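The RootRepeal report above is plain text with a fixed shape: a dashed-rule section header, then blank-line-separated records of `Key: value` pairs (some lines carry several pairs). The following added example, which is my own code and not something from the thread or from the RootRepeal project, parses that shape and pulls out what a helper reads off such a log by eye: the driver hidden from the Windows API, the files invisible to it, the set of hidden modules injected into each process, and the hidden service whose image path points at the hidden driver. The sample report is a constructed, abridged excerpt modelled on the one posted above; the parser runs unchanged on the full log.

```python
# Added example, not from the thread; the sample is a constructed, abridged excerpt.
import re
from collections import defaultdict

SAMPLE_REPORT = r"""Scan Time: 2009/07/11 06:12
Drivers
-------------------
Name: rootrepeal.sys
Status: -

Name: UACbobqaqerftqwvevjo.sys
Image Path: C:\WINDOWS\system32\drivers\UACbobqaqerftqwvevjo.sys
Address: 0xB748C000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACtxsqettmlrvmfupay.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Installer\478cb6.msi
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACukbxuuamrtlblgaqg.dll]
Process: winlogon.exe (PID: 588) Address: 0x00750000 Size: 49152

Object: Hidden Module [Name: UACtxsqettmlrvmfupay.dll]
Process: winlogon.exe (PID: 588) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbobqaqerftqwvevjo.sys

==EOF==
"""

KEY_RE = re.compile(r"(Name|Image Path|Address|Size|File Visible|Signed|Status|Path|Service Name): ")
OBJECT_RE = re.compile(r"^Object: (?P<kind>.+?) \[Name: (?P<name>[^\]]+)\]$")
PROCESS_RE = re.compile(r"^Process: (?P<process>.+?) \(PID: (?P<pid>\d+)\) Address: (?P<address>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)$")


def parse_fields(line):
    """One report line -> dict; a line may carry several 'Key: value' pairs."""
    if m := OBJECT_RE.match(line):
        return {"kind": m["kind"], "name": m["name"]}
    if m := PROCESS_RE.match(line):
        return {"process": m["process"], "pid": int(m["pid"]),
                "address": int(m["address"], 16), "size": int(m["size"])}
    parts = KEY_RE.split(line)  # ['', key1, value1, key2, value2, ...]
    return {k.lower().replace(" ", "_"): v.strip()
            for k, v in zip(parts[1::2], parts[2::2])}


def parse_report(text):
    """Group the report into {section name: [record, ...]}; a blank line ends a record."""
    sections, lines = defaultdict(list), text.splitlines()
    current, record = None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("-----"):
            current, record = line.strip(), {}  # a header line precedes a dashed rule
        elif current is None or line.startswith("-----"):
            continue
        elif not line.strip():
            if record:
                sections[current].append(record)
            record = {}
        else:
            record.update(parse_fields(line))
    if record:
        sections[current].append(record)
    return sections


def hidden_drivers(sections):
    """Drivers RootRepeal found loaded that the Windows API denies exist."""
    return [d["name"] for d in sections["Drivers"]
            if "hidden" in d.get("status", "").lower()]


def invisible_files(sections):
    """Files invisible to the API; files that are only locked (the .msi) are not flagged."""
    return [f["path"] for f in sections["Hidden/Locked Files"]
            if "invisible" in f.get("status", "").lower()]


def modules_by_process(sections):
    """Injection footprint: 'process (PID n)' -> set of hidden module names."""
    out = defaultdict(set)
    for obj in sections["Stealth Objects"]:
        if obj.get("kind") == "Hidden Module":
            out[f"{obj['process']} (PID {obj['pid']})"].add(obj["name"])
    return dict(out)


def service_driver_links(sections):
    """Pair each hidden service with the hidden driver its image path resolves to."""
    drivers = {d["image_path"].lower(): d["name"] for d in sections["Drivers"]
               if "hidden" in d.get("status", "").lower() and "image_path" in d}
    return [(s["service_name"], drivers[s["image_path"].lower()])
            for s in sections["Hidden Services"]
            if s.get("image_path", "").lower() in drivers]
```

Run against the full log above, `modules_by_process` shows the same two DLLs in every listed process, including winlogon.exe, services.exe and lsass.exe, which is why the user-mode tools could not remove the files while the system was running.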



#2 boopme (Global Moderator)

Posted 11 July 2009 - 08:39 AM

Hello and welcome...
Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\UACehrmoivhkyigsmlya.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACmhpjyobveofghobnh.dll
C:\WINDOWS\system32\UACtxsqettmlrvmfupay.dll
C:\WINDOWS\system32\UACukbxuuamrtlblgaqg.dll
C:\WINDOWS\system32\UACvbbpjqeqbordlxwns.dll
C:\WINDOWS\system32\drivers\UACbobqaqerftqwvevjo.sys


Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#3 awpitt13 (Topic Starter)

Posted 11 July 2009 - 06:39 PM

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/11/2009 5:33:06 PM
mbam-log-2009-07-11 (17-33-06).txt

Scan type: Quick Scan
Objects scanned: 89189
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 18
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 60

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf7husjnfg98gi498aejhiugjkdg4 (Rogue.AntiVirusBest) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Rogue.AntiVirusBest) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows system recover! (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.com\(default) (Hijacked.ComFile) -> Bad: (csfile) Good: (comfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{46c166aa-3108-11d4-9348-00c04f8eeb71}\inprocserver32\(default) (Hijack.Hnetcfg) -> Bad: (\\?\globalroot\systemroot\installer\478cb6.msi) Good: (hnetcfg.dll) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gsf83iujid.dll (Trojan.Zlob.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Pitt\Local Settings\Temp\pzgkgyp.exe (Rogue.AntiVirusBest) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Pitt\Local Settings\Temp\mdm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\pcmstub.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wiwow64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tpsaxyd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\2328460224.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\2330178974.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\mrcuaa.exe (Rogue.AntiVirusBest) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\mxecrsnawo.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\notepad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\lko0ij8uyhg8ujuyt6hu7gnvc44.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\login.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\tdl1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\tdl2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\tdl3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\tdl4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\winamp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\ecoxmnrasw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\enawxmocsr.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\eoonz.exe (Rogue.AntiVirusBest) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\install.48349.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\debug.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\~TM2B5.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\~TM2BE.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\system.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\carxwoenms.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\siiw28qq.exe (Rogue.AntiVirusBest) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\3437897008.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\3609764738.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\3611483488.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\538587416.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\673285810.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\806567060.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\dr. pitt\local settings\Temp\895106296.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\UAC5b4a.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\IVEL1E61\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\JKOVKCSQ\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\ZCDBCS59\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACehrmoivhkyigsmlya.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACmhpjyobveofghobnh.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtxsqettmlrvmfupay.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACukbxuuamrtlblgaqg.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACvbbpjqeqbordlxwns.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACbobqaqerftqwvevjo.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#4 boopme (Global Moderator)

Posted 11 July 2009 - 07:12 PM

Hi, making some real improvements now. Let's try running SDFix.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 awpitt13

awpitt13
  • Topic Starter

  • Members
  • 4 posts

Posted 11 July 2009 - 08:59 PM

So I'm following the instructions for SDFix and I go to reboot in Safe Mode. My computer is not letting me do this. It starts listing a bunch of file names really quickly, ends on one called ...sys32/Drivers/Mup.sys, then flashes the blue screen of death and restarts.

I start up in normal mode and run Malwarebytes Anti-Malware again and come up with 20+ infected items (log below). I restart in normal mode so it can make the bad things go away on reboot, then immediately restart the computer and try to boot in Safe Mode again. Same result. I run Malwarebytes yet again and nothing shows up. I also ran it again after the very first scan and it had nothing to report.

I appreciate you helping me with this.

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/11/2009 7:41:10 PM
mbam-log-2009-07-11 (19-41-10).txt

Scan type: Quick Scan
Objects scanned: 89765
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\remubiki.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lijuhidi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\huholapu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e42025a5-2449-4ae6-93e5-e13c128e9770} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e42025a5-2449-4ae6-93e5-e13c128e9770} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e42025a5-2449-4ae6-93e5-e13c128e9770} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\derebazeji (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm47aec05f (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lijuhidi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\huholapu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\huholapu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\remubiki.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lijuhidi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gutodayo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\huholapu.dll (Trojan.Vundo.H) -> Delete on reboot.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 July 2009 - 12:29 PM

Hi, since we are having a Safe Mode problem we should use some specialized tools.
You will need to run HJT/DDS.
Please follow this guide and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#7 DiaBase10

DiaBase10

  • Members
  • 1 posts

Posted 17 July 2009 - 10:39 PM

I've had problems with this nasty virus twice!

The reason that you cannot go to safe mode is that the virus scrambled a registry entry and added another on to replace it.
The scrambled entry is located at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

This is where Windows stores all the hardware information for booting into Safe Mode.

The virus changes the "oo" in "SafeBoot" to Unicode characters (3F for 6F) and then writes another abbreviated registry tree called:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\safeboot

Don't try this fix unless you completely understand what I'm talking about. Do yourself a favor and export the keys before deleting or modifying them just in case you don't do it right so that you can at least return to where you started.

To fix this, delete the smaller "safeboot" tree and then rename the SafeBoot key, typing over the "oo" to replace the Unicode characters.

You will probably find similar keys changed by the virus, like
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Control\SafeBoot
or other ControlSets, but fixing the main one should get you back into Safe Mode.

Another dumb registry trick this virus uses disables Windows Update by changing %SystemRoot% to %FystemRoot%.
If you find the Windows Update service doesn't start, try searching the registry for every instance of %FystemRoot% and replace it with %SystemRoot%.

Oh... I forgot to mention... This virus also changes registry permissions so that you will have to give yourself permission again to be able to make these corrections. I hand-corrected the permissions when I first cleaned up this virus but discovered that it's better to fix the whole registry at once using a script. There are instructions in many places on the internet for how to do this. Here's one example:
http://blogs.msdn.com/astebner/archive/200.../04/739820.aspx

This virus can do so many nasty little things that I have yet to see any one site with all the answers. Despite that, I've managed to clean up my machine twice, the first time taking four evenings, and the second time just two. The second time I found it easiest to pull the teeth of the virus by accessing the infected XP system through a Linux OS dual-booting on the same machine. You have to pull the teeth to make progress. There are the virus driver files, but there are also hordes of 25kb infector files masquerading as your autoruns. You can see them with a process explorer like the freeware from Sysinternals. The virus renames your autorun programs by putting a space before the ".exe", and then creates a 25kb infector program with the original name of the autorun program that calls the renamed program after it starts. You have to remove all the 25kb files and rename the autoruns or else the virus will reinfect your machine after boot. If you don't have a dual-boot system, just rename each 25kb file to a different name, and then remove the space before the ".exe" in the real program file name, then reboot. After reboot you can go back and delete the 25kb files. You will not be able to delete the renamed 25kb files until they are not running.

This is just a beginning at handling the mess caused by this virus, but I hope these explanations will help save people some time cleaning up the damage.

Edited by DiaBase10, 17 July 2009 - 10:41 PM.
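The three registry tricks described in the post above (a SafeBoot key respelled with look-alike characters next to a planted lowercase copy, %SystemRoot% mangled to %FystemRoot%, and an autorun whose real program was renamed to "name .exe" and replaced by a small stand-in) can all be checked offline against the .reg export the post recommends taking before changing anything. The following is an added example and is not code from the thread or from any tool mentioned in it. The .reg text and the file listing are constructed; the Cyrillic 'о' used as the look-alike character and the 32 KB size ceiling for the stand-in are assumptions made to exercise the checks (the post itself describes a 3F-for-6F substitution and roughly 25kb files).

```python
"""Offline audit of a regedit-style .reg export for three tampering patterns:
a look-alike SafeBoot key, a mangled %SystemRoot% reference, and a Run entry
whose program was renamed to 'name .exe' beside a small replacement.
Added example; every piece of sample data below is constructed."""
import re
from typing import Dict, List, Set, Tuple

RegTree = Dict[str, Dict[str, str]]

# Constructed .reg export.  The first SafeBoot spelling carries a Cyrillic 'о'
# (U+043E); the post reports a different byte swap, so this is an assumption.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBоot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBоot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%FystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"ImagePath"="%SystemRoot%\\system32\\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\ExampleVendor\\ExampleTray.exe"
"Updater"="\"C:\\Program Files\\OtherVendor\\Updater.exe\" /quiet"
"""

# Constructed directory listing (path -> size in bytes), standing in for
# os.path.getsize() on the infected volume.
SAMPLE_FILES: Dict[str, int] = {
    r"C:\Program Files\ExampleVendor\ExampleTray.exe": 25_600,      # small stand-in
    r"C:\Program Files\ExampleVendor\ExampleTray .exe": 1_204_224,  # renamed original
    r"C:\Program Files\OtherVendor\Updater.exe": 340_000,
}

# Characters that look like Latin letters but compare differently.  '?' is
# included because the post describes 0x3F written over 0x6F ('o').
CONFUSABLES = {"\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c", "?": "o"}
MANGLED_ROOT = re.compile(r"%([A-Za-z])ystemRoot%", re.IGNORECASE)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text: str) -> RegTree:
    """Minimal .reg parser: [key] headers, then "name"=value lines.  String
    values are unescaped; other value types are kept as raw text."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            value = m.group(2)
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            tree[current][name] = value
    return tree


def _fold(name: str) -> str:
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()


def find_safeboot_tampering(reg: RegTree) -> List[Tuple[str, str, str]]:
    """Flag key names that fold to 'safeboot' but are not the ASCII spelling,
    and any parent holding two spellings: the registry is case-insensitive, so
    a genuine key cannot coexist with a same-named copy, which is why the
    virus needs look-alike characters in the first place."""
    seen: Dict[str, Set[str]] = {}
    for key in reg:
        parts = key.split("\\")
        for i, part in enumerate(parts):
            if _fold(part) == "safeboot":
                seen.setdefault("\\".join(parts[:i]), set()).add(part)
    findings = []
    for parent, names in sorted(seen.items()):
        for name in sorted(names):
            if name.lower() != "safeboot":
                findings.append((parent, name, "look-alike characters in key name"))
        if len(names) > 1:
            findings.append((parent, "|".join(sorted(names)), "two SafeBoot spellings under one parent"))
    return findings


def find_mangled_systemroot(reg: RegTree) -> List[Tuple[str, str, str]]:
    """Return (key, value name, token) for every %?ystemRoot% that is not %SystemRoot%."""
    return [(key, name, m.group(0))
            for key, values in reg.items() for name, value in values.items()
            for m in MANGLED_ROOT.finditer(value) if m.group(1).lower() != "s"]


def _exe_path(command: str) -> str:
    """Pull the executable path out of a Run command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def find_renamed_autoruns(reg: RegTree, files: Dict[str, int],
                          small_max: int = 32 * 1024) -> List[Tuple[str, str, int, str]]:
    """Flag Run entries whose target is small and has a 'name .exe' sibling."""
    lookup = {p.lower(): size for p, size in files.items()}
    findings = []
    for key, values in reg.items():
        if not key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            continue
        for name, command in values.items():
            exe = _exe_path(command)
            renamed = exe[:-4] + " .exe" if exe.lower().endswith(".exe") else ""
            size = lookup.get(exe.lower())
            if renamed and renamed.lower() in lookup and size is not None and size <= small_max:
                findings.append((name, exe, size, renamed))
    return findings


if __name__ == "__main__":
    tree = parse_reg(SAMPLE_REG)
    for finding in (find_safeboot_tampering(tree) + find_mangled_systemroot(tree)
                    + find_renamed_autoruns(tree, SAMPLE_FILES)):
        print(finding)
```

On a live machine the same functions would be fed the output of `reg export` and a directory walk of the autorun targets; running them against an export rather than the live hive is what makes the check safe to repeat while the permissions fix described in the post is still pending.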


#8 awpitt13

awpitt13
  • Topic Starter

  • Members
  • 4 posts

Posted 31 July 2009 - 01:25 PM

Hi again, I've been out of touch for a while because I had to move across the country... anyway, I was able to enable safeboot by using a .vbs file to change my registry.

I ran SDFix; here's the report.

SDFix: Version 1.240
Run by Dr. Pitt on Fri 07/31/2009 at 11:54 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 12:16:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACbobqaqerftqwvevjo.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACbobqaqerftqwvevjo.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACehrmoivhkyigsmlya.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UACvbbpjqeqbordlxwns.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACrfwvyxtlogkvxrnkq.dat"
"uacmask"="\\?\globalroot\systemroot\system32\UACtxsqettmlrvmfupay.dll"
"uacserf"="\\?\globalroot\systemroot\system32\UACukbxuuamrtlblgaqg.dll"
"uacmal"="\\?\globalroot\systemroot\system32\UACnuyygyvxetkajfiqt.db"
"uacrem"="\\?\globalroot\systemroot\system32\UACmhpjyobveofghobnh.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACbobqaqerftqwvevjo.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACbobqaqerftqwvevjo.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACehrmoivhkyigsmlya.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UACvbbpjqeqbordlxwns.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACrfwvyxtlogkvxrnkq.dat"
"uacmask"="\\?\globalroot\systemroot\system32\UACtxsqettmlrvmfupay.dll"
"uacserf"="\\?\globalroot\systemroot\system32\UACukbxuuamrtlblgaqg.dll"
"uacmal"="\\?\globalroot\systemroot\system32\UACnuyygyvxetkajfiqt.db"
"uacrem"="\\?\globalroot\systemroot\system32\UACmhpjyobveofghobnh.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Vuze\\Azureus.exe"="C:\\Program Files\\Vuze\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"="C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Steam\\steamapps\\pittstop\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\pittstop\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\pittstop\\zombie panic! source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\pittstop\\zombie panic! source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\pittstop\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\pittstop\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Documents and Settings\\Dr. Pitt\\Desktop\\SteamStats\\SteamStats.exe"="C:\\Documents and Settings\\Dr. Pitt\\Desktop\\SteamStats\\SteamStats.exe:*:Enabled:SteamStats"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"="C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe:*:Enabled:Empire: Total War"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sun 13 Apr 2008 93,184 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Fri 13 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 14 Feb 2009 2,834 ...HR --- "C:\Documents and Settings\Dr. Pitt\Application Data\SecuROM\UserData\securom_v7_01.bak"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Dr. Pitt\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 31 July 2009 - 01:37 PM

MBAM has been updated quite a bit in this time that's elapsed.

Go ahead and use their clean tool, then redownload and update it and run a quick scan.

http://www.malwarebytes.org/mbam-clean.exe
Chewy

No. Try not. Do... or do not. There is no try.
