
Infected with WINDOWS\system32\uacinit.dll (Trojan.Agent)


This topic is locked
14 replies to this topic

#1 Tash11


Posted 27 July 2009 - 10:49 PM

I have run MalwareBytes Anti-malware and this WINDOWS\system32\uacinit.dll (Trojan.Agent) will not delete. I have posted in the Am I Infected forum and tried a few things, then was suggested to post one in here. I have run DDS and this is the log.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Sarah Pervan at 11:43:00.42 on Tue 28/07/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.309 [GMT 8:00]

AV: AVG Internet Security Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
G:\Cyberfreight\Cyber2.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sarah Pervan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row-rel&channel=au&ibd=6070503
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {31D51137-8043-41AD-8E09-CAA78B172CB7} = 203.191.160.68,61.88.88.88
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2007-5-3 3456]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-6-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-22 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-22 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-22 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298776]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-3 38496]
RUnknown lvtvj;lvtvj; [x]
S2 adtwik;adtwik;c:\windows\system32\drivers\twlputc.sys --> c:\windows\system32\drivers\twlputc.sys [?]
S2 bepzsod;bepzsod;c:\windows\system32\drivers\hzdc.sys --> c:\windows\system32\drivers\hzdc.sys [?]
S2 bpjlyyo;bpjlyyo;c:\windows\system32\drivers\jkkvu.sys --> c:\windows\system32\drivers\jkkvu.sys [?]
S2 cgojxtc;cgojxtc;c:\windows\system32\drivers\atnsy.sys --> c:\windows\system32\drivers\atnsy.sys [?]
S2 cuxmk;cuxmk;c:\windows\system32\drivers\mdrxhu.sys --> c:\windows\system32\drivers\mdrxhu.sys [?]
S2 ipxdq;ipxdq;c:\windows\system32\drivers\vkxuurcx.sys --> c:\windows\system32\drivers\vkxuurcx.sys [?]
S2 iszats;iszats;c:\windows\system32\drivers\npvz.sys --> c:\windows\system32\drivers\npvz.sys [?]
S2 jcepvqgx;jcepvqgx;c:\windows\system32\drivers\qqrsv.sys --> c:\windows\system32\drivers\qqrsv.sys [?]
S2 kedwqwg;kedwqwg;c:\windows\system32\drivers\btmocbs.sys --> c:\windows\system32\drivers\btmocbs.sys [?]
S2 ldhlelx;ldhlelx;c:\windows\system32\drivers\enugfso.sys --> c:\windows\system32\drivers\enugfso.sys [?]
S2 lnulwj;lnulwj;c:\windows\system32\drivers\tumxne.sys --> c:\windows\system32\drivers\tumxne.sys [?]
S2 mlnbytt;mlnbytt;c:\windows\system32\drivers\skaqq.sys --> c:\windows\system32\drivers\skaqq.sys [?]
S2 qhezhtjh;qhezhtjh;c:\windows\system32\drivers\kndwze.sys --> c:\windows\system32\drivers\kndwze.sys [?]
S2 sfbx;sfbx;c:\windows\system32\drivers\zljux.sys --> c:\windows\system32\drivers\zljux.sys [?]
S2 uujbm;uujbm;c:\windows\system32\drivers\hkrrcci.sys --> c:\windows\system32\drivers\hkrrcci.sys [?]
S2 vupdej;vupdej;c:\windows\system32\drivers\ysonml.sys --> c:\windows\system32\drivers\ysonml.sys [?]

=============== Created Last 30 ================

2009-07-20 10:09 2 a------- c:\windows\0101120101464849.dat
2009-07-20 10:09 2 a------- c:\windows\010112010146118114.dat
2009-07-15 12:04 <DIR> --d----- c:\documents and settings\sarah pervan\DoctorWeb
2009-07-07 11:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-07 11:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-07 11:23 <DIR> --d----- c:\docume~1\sarahp~1\applic~1\SUPERAntiSpyware.com
2009-07-03 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-07-03 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 16:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-07-08 09:04 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-15 16:07 2,967,816 a------- C:\mbam-setup.exe
2009-04-30 09:43 11,952 a------- c:\windows\system32\avgrsstx.dll

============= FINISH: 11:43:23.89 ===============

Please help!!


#2 fenzodahl512


Posted 28 July 2009 - 04:18 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Tash11


Posted 28 July 2009 - 11:24 PM

Hello. Thanks for the quick reply.
I just ran ComboFix and here is the log.

ComboFix 09-07-28.01 - Sarah Pervan 29/07/2009 12:12.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.605 [GMT 8:00]
Running from: c:\documents and settings\Sarah Pervan\Desktop\Combo-Fix.exe
AV: AVG Internet Security Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\system32\drivers\UACylhmnkltfevqxeh.sys
c:\windows\system32\UACadubqbrpuyavyxv.dll
c:\windows\system32\UACbiivkbrknlrdgwk.dll
c:\windows\system32\UACefaujikmpaxsimu.dat
c:\windows\system32\UACewkrqpcsmmxmrjy.log
c:\windows\system32\UAChjbpluwnhmcummg.log
c:\windows\system32\UACixmlqhcxjboakwo.dat
c:\windows\system32\UACntwpmsrvnwlqjae.log
c:\windows\system32\UACoebxapdlipyvkai.dll
c:\windows\system32\UACorqplduxlxrtvwk.dll
c:\windows\system32\UACtetjixentexaoyr.dll
c:\windows\system32\UACtykoenehdxsbjxs.log

----- BITS: Possible infected sites -----

hxxp://downloadsoftwareserver.com
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-29 04:17 . 2004-08-03 21:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-29 04:17 . 2004-08-03 21:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-15 04:04 . 2009-07-15 04:04 -------- d-----w- c:\documents and settings\Sarah Pervan\DoctorWeb
2009-07-07 03:23 . 2009-07-07 03:23 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-07 03:23 . 2009-07-13 23:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-07 03:23 . 2009-07-13 23:52 -------- d-----w- c:\documents and settings\Sarah Pervan\Application Data\SUPERAntiSpyware.com
2009-07-03 08:11 . 2009-04-06 07:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 08:11 . 2009-04-06 07:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 08:11 . 2009-07-03 08:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 08:28 . 2009-03-03 05:56 -------- d-----w- c:\program files\Bonjour
2009-07-09 08:25 . 2009-04-09 05:20 -------- d-----w- c:\documents and settings\Sarah Pervan\Application Data\Samsung
2009-07-08 01:04 . 2008-06-22 05:04 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-21 23:56 . 2009-06-11 00:30 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-17 00:06 . 2008-06-22 05:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-11 00:30 . 2009-06-11 00:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-05-15 08:07 . 2009-05-15 08:09 2967816 ----a-w- C:\mbam-setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-04-30 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-30 01:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [3/05/2007 12:49 PM 3456]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [22/06/2008 1:04 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/06/2008 1:04 PM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/06/2008 1:04 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/01/2009 7:11 AM 298776]
S2 adtwik;adtwik;c:\windows\system32\drivers\twlputc.sys --> c:\windows\system32\drivers\twlputc.sys [?]
S2 bepzsod;bepzsod;c:\windows\system32\drivers\hzdc.sys --> c:\windows\system32\drivers\hzdc.sys [?]
S2 bpjlyyo;bpjlyyo;c:\windows\system32\drivers\jkkvu.sys --> c:\windows\system32\drivers\jkkvu.sys [?]
S2 cgojxtc;cgojxtc;c:\windows\system32\drivers\atnsy.sys --> c:\windows\system32\drivers\atnsy.sys [?]
S2 cuxmk;cuxmk;c:\windows\system32\drivers\mdrxhu.sys --> c:\windows\system32\drivers\mdrxhu.sys [?]
S2 ipxdq;ipxdq;c:\windows\system32\drivers\vkxuurcx.sys --> c:\windows\system32\drivers\vkxuurcx.sys [?]
S2 iszats;iszats;c:\windows\system32\drivers\npvz.sys --> c:\windows\system32\drivers\npvz.sys [?]
S2 jcepvqgx;jcepvqgx;c:\windows\system32\drivers\qqrsv.sys --> c:\windows\system32\drivers\qqrsv.sys [?]
S2 kedwqwg;kedwqwg;c:\windows\system32\drivers\btmocbs.sys --> c:\windows\system32\drivers\btmocbs.sys [?]
S2 ldhlelx;ldhlelx;c:\windows\system32\drivers\enugfso.sys --> c:\windows\system32\drivers\enugfso.sys [?]
S2 lnulwj;lnulwj;c:\windows\system32\drivers\tumxne.sys --> c:\windows\system32\drivers\tumxne.sys [?]
S2 mlnbytt;mlnbytt;c:\windows\system32\drivers\skaqq.sys --> c:\windows\system32\drivers\skaqq.sys [?]
S2 qhezhtjh;qhezhtjh;c:\windows\system32\drivers\kndwze.sys --> c:\windows\system32\drivers\kndwze.sys [?]
S2 sfbx;sfbx;c:\windows\system32\drivers\zljux.sys --> c:\windows\system32\drivers\zljux.sys [?]
S2 uujbm;uujbm;c:\windows\system32\drivers\hkrrcci.sys --> c:\windows\system32\drivers\hkrrcci.sys [?]
S2 vupdej;vupdej;c:\windows\system32\drivers\ysonml.sys --> c:\windows\system32\drivers\ysonml.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {31D51137-8043-41AD-8E09-CAA78B172CB7} = 203.191.160.68,61.88.88.88
.

**************************************************************************

driver loading error catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 12:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InterBaseGuardian]
"ImagePath"="c:\program files\Firebird\bin\ibguard -s"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InterBaseServer]
"ImagePath"="c:\program files\Firebird\bin\ibserver -s"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-29 12:18
ComboFix-quarantined-files.txt 2009-07-29 04:18

Pre-Run: 140,940,697,600 bytes free
Post-Run: 141,506,682,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

170 --- E O F --- 2009-05-14 00:06

#4 fenzodahl512


Posted 29 July 2009 - 01:43 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
adtwik
bepzsod
bpjlyyo
cgojxtc
cuxmk
ipxdq
iszats
jcepvqgx
kedwqwg
ldhlelx
lnulwj
mlnbytt
qhezhtjh
sfbx
uujbm
vupdej

File::
c:\windows\system32\drivers\twlputc.sys
c:\windows\system32\drivers\hzdc.sys
c:\windows\system32\drivers\jkkvu.sys
c:\windows\system32\drivers\atnsy.sys
c:\windows\system32\drivers\mdrxhu.sys
c:\windows\system32\drivers\vkxuurcx.sys
c:\windows\system32\drivers\npvz.sys
c:\windows\system32\drivers\qqrsv.sys
c:\windows\system32\drivers\btmocbs.sys
c:\windows\system32\drivers\enugfso.sys
c:\windows\system32\drivers\tumxne.sys
c:\windows\system32\drivers\skaqq.sys
c:\windows\system32\drivers\kndwze.sys
c:\windows\system32\drivers\zljux.sys
c:\windows\system32\drivers\hkrrcci.sys
c:\windows\system32\drivers\ysonml.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

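As an added example (not code from this thread, nor from the DDS or ComboFix authors), here is a small Python parser for lines in the DDS "SERVICES / DRIVERS" format shown in post #1. It flags services whose driver binary DDS reports as missing (`[?]`) or unknown (`[x]`), treats a random-looking service name only as a supporting signal (the legitimate `atiide` entry looks random too), and renders the missing-binary entries in the CFScript Driver::/File:: layout used in post #4. The sample log lines are constructed from entries that appear in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DDS "SERVICES / DRIVERS" line format:
# three legitimate entries plus three of the entries the thread's log lists.
SAMPLE_LOG = """\
R0 atiide;atiide;c:\\windows\\system32\\drivers\\atiide.sys [2007-5-3 3456]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [2008-6-22 335752]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\\windows\\system32\\drivers\\mbamswissarmy.sys [2009-7-3 38496]
RUnknown lvtvj;lvtvj; [x]
S2 adtwik;adtwik;c:\\windows\\system32\\drivers\\twlputc.sys --> c:\\windows\\system32\\drivers\\twlputc.sys [?]
S2 bepzsod;bepzsod;c:\\windows\\system32\\drivers\\hzdc.sys --> c:\\windows\\system32\\drivers\\hzdc.sys [?]
"""

# One DDS line: "<state> <service>;<display name>;<image path> [<date size> | ? | x]"
LINE_RE = re.compile(
    r"^(?P<state>R\d|S\d|RUnknown)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str                  # R0/R1/S2 ... or RUnknown
    name: str                   # service key name
    display: str                # display name
    image_path: Optional[str]   # path DDS resolved the binary to, or None
    file_info: str              # "<date size>", "?" (not on disk) or "x" (unknown)

    @property
    def random_looking_name(self) -> bool:
        # Short all-lowercase service name that is also its own display name.
        # Weak on its own ("atiide" matches), so it is reported, never decisive.
        return bool(re.fullmatch(r"[a-z]{4,9}", self.name)) and self.display == self.name


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every line that matches the DDS service/driver layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw_path = m.group("path").strip()
        # "a --> b" means DDS followed the registered path to b; keep the final path.
        path = raw_path.split("-->")[-1].strip() if raw_path else None
        entries.append(ServiceEntry(m.group("state"), m.group("name").strip(),
                                    m.group("display").strip(), path, m.group("info")))
    return entries


def classify(entry: ServiceEntry) -> str:
    """Decisive signal is what DDS says about the binary, not the name."""
    info = entry.file_info.strip()
    if info == "?":
        return "missing-binary"      # registered driver whose file is not on disk
    if info == "x" or entry.state == "RUnknown":
        return "unknown-state"       # DDS could not determine image or start type
    return "ok"


def flag_suspicious(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries a responder should look at, in log order."""
    return [e for e in entries if classify(e) != "ok"]


def build_cfscript(flagged: List[ServiceEntry]) -> str:
    """Render missing-binary entries in the CFScript layout from post #4.

    Unknown-state entries are deliberately left out, matching the script in the
    thread, which only listed the S2 services whose files were reported missing.
    """
    targets = [e for e in flagged if classify(e) == "missing-binary"]
    lines = ["KillAll::", "", "Driver::", *[e.name for e in targets]]
    files = [e.image_path for e in targets if e.image_path]
    if files:
        lines += ["", "File::", *files]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_services(SAMPLE_LOG)
    for e in flag_suspicious(found):
        print(f"{e.state:9} {e.name:10} {classify(e):15} random_name={e.random_looking_name}")
    print(build_cfscript(flag_suspicious(found)))
```

The same parser works on the duplicated service block in the ComboFix log in post #3, since those lines use the same layout with only a different date format inside the brackets.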


#5 Tash11


Posted 29 July 2009 - 11:23 PM

Just done that step.

I saved the log but can't seem to find it anywhere. Not too sure what happened?

#6 fenzodahl512


Posted 29 July 2009 - 11:45 PM

Did you run it correctly? Did ComboFix start and run when you dragged CFScript onto the ComboFix icon? :thumbup2:



#7 Tash11


Posted 30 July 2009 - 12:00 AM

Yep.

It ran, finished and restarted my computer. The log also opened, then I saved it onto my desktop, but it's not there :S

#8 fenzodahl512


Posted 30 July 2009 - 12:06 AM

OK, can you look for the log at C:\combofix.txt?



#9 Tash11


Posted 30 July 2009 - 12:09 AM

Yes, it was there :thumbup2:

ComboFix 09-07-29.03 - Sarah Pervan 30/07/2009 12:09.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.387 [GMT 8:00]
Running from: c:\documents and settings\Sarah Pervan\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Sarah Pervan\Desktop\CFScript.txt
AV: AVG Internet Security Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\atnsy.sys"
"c:\windows\system32\drivers\btmocbs.sys"
"c:\windows\system32\drivers\enugfso.sys"
"c:\windows\system32\drivers\hkrrcci.sys"
"c:\windows\system32\drivers\hzdc.sys"
"c:\windows\system32\drivers\jkkvu.sys"
"c:\windows\system32\drivers\kndwze.sys"
"c:\windows\system32\drivers\mdrxhu.sys"
"c:\windows\system32\drivers\npvz.sys"
"c:\windows\system32\drivers\qqrsv.sys"
"c:\windows\system32\drivers\skaqq.sys"
"c:\windows\system32\drivers\tumxne.sys"
"c:\windows\system32\drivers\twlputc.sys"
"c:\windows\system32\drivers\vkxuurcx.sys"
"c:\windows\system32\drivers\ysonml.sys"
"c:\windows\system32\drivers\zljux.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADTWIK
-------\Legacy_BEPZSOD
-------\Legacy_CGOJXTC
-------\Legacy_IPXDQ
-------\Legacy_ISZATS
-------\Legacy_JCEPVQGX
-------\Legacy_KEDWQWG
-------\Legacy_LDHLELX
-------\Legacy_LNULWJ
-------\Legacy_MLNBYTT
-------\Legacy_SFBX
-------\Legacy_UUJBM
-------\Service_adtwik
-------\Service_bepzsod
-------\Service_bpjlyyo
-------\Service_cgojxtc
-------\Service_cuxmk
-------\Service_ipxdq
-------\Service_iszats
-------\Service_jcepvqgx
-------\Service_kedwqwg
-------\Service_ldhlelx
-------\Service_lnulwj
-------\Service_mlnbytt
-------\Service_qhezhtjh
-------\Service_sfbx
-------\Service_uujbm
-------\Service_vupdej


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-29 04:17 . 2004-08-03 21:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-29 04:17 . 2004-08-03 21:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-16 00:15 . 2009-07-08 01:04 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-15 04:04 . 2009-07-15 04:04 -------- d-----w- c:\documents and settings\Sarah Pervan\DoctorWeb
2009-07-07 03:23 . 2009-07-07 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-07 03:23 . 2009-07-13 23:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-07 03:23 . 2009-07-13 23:52 -------- d-----w- c:\documents and settings\Sarah Pervan\Application Data\SUPERAntiSpyware.com
2009-07-03 08:13 . 2009-07-24 04:39 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-03 08:11 . 2009-04-06 07:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 08:11 . 2009-04-06 07:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 08:11 . 2009-07-03 08:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 08:28 . 2009-03-03 05:56 -------- d-----w- c:\program files\Bonjour
2009-07-09 08:25 . 2009-04-09 05:20 -------- d-----w- c:\documents and settings\Sarah Pervan\Application Data\Samsung
2009-07-08 01:04 . 2008-06-22 05:04 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-21 23:56 . 2009-06-11 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-17 00:06 . 2008-06-22 05:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-11 00:30 . 2009-06-11 00:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-02 05:38 . 2009-06-11 00:41 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-05-15 08:07 . 2009-05-15 08:09 2967816 ----a-w- C:\mbam-setup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_04.17.52 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-04-30 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-30 01:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [3/05/2007 12:49 PM 3456]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [22/06/2008 1:04 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/06/2008 1:04 PM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22/06/2008 1:04 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/01/2009 7:11 AM 298776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {31D51137-8043-41AD-8E09-CAA78B172CB7} = 203.191.160.68,61.88.88.88
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 12:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InterBaseGuardian]
"ImagePath"="c:\program files\Firebird\bin\ibguard -s"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\InterBaseServer]
"ImagePath"="c:\program files\Firebird\bin\ibserver -s"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3892)
c:\windows\system32\msi.dll
c:\windows\system32\shdoclc.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Firebird\bin\ibguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Firebird\bin\ibserver.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-07-30 12:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 04:17
ComboFix2.txt 2009-07-29 04:18

Pre-Run: 141,330,612,224 bytes free
Post-Run: 141,315,305,472 bytes free

207 --- E O F --- 2009-05-14 00:06

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 30 July 2009 - 12:12 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it, then do a "Perform Full Scan".

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 Tash11

Tash11
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 30 July 2009 - 03:22 AM

OK, just done them both.
Here are the results:

Malwarebytes:
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2

30/07/2009 2:17:29 PM
mbam-log-2009-07-30 (14-17-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136296
Time elapsed: 27 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\UACbiivkbrknlrdgwk.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.


ESET Scanner
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2

30/07/2009 2:17:29 PM
mbam-log-2009-07-30 (14-17-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136296
Time elapsed: 27 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\UACbiivkbrknlrdgwk.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

Hopefully all deleted now :thumbup2:

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 30 July 2009 - 09:00 AM

Where's the ESET log? You posted MBAM log twice :thumbup2:



#13 Tash11

Tash11
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 30 July 2009 - 06:58 PM

Oh, sorry.

Here it is:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=c4d41c41f8492041bcc68127d656d6d4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-07-30 08:19:05
# local_time=2009-07-30 04:19:05 (+0800, W. Australia Standard Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1027 21 83 68 2010962187500
# scanned=54400
# found=2
# cleaned=2
# scan_time=1582
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACylhmnkltfevqxeh.sys.vir Win32/Olmarik.JQ trojan (cleaned by deleting - quarantined) E0BAB02D685E0168B28E5F74F0B94C30 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACadubqbrpuyavyxv.dll.vir Win32/Olmarik.JQ trojan (cleaned by deleting - quarantined) E93379FA9B6E56694E1F449883D180C1 C
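
The ESET Online Scanner log format shown above, parsed as an added example (this is not code from the thread, from ESET or from BleepingComputer): it reads the `# key=value` header and the detection lines, then separates hits on live files from hits on copies already sitting in ComboFix's `C:\Qoobox\Quarantine` folder (the `*.vir` remnants), which is why two Olmarik detections here do not mean the rootkit is still active. The detection-line layout, the meaning of its columns and the Qoobox convention are inferred from the log itself and are assumptions of this example.

```python
import re
from dataclasses import dataclass
# Constructed sample in the shape of the ESET Online Scanner log posted above;
# the two detection lines are copied from the thread, the header is trimmed.
SAMPLE_LOG = r"""
OnlineScanner.ocx - registred OK
# found=2
# cleaned=2
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACylhmnkltfevqxeh.sys.vir Win32/Olmarik.JQ trojan (cleaned by deleting - quarantined) E0BAB02D685E0168B28E5F74F0B94C30 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACadubqbrpuyavyxv.dll.vir Win32/Olmarik.JQ trojan (cleaned by deleting - quarantined) E93379FA9B6E56694E1F449883D180C1 C
"""

HEADER_RE = re.compile(r"^#\s*(?P<key>[^=]+)=(?P<value>.*)$")
# Detection layout as seen in the thread; the trailing one-letter column is undocumented here.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"                # file path (may contain spaces)
    r"(?P<threat>\S+(?:\s+\w+)?)\s+"    # e.g. "Win32/Olmarik.JQ trojan"
    r"\((?P<action>[^)]*)\)\s+"         # e.g. "cleaned by deleting - quarantined"
    r"(?P<md5>[0-9A-Fa-f]{32})"         # MD5 of the flagged file
    r"(?:\s+\S+)?$"                     # optional trailing flag column
)

@dataclass
class Detection:
    path: str
    threat: str
    action: str
    md5: str

    def in_quarantine(self) -> bool:
        # ComboFix keeps quarantined copies as *.vir under C:\Qoobox\Quarantine
        p = self.path.lower()
        return "\\qoobox\\quarantine\\" in p or p.endswith(".vir")

def parse_eset_log(text):
    header, detections = {}, []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if h := HEADER_RE.match(line):
            header[h["key"].strip()] = h["value"].strip()
        elif d := DETECTION_RE.match(line):
            detections.append(Detection(d["path"], d["threat"], d["action"], d["md5"]))
    return header, detections   # banner/OCX lines match neither pattern and are skipped

def triage(header, detections):
    """Live hits vs. remnants already in another tool's quarantine, plus a check of ESET's own totals."""
    live = [d.path for d in detections if not d.in_quarantine()]
    return {"found_matches_lines": int(header.get("found", 0)) == len(detections),
            "all_cleaned": header.get("cleaned") == header.get("found"),
            "live": live, "remnants": len(detections) - len(live)}
```

Run against a real log, an empty `live` list with a non-zero `remnants` count is the outcome seen in this thread: the scanner is re-flagging files another tool already pulled off the system.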

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 30 July 2009 - 11:03 PM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512



#15 Tash11

Tash11
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 31 July 2009 - 12:28 AM

Thanks so much fenzodahl512, you're a great help! My computer is running just like new.

Seems to be all cleaned up and you made it easy for me to do.

Thanks again, Tash.



