Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

2ND ATTEMPT: Please Help


  • Please log in to reply
17 replies to this topic

#1 lips24

lips24

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 13 August 2009 - 07:04 PM

Hello all, I'm hoping someone will be able to help me with this. This is my 2nd post about this (I don't mean to be inpatient but this virus seems pretty serious).

I have a virus on my computer that originated from a pop up for "AV Care" which consequently installed this "AV Care" program on my desktop (which I removed via control panel > Add/Remove Programs). Now my computer is having the following issues...

It hijacks my IE and Firefox web browsers. If I search on a web browser and click on a search result link, it will take me to a new window tab and to a SPAM website.

I have attempted to go to System Restore but all of my previous restore dates have been deleted by the virus.

When I restart my computer I receive a message that ViewMgr has encountered an error and needs to close.

Also, random audio will stream for no reason and with no apparent program open to know where it is coming from. It is usually a commercial Ad or even sounds like a TV show. I have narrowed this down to the virus using iexplorer.exe to stream this audio. If I open my task manager and end the iexplorer.exe process the audio will stop, but it will automatically restart several times before it stops for good.

I have run SDfix, Norton Anti-Virus Corporate Edition 2000, Eset online scanner, and Ad-Aware Free Anniversary Edition.

All of these programs have found one form of Adware or Malware and claimed to remove them, but the above issues remain.

Ad-Aware consistently finds a Malware trojan named Win32.Trojan.Tdss. I ran SDfix to try and remove this but have been unsuccessful. The file name of this trojan is...


C:\WINDOWS\system32UACyrobquwnkx.dll


I am unable to actually locate this file when looking in the folder (hidden or unhidden).

Any assistance that you guys could provide would be great! Thank you for taking time to read this. :thumbsup:

BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:38 AM

Posted 13 August 2009 - 07:18 PM

Hello and :thumbsup: to BleepingComputer. I apologize for the delay in response, your original thread was unintentionally lost in the flood of cries for help.

You have a rootkit on your system. It is important that you follow all instructions exactly as given, and if you run into problems along the way you should stop and reply here for further instruction. Rootkits can be quite nasty but I think we can get rid of this one.

Please install RootRepeal
Note: Vista users ,, right click on desktop icon and select "Run as Administrator."
  • Go HERE, HERE, or HERE and download RootRepeal.zip to your Desktop.
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open Posted Image on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 lips24

lips24
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 13 August 2009 - 08:19 PM

Hi Blade Zephon, thank you for the quick response!

I should note that I received this error multiple times when opening the program just in case.

"Could not read the boot sector. Try adjusting the Disk Level in the Options dialog."


Here is my RootRepeal report. Lots of fun stuff!


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/13 20:11
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3963000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BA4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9769000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmokpavixbe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpkfqxmkves.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxbrtqsjtje.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxuiycdeuhy.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACypkkrviqml.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyrobquwnkx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe72.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACed.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UAClltkioydpb.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\UACd7fd.tmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: winlogon.exe (PID: 928) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: services.exe (PID: 976) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: lsass.exe (PID: 988) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: svchost.exe (PID: 1152) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACmokpavixbe.dll]
Process: svchost.exe (PID: 1152) Address: 0x00720000 Size: 77824

Object: Hidden Module [Name: UACyrobquwnkx.dll]
Process: svchost.exe (PID: 1152) Address: 0x00ae0000 Size: 73728

Object: Hidden Module [Name: UACed.tmpkkrviqml.dll]
Process: svchost.exe (PID: 1152) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACed.tmpkkrviqml.dll]
Process: svchost.exe (PID: 1240) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACed.tmpkkrviqml.dll]
Process: svchost.exe (PID: 1364) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACed.tmpkkrviqml.dll]
Process: svchost.exe (PID: 1416) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACed.tmpkkrviqml.dll]
Process: svchost.exe (PID: 1484) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACmokpavixbe.dll]
Process: Explorer.EXE (PID: 1888) Address: 0x10000000 Size: 77824

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: spoolsv.exe (PID: 156) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: ehtray.exe (PID: 368) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: readericon45G.exe (PID: 376) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: RUNDLL32.EXE (PID: 408) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: zHotkey.exe (PID: 420) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: RTHDCPL.EXE (PID: 444) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: vptray.exe (PID: 468) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: PDUiP6600DMon.exe (PID: 476) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: iTunesHelper.exe (PID: 492) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: ctfmon.exe (PID: 516) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: PNAMain.exe (PID: 852) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACed.tmpkkrviqml.dll]
Process: svchost.exe (PID: 1636) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: AppleMobileDeviceService.exe (PID: 1408) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: mDNSResponder.exe (PID: 1728) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: cvpnd.exe (PID: 1776) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: defwatch.exe (PID: 1748) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: ehRecvr.exe (PID: 1096) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: ehSched.exe (PID: 248) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: rtvscan.exe (PID: 1836) Address: 0x01300000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: nvsvc32.exe (PID: 724) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: PRISMXL.SYS (PID: 760) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACed.tmpkkrviqml.dll]
Process: svchost.exe (PID: 484) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: MsgSys.EXE (PID: 2392) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: mcrdsvc.exe (PID: 2120) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: iPodService.exe (PID: 2372) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: dllhost.exe (PID: 3260) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: alg.exe (PID: 3556) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: ehmsas.exe (PID: 2800) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACypkkrviqml.dll]
Process: firefox.exe (PID: 3524) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACypkkrviqml.dll]
Process: Iexplore.exe (PID: 3392) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACypkkrviqml.dll]
Process: Iexplore.exe (PID: 3972) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: RootRepeal.exe (PID: 4020) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACpkfqxmkves.dll]
Process: WINWORD.EXE (PID: 4056) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACypkkrviqml.dll]
Process: Iexplore.exe (PID: 3224) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACypkkrviqml.dll]
Process: Iexplore.exe (PID: 776) Address: 0x10000000 Size: 217088

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UAClltkioydpb.sys

==EOF==

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:38 AM

Posted 13 August 2009 - 08:23 PM

Good.

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\drivers\UAClltkioydpb.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

***************************************************

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from [http://www.malwarebytes.org/mbam/database/mbam-rules.exe]here[/url] and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 lips24

lips24
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 13 August 2009 - 08:51 PM

Here is my MBAM Log. It did indeed have me reboot my computer.


Malwarebytes' Anti-Malware 1.40
Database version: 2618
Windows 5.1.2600 Service Pack 3

8/13/2009 8:48:04 PM
mbam-log-2009-08-13 (20-48-04).txt

Scan type: Quick Scan
Objects scanned: 107607
Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_windev-6c1-122 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\UACpkfqxmkves.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACypkkrviqml.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACe72.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tk204jxO.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xvyu5i4c.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACmokpavixbe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACxbrtqsjtje.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACyrobquwnkx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UAClltkioydpb.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:38 AM

Posted 13 August 2009 - 08:52 PM

Please run another Quick Scan, and tell me if Malwarebytes finds anything this time. I want to make sure that none of the files are regenerating.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 lips24

lips24
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 13 August 2009 - 09:00 PM

Done, MBAM did not find anything again. Here is the Log.

Malwarebytes' Anti-Malware 1.40
Database version: 2618
Windows 5.1.2600 Service Pack 3

8/13/2009 9:00:16 PM
mbam-log-2009-08-13 (21-00-16).txt

Scan type: Quick Scan
Objects scanned: 107549
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:38 AM

Posted 13 August 2009 - 09:43 PM

Fantastic! I'd like us to run a cleaning utility, and then one other scanner. Please note that this scanner may take some time to run.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, do NOT log in under the account titled "Admin" or "Administrator"

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
~Blade


In your next reply, please include the following:
SUPERAntiSpyware log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#9 lips24

lips24
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 14 August 2009 - 07:29 AM

Here is my SuperAntiSpyware Log... Looks like everything is all taken care of!




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/14/2009 at 01:38 AM

Application Version : 4.27.1002

Core Rules Database Version : 4056
Trace Rules Database Version: 1996

Scan type : Complete Scan
Total Scan Time : 02:57:08

Memory items scanned : 256
Memory threats detected : 0
Registry items scanned : 5598
Registry threats detected : 0
File items scanned : 56107
File threats detected : 0

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:38 AM

Posted 14 August 2009 - 07:47 AM

Excellent, everything looks good here! Are all your symptoms gone?

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#11 lips24

lips24
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 14 August 2009 - 06:25 PM

Yup, I haven't come across any reason to believe that there may still be a virus. Thank you for all of your help! I really appreciate it. :thumbsup:

#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:38 AM

Posted 14 August 2009 - 09:53 PM

Excellent! If all your issues have been resolved, then:

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and enable system restore here: Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above.

Next, please hide your System Files. To do this, please refer to the following guide and reverse its steps: "How To See Hidden Files in Windows."


This should give you a good start into malware free pc usage. However I do suggest to visit the following additional information listed below:I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation, is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atl east one of them (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,912 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:38 AM

Posted 15 August 2009 - 12:07 AM

Hello there,

Glad things are working for you now. I found your first topic, and consequently discovered why you didn't get a reply to it: you posted logs restricted to the HiJack This forum. I'm going to go ahead and delete that topic since you have received assistance here.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#14 lips24

lips24
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 15 August 2009 - 03:32 PM

Thank you both for all of the info. This is great! I will certainly pass the word on about you guys. :thumbsup:

#15 lips24

lips24
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 15 August 2009 - 04:31 PM

Blade,

I ran RootRepeal again and UAClltkioydpb.sys is showing up under hidden services. Is this ok?



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/15 16:26
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3F0D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BA4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB856B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: zbwkgv.sys
Image Path: zbwkgv.sys
Address: 0xF765C000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UAClltkioydpb.sys

==EOF==




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users