Rootkit.Agent.ODG & uacinit.dll


This topic is locked
9 replies to this topic

#1 c00lguy20
  • Members
  • 4 posts

Posted 27 August 2009 - 10:50 PM

Hi. I have unexplained audio playing from my computer, search engine redirection, and general system problems including system crashes and failed boots at start-up.
After much difficulty, I updated Malwarebytes, which detects two infections:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC is deleted, but keeps coming back, and C:\WINDOWS\system32\uacinit.dll which cannot be removed, even after reboot.

I also downloaded ESET NOD32, which cleaned out several infections, but two remain.
\\?\globalroot\systemroot\system32\UACxnrvkqrclw.dll - Win32/Olmarik.IJ trojan - cleaned by deleting - quarantined [1] This infection also continues to return.
Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean

Please note, the programs funny cat, funny kitty, and Kitty are Malwarebytes renamed by me to get the program to run.
Thank you very much for any help with this problem.

DDS (Ver_09-07-30.01) - NTFSx86
Run by George at 23:03:21.93 on Thu 08/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.294 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\1132106234\ee\AOLSoftware.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\George\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.queenslibrary.org/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar1.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar1.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Amp'd LIVE Download Manager] "c:\program files\media manager\mediamanager.exe" "c:\documents and settings\george\application data\media manager\amp'd\Main.plc"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [HostManager] c:\program files\common files\aol\1132106234\ee\AOLSoftware.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Logitech Utility] LOGI_MWX.EXE
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - c:\program files\partygaming\partygammon\RunBackGammon.exe
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.remote.baruch.cuny.edu/lib/baruch/support/plugins/ebraryRdr.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxps://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxps://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\funnykitty\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\funnykitty\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\george\applic~1\mozilla\firefox\profiles\i4dm78t1.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/finance
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\george\application data\mozilla\firefox\profiles\i4dm78t1.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-7 353672]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-2-24 317440]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-4-4 464264]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
RUnknown budcaymo;budcaymo; [x]
S2 idcwg;idcwg;c:\windows\system32\drivers\tzabinvw.sys --> c:\windows\system32\drivers\tzabinvw.sys [?]
S2 mwtvllof;mwtvllof;c:\windows\system32\drivers\hutwvepc.sys --> c:\windows\system32\drivers\hutwvepc.sys [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-11-15 245760]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2009-08-23 16:57 <DIR> --d----- c:\program files\ESET
2009-08-14 01:35 <DIR> --d----- C:\3beb01a6730f693d10473642
2009-08-13 00:56 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-13 00:56 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-11 13:53 <DIR> --d----- c:\program files\kitty
2009-08-11 13:28 <DIR> --d----- c:\program files\funnycat
2009-08-11 12:45 <DIR> --d----- c:\program files\funnykitty
2009-08-11 12:45 <DIR> --d----- c:\docume~1\george\applic~1\SUPERAntiSpyware.com
2009-08-09 05:25 54,156 a---h--- c:\windows\QTFont.qfn
2009-08-09 05:25 1,409 a------- c:\windows\QTFont.for
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-27 22:57 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 09:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2005-07-14 15:31 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2006-06-30 20:52 56 ---shr-- c:\windows\system32\BCC61F326B.sys
2006-06-30 20:52 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-28 20:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012820090129\index.dat

============= FINISH: 23:05:38.32 ===============

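A first pass over a DDS log like the one above can be automated. The following is an added example, not code from this thread and not part of the DDS tool: it reads the Trusted Zone lines and the SERVICES / DRIVERS entries, where DDS appends a date and size when it located the image, "[?]" when it could not verify it, and "[x]" when there is no image path at all, and it flags entries whose image is unverified and whose display name is just the service name repeated. SAMPLE_DDS is constructed in the DDS format with entries of the same shape as the posted log; the Finding class and the severity labels are this example's own.

```python
"""Triage the Trusted Zone and SERVICES / DRIVERS entries of a DDS log.

Added example for this thread; not part of DDS and not code from the posts.
SAMPLE_DDS is constructed in the DDS log format with entries of the same shape as the posted log.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# DDS service lines: "<start type> <service name>;<display name>;<image path> [<date> <size>]".
# DDS prints "[?]" when it could not stat the image and "[x]" when there is no image path at all.
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com

============= SERVICES / DRIVERS ===============
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
RUnknown budcaymo;budcaymo; [x]
S2 idcwg;idcwg;c:\windows\system32\drivers\tzabinvw.sys --> c:\windows\system32\drivers\tzabinvw.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
"""

SERVICE_RE = re.compile(r"^(?P<type>R\d|S\d|RUnknown)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?P<host>\S+)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # "service" or "trusted_zone"
    name: str      # service short name or trusted host
    severity: str  # "high" or "review"
    reason: str


def image_status(rest: str) -> str:
    """Map the trailing DDS marker to 'verified' (date and size), 'unverified' ([?]) or 'missing' ([x])."""
    rest = rest.rstrip()
    if rest.endswith("[x]"):
        return "missing"
    if rest.endswith("[?]"):
        return "unverified"
    return "verified"


def triage_dds(text: str) -> list[Finding]:
    findings: list[Finding] = []
    seen_hosts: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        tz = TRUSTED_RE.match(line)
        if tz:
            host = tz.group("host").lower()
            if host not in seen_hosts:  # DDS lists the per-user and per-machine copies separately
                seen_hosts.add(host)
                findings.append(Finding("trusted_zone", host, "review",
                                        "site in the IE Trusted Zone; confirm it was added on purpose"))
            continue
        svc = SERVICE_RE.match(line)
        if not svc:
            continue
        name, display = svc.group("name"), svc.group("display")
        status = image_status(svc.group("rest"))
        if status == "verified":
            continue  # DDS located and sized the image; nothing to flag from this line alone
        # Real services carry a descriptive display name; the random-named entries in the
        # thread repeat the short name as the display name, so treat that pairing as high.
        generic = name.lower() == display.lower()
        if status == "missing" or generic:
            reason = f"image {status}" + ("; display name is just the service name" if generic else "")
            findings.append(Finding("service", name, "high", reason))
        else:
            findings.append(Finding("service", name, "review",
                                    "image not verified by DDS (path carries arguments); check the binary by hand"))
    return findings
```

vsmon lands in the review bucket rather than high because DDS could not stat a path that carries a "-service" argument, and its descriptive display name is the cue that it deserves a manual look rather than being treated as a rootkit service. The display-name heuristic is a triage aid, not proof: a service whose image cannot be located still needs its registry key and binary examined before anything is deleted.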

 


#2 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 10 September 2009 - 08:15 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log please refer to this page; in step #6 there are instructions on downloading and running DDS. If you have any problems just let me know in your next reply or simply post a Hijackthis log.

Then, please run RootRepeal:

Download and run RootRepeal CR

Please download RootRepeal to your desktop
Alternative Download Link 2
Alternative Download Link 3
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Unzip it to its own folder
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now click the Scan button in the Report Tab.
  • A box will pop up, check the boxes beside ALL seven options/scan areas
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].
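Once a RootRepeal report comes back, the useful step is to read its four sections against each other rather than one at a time. The following is an added example, not RootRepeal's code and not from this thread: it splits the report on RootRepeal's title-plus-dashed-rule layout, collects hidden drivers, invisible files, SSDT hooks and hidden modules, then reports which injected modules are also invisible on disk, how many processes carry one, and which hooks RootRepeal could not attribute. SAMPLE_REPORT is constructed in that layout with names modelled on a report posted later in this thread; the function names and the summary keys are this example's own.

```python
"""Parse a RootRepeal report and cross-reference its sections for triage.

Added example for this thread; not RootRepeal's code and not from the posts.
SAMPLE_REPORT is constructed in RootRepeal's report layout with names modelled on a report in this thread.
"""
from __future__ import annotations
import re

SAMPLE_REPORT = r"""Drivers
-------------------
Name: rootrepeal.sys
Status: -

Name: SKYNETeabgoeji.sys
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxckkylvj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETeabgoeji.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86b2ca60

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: winlogon.exe (PID: 776) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 1012) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: UACihmbppyrne.dll]
Process: svchost.exe (PID: 1012) Address: 0x009b0000 Size: 73728
"""

SSDT_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s*(?P<fn>\w+)$")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "(?P<who>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)$')
MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<mod>[^\]]+)\]$")
PROCESS_RE = re.compile(r"^Process:\s*(?P<proc>\S+)\s+\(PID:\s*(?P<pid>\d+)\)")

def split_sections(text: str) -> dict[str, list[list[str]]]:
    """Map each section title (the line above a dashed rule) to its blank-line-separated records."""
    lines = text.splitlines()
    sections: dict[str, list[list[str]]] = {}
    current, rec = None, []
    for i, line in enumerate(lines):
        header = bool(line.strip()) and i + 1 < len(lines) and lines[i + 1].startswith("-----")
        if (header or not line.strip()) and rec and current is not None:
            current.append(rec)  # a blank line or a new title closes the open record
            rec = []
        if header:
            current = sections.setdefault(line.strip(), [])
        elif line.strip() and not line.startswith("-----") and current is not None:
            rec.append(line.strip())
    if rec and current is not None:
        current.append(rec)
    return sections

def field(rec: list[str], key: str) -> str:
    for line in rec:  # value of the first "key: value" line, or "" if absent
        if line.startswith(key + ":"):
            return line[len(key) + 1:].strip()
    return ""

def parse_report(text: str) -> dict:
    s = split_sections(text)
    report: dict = {"hidden_drivers": [], "hidden_files": [], "hooks": {}, "injections": {}}
    for r in s.get("Drivers", []):
        if field(r, "Status").startswith("Hidden"):
            report["hidden_drivers"].append(field(r, "Name"))
    for r in s.get("Hidden/Locked Files", []):
        # "Locked" (hiberfil.sys, the page file) is normal; "Invisible" means the file API never returns the file
        if field(r, "Status").startswith("Invisible"):
            report["hidden_files"].append(field(r, "Path"))
    for r in s.get("SSDT", []):
        m, h = SSDT_RE.match(r[0]), (HOOK_RE.match(r[1]) if len(r) > 1 else None)
        if m and h:
            report["hooks"][m.group("fn")] = (h.group("who"), h.group("addr"))
    for r in s.get("Stealth Objects", []):
        m, p = MODULE_RE.match(r[0]), (PROCESS_RE.match(r[1]) if len(r) > 1 else None)
        if m and p:
            report["injections"].setdefault(m.group("mod"), set()).add((p.group("proc"), int(p.group("pid"))))
    return report

def summarize(report: dict) -> dict:
    """Cross-reference: a module that is invisible on disk and injected system-wide is the strongest rootkit signal."""
    hidden_names = {path.rsplit("\\", 1)[-1].lower() for path in report["hidden_files"]}
    return {
        "hidden_drivers": list(report["hidden_drivers"]),
        "injected_and_hidden": sorted(m for m in report["injections"] if m.lower() in hidden_names),
        "processes_with_hidden_module": len({pid for procs in report["injections"].values() for _, pid in procs}),
        # Unattributed hooks on process/thread control calls can also come from AV or firewall self-protection
        "unattributed_hooks": sorted(fn for fn, (who, _) in report["hooks"].items() if who == "<unknown>"),
    }
```

"Locked" files such as hiberfil.sys are normal and are skipped; "Invisible" means the Windows file API does not return the file at all while RootRepeal's raw scan does. The unattributed hooks on NtOpenProcess, NtTerminateProcess and the other process and thread control calls are listed separately because firewall and antivirus self-protection drivers hook exactly those entries, so on their own they are not evidence of a rootkit. The same hidden module loaded into winlogon.exe, services.exe, lsass.exe and every svchost.exe, while being invisible on disk, is.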

#3 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 13 September 2009 - 04:32 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 c00lguy20
  • Topic Starter
  • Members
  • 4 posts

Posted 14 September 2009 - 04:32 PM

Hi Extremeboy, thank you for your reply. Sorry for my delay in responding. I am still having issues with my computer (these trojans don't fix themselves). I am unable to run the required logs at the moment, but I will do so tomorrow (9/15). Your help is greatly appreciated, as my computer is quite handicapped. I will re-post tomorrow. Thanks.
Best,
C00LGUY20

#5 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 14 September 2009 - 08:25 PM

Okay.

Thanks for letting me know. :(

With Regards,
Extremeboy

#6 c00lguy20
  • Topic Starter
  • Members
  • 4 posts

Posted 17 September 2009 - 10:55 PM

My apologies for my extended delay in replying. Here is the requisite info. I hope I have followed the instructions accurately.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/27 23:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9D11000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AD4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: oexwa.sys
Image Path: C:\WINDOWS\system32\drivers\oexwa.sys
Address: 0xF77CE000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA943F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETeabgoeji.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETeabgoeji.sys
Address: 0xA9FC1000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF72F7000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACihmbppyrne.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETnjyodrbi.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETodxlqeoa.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxckkylvj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETyvxmpacs.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACiqwgrfvpgb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACorigsgemkw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpuwqoirirt.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqmieilaslt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvfuiuiqakh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxnrvkqrclw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtudcyetfnn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC1e12.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC385.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACee86.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf51e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACfb38.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACjnbowmvpwd.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETeabgoeji.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\George\Local Settings\Temp\UACdd8.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\george\local settings\application data\mozilla\firefox\profiles\i4dm78t1.default\cache\_cache_map_
Status: Allocation size mismatch (API: 280, Raw: 0)

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86b2ca60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x86b2ce80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86b2d460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86b2d280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86b2cc90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86b2d0b0

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: winlogon.exe (PID: 776) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: services.exe (PID: 824) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: lsass.exe (PID: 836) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETodxlqeoa.dll]
Process: svchost.exe (PID: 1012) Address: 0x006f0000 Size: 53248

Object: Hidden Module [Name: UACihmbppyrne.dll]
Process: svchost.exe (PID: 1012) Address: 0x009b0000 Size: 73728

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 1012) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 1116) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: MsMpEng.exe (PID: 1236) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 1300) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 1340) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 1476) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 1596) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: vsmon.exe (PID: 1648) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: spoolsv.exe (PID: 1900) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 2004) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: AmazonGSDownloaderService.exe (PID: 2036) Address: 0x00900000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: AOLAcsd.exe (PID: 140) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: aoltsmon.exe (PID: 176) Address: 0x003e0000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: AppleMobileDeviceService.exe (PID: 228) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: aoltpspd.exe (PID: 252) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: AskService.exe (PID: 284) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: mDNSResponder.exe (PID: 336) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: ehRecvr.exe (PID: 368) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: ehSched.exe (PID: 564) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: ekrn.exe (PID: 588) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: ITMRTSVC.exe (PID: 840) Address: 0x00670000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: MDM.EXE (PID: 1324) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 1360) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: svchost.exe (PID: 2068) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: wanmpsvc.exe (PID: 2152) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: mcrdsvc.exe (PID: 2316) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: dllhost.exe (PID: 2688) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: alg.exe (PID: 2892) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: Explorer.EXE (PID: 3528) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: ehtray.exe (PID: 3812) Address: 0x00e70000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: hkcmd.exe (PID: 3836) Address: 0x003a0000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: igfxpers.exe (PID: 3904) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: jusched.exe (PID: 3912) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: stsystra.exe (PID: 3920) Address: 0x00f10000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: IntelMEM.exe (PID: 3928) Address: 0x003e0000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: DVDLauncher.exe (PID: 3940) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: issch.exe (PID: 3948) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: MpfTray.exe (PID: 3984) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: AOLSoftware.exe (PID: 4000) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: mcagent.exe (PID: 4032) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: ehmsas.exe (PID: 348) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: MpfAgent.exe (PID: 472) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: dlccmon.exe (PID: 512) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: MPFSERVICE.exe (PID: 1524) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: dlcccoms.exe (PID: 2324) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: MSASCui.exe (PID: 2464) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: iTunesHelper.exe (PID: 2752) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: LOGI_MWX.EXE (PID: 2788) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: AmazonGSDownloaderTray.exe (PID: 2824) Address: 0x00980000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: realsched.exe (PID: 2848) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: zlclient.exe (PID: 2564) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: egui.exe (PID: 2556) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: ctfmon.exe (PID: 2916) Address: 0x00d20000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: DSAgnt.exe (PID: 2968) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: TeaTimer.exe (PID: 2616) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: iPodService.exe (PID: 1404) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: wuauclt.exe (PID: 3348) Address: 0x00d50000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: firefox.exe (PID: 4532) Address: 0x00f20000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: RootRepeal.exe (PID: 5092) Address: 0x10000000 Size: 32768

Object: Hidden Code [ETHREAD: 0x86ef9da8]
Process: System Address: 0x86b2b790 Size: 1000

Hidden Services
-------------------
Service Name: SKYNETrmttuenx
Image Path: C:\WINDOWS\system32\drivers\SKYNETeabgoeji.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACjnbowmvpwd.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9e2ee70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9e2ef20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9e2efe0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9e2dd60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9e2f250

==EOF==

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/17 23:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9D11000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B0E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA865C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETeabgoeji.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETeabgoeji.sys
Address: 0xA9FC1000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7309000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACfhxrsdqqpc.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACihmbppyrne.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETnjyodrbi.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETodxlqeoa.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETpxeooivn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxckkylvj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETyvxmpacs.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACiqwgrfvpgb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACorigsgemkw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpuwqoirirt.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqmieilaslt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvfuiuiqakh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxnrvkqrclw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkosspuctfh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvxtbdmocfv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmbabuxtpet.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmceuqwernn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmcvdvrtqev.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmqbvpejvle.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETmttvqolbdi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETnvmtsithsi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEToiemloliwy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETombiqjibch.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETorcrnsvoyn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpxegerapfh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETpylqypqfvk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsibmimcepy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETsieqqxqyci.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETspqwmcxrch.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtrpfdibibp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETtudcyetfnn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETufduvraprp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETuwiquxxnor.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETvcrrjjxykf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbcrnsvxdiw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETbyplpxumip.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcdcvsthten.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETckixtuwore.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETcqcnprkduw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETfpfvksmixb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNEThjinvhxrbi.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETiorjkpijxy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETkkbvrppbdw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETweatpuuedj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwtrxtqibap.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETwxqusjlyex.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxkppjqfena.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxqoreqnfpy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETxqwcwmrxnl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\SKYNETyqftpeomtv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC1e12.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC2636.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC351b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC46d3.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe044.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACec73.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACee86.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACjnbowmvpwd.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNETeabgoeji.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\george\local settings\temp\etilqs_jgfl8gkpncktax69k4da
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\george\local settings\temp\etilqs_tq4xwkdz4anxjujoytiz
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\George\Local Settings\Temp\UACdd8.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\all users\application data\eset\eset nod32 antivirus\updfiles\upd6bb6.ver
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86afea60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x86afee80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86aff460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86aff280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86afec90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86aff0b0

Stealth Objects
-------------------
Object: Hidden Module [Name: UACihmbppyrne.dll]
Process: svchost.exe (PID: 1020) Address: 0x00790000 Size: 73728

Object: Hidden Module [Name: SKYNETodxlqeoa.dll]
Process: svchost.exe (PID: 1020) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: UACiqwgrfvpgb.dll]
Process: Iexplore.exe (PID: 1320) Address: 0x092e0000 Size: 217088

Object: Hidden Code [ETHREAD: 0x86bc7328]
Process: System Address: 0x86afd790 Size: 1000

Hidden Services
-------------------
Service Name: SKYNETrmttuenx
Image Path: C:\WINDOWS\system32\drivers\SKYNETeabgoeji.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACjnbowmvpwd.sys

==EOF==

I still have similar problems as originally stated. Windows does not always boot properly and sometimes takes several attempts to boot. Sometimes I can only boot in safe mode, where I can run Malwarebytes, which helps temporarily. I get unexplained audio playing from my speakers, although it does not happen as often as before. Sometimes Firefox will crash on me. Sometimes the computer just grinds to a halt, and when I try to open Task Manager, I will get like 99 Task Manager windows. A couple of times, my computer has shut down unexpectedly and I get the blue screen message that Windows has shut down to protect from damage, or something to that effect. Your help is most greatly appreciated. Thanks.
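The RootRepeal output above is the evidence the rootkit diagnosis in the next reply rests on. As an added example (not part of the thread and not RootRepeal's own code), the following Python helper parses that report format and pulls out the kernel-level indicators a responder looks for: SSDT entries hooked by "<unknown>", drivers and services hidden from the Windows API, and DLLs hidden inside many processes; SAMPLE_REPORT is a constructed excerpt in the same format, reusing names from the log.

```python
# Added example, not from the thread: triage helper for RootRepeal's report format.
# SAMPLE_REPORT is a constructed excerpt using names from the log above.
import re
from collections import defaultdict

MODULE_RE = re.compile(r"Hidden Module \[Name: ([^\]]+)\]")
FUNC_RE = re.compile(r"Function Name: (\w+)")

SAMPLE_REPORT = r"""
Drivers
-------------------
Name: SKYNETeabgoeji.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETeabgoeji.sys
Address: 0xA9FC1000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86afea60

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa9e2ee70

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: services.exe (PID: 824) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: SKYNETxckkylvj.dll]
Process: lsass.exe (PID: 836) Address: 0x10000000 Size: 32768

Object: Hidden Code [ETHREAD: 0x86ef9da8]
Process: System Address: 0x86b2b790 Size: 1000

Hidden Services
-------------------
Service Name: SKYNETrmttuenx
Image Path: C:\WINDOWS\system32\drivers\SKYNETeabgoeji.sys

==EOF==
"""

def parse(report):
    """Return {section: [records]}; a record is the 'Key: value' lines between blank lines."""
    sections, section, rec = defaultdict(list), None, []
    for line in report.splitlines() + [""]:
        line = line.strip()
        if line and set(line) == {"-"} and rec:  # dashed underline: the line above is the header
            section, rec = rec[-1], []
        elif line:
            rec.append(line)
        elif rec and section:
            sections[section].append(dict(l.split(": ", 1) for l in rec if ": " in l))
            rec = []
    return sections

def triage(report):
    """Kernel-level evidence: unowned SSDT hooks, hidden drivers/services, DLLs hidden in processes."""
    secs = parse(report)
    modules = defaultdict(set)
    for r in secs["Stealth Objects"]:
        m = MODULE_RE.search(r.get("Object", ""))  # skips 'Hidden Code' and other object kinds
        if m:
            modules[m.group(1)].add(r["Process"].split()[0])
    hooks = [FUNC_RE.search(r["#"]).group(1) for r in secs["SSDT"]
             if "#" in r and 'Hooked by "<unknown>"' in r.get("Status", "")]
    drivers = [r["Name"] for r in secs["Drivers"] if "Name" in r and "Hidden" in r.get("Status", "")]
    services = [(r["Service Name"], r.get("Image Path", ""))
                for r in secs["Hidden Services"] if "Service Name" in r]
    return {"hidden_modules": {k: sorted(v) for k, v in modules.items()},
            "unknown_ssdt_hooks": hooks, "hidden_drivers": drivers, "hidden_services": services,
            # a hook nobody owns plus a hidden driver or service is an active kernel rootkit
            "rootkit_likely": bool(hooks or drivers or services)}
```

Hooks owned by a named, legitimate driver (the vsdatant.sys firewall hooks in the sample) are left out of the verdict; only the unattributed ones count.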


#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:47 PM

Posted 18 September 2009 - 03:40 PM

Hello.

You have a rootkit infection active here...

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue, please follow the instructions below...

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 c00lguy20

c00lguy20
  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:47 PM

Posted 20 September 2009 - 07:05 PM

Hi Extremeboy.
Thank you for the valuable info. After much consideration, I have decided to reformat my hard drive. Thank you for volunteering to help everyday computer users in this complicated world of trojan viruses. Feel free to close this topic.
Thanks again.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:47 PM

Posted 21 September 2009 - 03:19 PM

You're welcome.

Thanks for letting me know. Format was a good decision here.

Some prevention tips below:
Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

With Regards,
Extremeboy

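As an added example (not the poster's or BleepingComputer's code), a Python helper covering the two points made in the Autorun section above: what an autorun.inf found on a drive's root would launch, including a `shell=` line that rewires the double-click verb, which is why the note says double-clicking a drive can still trigger it; and which drive types a given NoDriveTypeAutoRun policy value still leaves Autorun enabled on. SAMPLE_INF is a constructed file; the policy bits are the documented bitmask for that registry value.

```python
# Added example, not from the thread: a defender's look at a removable drive before use.
# SAMPLE_INF is a constructed autorun.inf. DRIVE_TYPE_BITS is the documented bitmask of
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
# (one bit per drive type; see Microsoft KB967715 for the XP fixes that make it honoured).
DRIVE_TYPE_BITS = [(0x01, "unknown"), (0x04, "removable"), (0x08, "fixed"),
                   (0x10, "network"), (0x20, "CD-ROM"), (0x40, "RAM disk")]
LAUNCH_KEYS = ("open", "shellexecute")

SAMPLE_INF = r"""
[AutoRun]
; constructed sample for illustration
icon=Photos.ico
label=Holiday Photos
OPEN=hidden\update.exe
shell\open\command=hidden\update.exe
shell=open
"""

def parse_autorun_inf(text):
    """Return the [autorun] section as {lower-case key: value}; blank, comment and
    non key=value lines are ignored, as Windows ignores them when it reads the file."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys

def assess_autorun_inf(text):
    """Every command the file could launch, plus whether it redirects the double-click verb."""
    keys = parse_autorun_inf(text)
    commands = {k: v for k, v in keys.items()
                if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}
    return {"commands": commands,
            "default_verb": keys.get("shell"),  # 'shell=' makes that verb run on double-click
            "risky": bool(commands or keys.get("shell"))}

def autorun_still_enabled(no_drive_type_autorun):
    """Drive types on which Autorun still runs under the given policy value.
    XP's default 0x91 leaves removable drives enabled; 0xFF disables all of them."""
    return [name for bit, name in DRIVE_TYPE_BITS if not no_drive_type_autorun & bit]
```

An autorun.inf that only sets `icon=` and `label=` is reported as not risky; anything that names a command to run, or changes the default verb, is.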

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:47 PM

Posted 21 September 2009 - 03:21 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy
