
XP Defender Virus


This topic is locked
14 replies to this topic

#1 husky1954


Posted 21 March 2010 - 03:06 PM

I have a virus that calls itself XP Defender. It manifests itself as a virus checker and puts out false reports about infections. It will not let me go to the internet and puts out pop-ups about every 30 seconds. I have tried Spybot, AVG, SuperAntiSpyware, rkill and Malwarebytes. The programs appear to run (I can see them in Windows Task Manager). However, they don't do anything. When I run SuperAntiSpyware it puts out a message that says "SuperAntiSpyware Free Edition has encountered a problem and needs to close. We are sorry for the inconvenience." I have also tried all this in safe mode. Nothing is working.

#2 techextreme


Posted 22 March 2010 - 01:47 PM

Please have a look at these removal instructions posted here. These may get you a little further. IF you are able to run Malwarebytes with these instructions, please post your log.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#3 husky1954


Posted 23 March 2010 - 08:19 AM

Techextreme,

I was able to run FixExe. However, the computer locked up afterward and I had to reboot. I was not able to run the MBAM setup; the program looks like it's running but did not do anything. After rebooting, Windows Automatic Update installed some programs and Adobe Updater started too. I now have automatic updates turned off. The good news is the popups are gone and I have access to most of the internet (Windows Update is blocked). I was able to download and install Spybot. However, it will not run.

Thanks for the help; I consider this a partial success. Is there anything else that can be done to get MBAM to run?

Regards,
Mike

#4 loleo


Posted 23 March 2010 - 08:43 AM

Hi, I'm not a computer pro or anything, but here is a suggestion:

A friend of mine had the infection earlier and we managed to get it partially under control. However, I cannot guarantee this will work, but hopefully it will help you a little.

See if you could install MBAM on a memory stick and then run the file directly from the memory stick.

#5 techextreme


Posted 23 March 2010 - 09:02 AM

Ok. If you've gotten exe's to work partially, I'm going to suggest a few more things.

First, once again run FixExe.Reg. We need this to complete so we can continue on with the cleaning process.

Second, and this may be completely unneeded but let's do it just for safety's sake.

Download rkill.com to your desktop.

Double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by these Rogue programs when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate these Rogue Programs. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the instructions.

After running rkill, please try running Malwarebytes. You may have to download and reinstall it once again as mbam.exe may now be corrupted. I would suggest you do this by following these instructions.

Scan for Spyware/Adware

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe, then save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

Please post the rkill log and the malwarebytes log.


#6 husky1954


Posted 23 March 2010 - 06:49 PM

techextreme,

1. Booted the computer in safe mode.
2. Ran fixexe.reg to successful completion.
3. Downloaded and ran rkill.
4. Downloaded mbam setup. Renamed and saved as zztoy.exe. Ran zztoy.exe. Installation went fine until the setup program got to "finishing installation". This took 25 minutes. Mbam-setup finished installing. I used the default settings, update Malwarebytes and launch Malwarebytes. After ten minutes Malwarebytes did not update or launch. I started it manually using a quick launch icon. Mbam showed up in Windows Task Manager but did not do anything. After about five minutes Mbam goes away. At this time I noticed two iterations of iexplore.exe in task manager. There is no window on the desktop for iexplore.exe.
5. Could not find the Mbam log. Should it be in the same place as the rkill log?
6. The rkill log is on the other computer. Here is what it has:
Ran as Owner on 03/23/2010 at 15:32:05.

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\rkill.com

Rkill completed on 03/23/2010 at 15:32:12.


7. I rebooted in normal mode and ran rkill again after saving the first rkill log. Here is what it has:
Ran as Owner on 03/23/2010 at 16:04:52.

Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\rkill.com

Rkill completed on 03/23/2010 at 16:04:59.

#7 husky1954


Posted 23 March 2010 - 07:09 PM

loleo,

I have tried this several times. It does not work either.

Now I am concerned that my flash drives are contaminated.

#8 boopme


Posted 23 March 2010 - 10:42 PM

Hello,
First, to clean the USB drive.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Let's do this, run SAS
Try MBAM again after this.

Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs, and let us know how the PC is running now.

#9 husky1954


Posted 24 March 2010 - 07:02 AM

Boopme,
I downloaded Flash_Disinfector.exe.
When I run it I get a message "Flash_Disinfector.exe has encountered a problem and needs to close. We are sorry for the inconvenience."
It shows up in the Task Manager but does nothing.

#10 techextreme


Posted 24 March 2010 - 07:07 AM

Were you able to run Superantispyware in Safe Mode?


#11 husky1954


Posted 24 March 2010 - 07:41 AM

Techextreme,
I get the same message "SUPERAntiSpyware Free Edition has encountered a problem and needs to close. We are sorry for the inconvenience."
It shows up in the Task Manager but does nothing.

#12 techextreme


Posted 24 March 2010 - 09:06 AM

We need to run a GMER scan
  • Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)

    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.

  • When the scan is complete, click Save and save the log onto your desktop.
Post the results of your log in your next reply please.

Edited by techextreme, 24 March 2010 - 09:07 AM.


#13 husky1954


Posted 25 March 2010 - 01:57 AM

Techextreme,
1. Booted in safe mode as administrator.
2. Was able to run ATF Cleaner.
3. Not able to run SAS. Same message as in previous post.
4. Downloaded and ran GMER. The scan finished and locked the computer. I was able to see the last entry and noted it. Seven entries were highlighted in red.
5. Ran GMER again with devices checked. This time I waited until the last entry, noted above, was entered in the log file, stopped the scan and saved the log file. It did not finish this time but I think it is complete. Please let me know if this is not good enough.


I do not know how to attach a file, so I will cut and paste it. Again please let me know if you need more.

Regards,
Mike

GMER.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-25 00:27:44
Windows 5.1.2600 Service Pack 2
Running: wsz4v9w5.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwpyapod.sys


---- System - GMER 1.0.15 ----

Code 83134A88 ZwEnumerateKey
Code 83134A50 ZwFlushInstructionCache
Code 8329A4DE IofCallDriver
Code 8329A796 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbhub \Device\0000009f Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbohci \Device\USBPDO-0 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbohci \Device\USBPDO-1 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbehci \Device\USBPDO-2 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbhub \Device\USBPDO-3 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbhub \Device\000000a0 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbhub \Device\000000a1 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0010 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0004 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0005 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0012 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0006 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCIIde \Device\Ide\PciIde1Channel0-2 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCIIde \Device\Ide\PciIde0Channel0-0 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCIIde \Device\Ide\PciIde2Channel0-4 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCIIde \Device\Ide\PciIde1Channel1-3 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCIIde \Device\Ide\PciIde2Channel1-5 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCIIde \Device\Ide\PciIde0Channel1-1 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0009 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbohci \Device\USBFDO-0 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbohci \Device\USBFDO-1 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbehci \Device\USBFDO-2 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \FileSystem\Cdfs \Cdfs F68CB400

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\UACnswwuyxv.sys (*** hidden *** ) F6F19000-F6F2C000 (77824 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACmytbaxhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [800] 0x00810000
Library \\?\globalroot\systemroot\system32\UACmytbaxhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [916] 0x00810000
Library \\?\globalroot\systemroot\system32\UACmytbaxhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [952] 0x00810000
Library \\?\globalroot\systemroot\system32\UACmytbaxhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1004] 0x00810000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACnswwuyxv.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnswwuyxv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACnswwuyxv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACrodapkbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACixuqydbr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACqobirjko.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACmlwhkyna.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmytbaxhi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACpqvxfujv.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACwvkyfmpf.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACulbirsod.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACkjbmqrrn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnswwuyxv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACnswwuyxv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACrodapkbg.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACixuqydbr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACqobirjko.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACmlwhkyna.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmytbaxhi.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACpqvxfujv.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACwvkyfmpf.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACulbirsod.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACkjbmqrrn.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\Implemented Categories\{F2BB56D1-DB07-11D1-AA6B-006097DB9539}
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\InprocServer32@ C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\MiscStatus\1@ 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\ProgID@ OWC11.PivotTable.11
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\ToolboxBitmap32@ C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL, 1010
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\TypeLib@ {0002E558-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\Verb\1
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\Verb\1@ &Edit,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\Verb\2
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\Verb\2@ Commands and &Options...,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\Version@ 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{0288B94B-0288-B94B-0288-B94B0288B94B}\VersionIndependentProgID@ OWC11.PivotTable

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Temp\UACf45d.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\UACnswwuyxv.sys 65536 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\uacinit.dll 19539 bytes
File C:\WINDOWS\system32\UACixuqydbr.dat 127 bytes
File C:\WINDOWS\system32\UACkjbmqrrn.dll 19968 bytes executable
File C:\WINDOWS\system32\UACmlwhkyna.dll 24576 bytes executable
File C:\WINDOWS\system32\UACmytbaxhi.dll 74240 bytes executable
File C:\WINDOWS\system32\UACpqvxfujv.log 5383 bytes
File C:\WINDOWS\system32\UACqobirjko.dll 27136 bytes executable
File C:\WINDOWS\system32\UACrodapkbg.dll 31232 bytes executable
File C:\WINDOWS\system32\UACulbirsod.log 108 bytes
File C:\WINDOWS\Temp\UAC4405.tmp 81408 bytes executable
File C:\WINDOWS\Temp\UAC4c17.tmp 61440 bytes
File C:\WINDOWS\Temp\UAC8eba.tmp 69632 bytes
File C:\WINDOWS\Temp\UACd22d.tmp 57344 bytes
File C:\WINDOWS\Temp\UACd707.tmp 73728 bytes

---- EOF - GMER 1.0.15 ----
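A small reader for GMER logs like the one above, added here as an example (it is not a tool from this thread or from GMER): it pulls out the "*** hidden ***" and "<-- ROOTKIT !!!" markers, reads the service's imagepath and modules values from the Registry section, and correlates them, so the driver hidden from the module list, the DLL hidden inside the svchost.exe processes, and the service's presence in more than one control set are reported together. The embedded log is a constructed excerpt of the log posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: excerpts of the GMER log posted in this thread (the UACd.sys
# service, its hidden driver and the DLL hidden inside svchost); not the full log.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\UACnswwuyxv.sys (*** hidden *** ) F6F19000-F6F2C000 (77824 bytes)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACmytbaxhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [800] 0x00810000
Library \\?\globalroot\systemroot\system32\UACmytbaxhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [916] 0x00810000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\UACnswwuyxv.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnswwuyxv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACnswwuyxv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmytbaxhi.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnswwuyxv.sys
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\UACnswwuyxv.sys 65536 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACmytbaxhi.dll 74240 bytes executable
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER [\d.]+ ----$")
# key shape: HKLM\SYSTEM\<control set>\Services\<service>[\modules]@<value name>
SERVICE_KEY_RE = re.compile(r"^HKLM\\SYSTEM\\(\w+)\\Services\\([^\\@]+)(?:\\modules)?@(\w+)$", re.I)
# line shape: <dll path> (*** hidden *** ) @ <process path> [<pid>] <base address>
LIBRARY_RE = re.compile(r"^(\S+) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\]")
HIDDEN_MARK = "*** hidden ***"
ROOTKIT_MARK = "<-- ROOTKIT !!!"


def basename(path: str) -> str:
    """Case-folded file name, so the systemroot and globalroot spellings compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text: str) -> dict:
    """One pass over the log, collecting the markers a log reviewer looks for."""
    report = {
        "hidden_modules": set(),         # drivers loaded but hidden from the module list
        "injections": defaultdict(set),  # hidden dll -> {(process, pid)} it was found inside
        "services": defaultdict(lambda: {"control_sets": set(), "imagepath": None, "modules": {}}),
        "rootkit_services": set(),       # service names GMER tagged "<-- ROOTKIT !!!"
        "rootkit_files": [],             # file paths GMER tagged "<-- ROOTKIT !!!"
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        kind, _, rest = line.partition(" ")
        if section == "Modules" and kind == "Module" and HIDDEN_MARK in rest:
            report["hidden_modules"].add(basename(rest.split(" ", 1)[0]))
        elif section == "Processes" and kind == "Library":
            m = LIBRARY_RE.match(rest)
            if m:
                report["injections"][basename(m.group(1))].add((basename(m.group(2)), int(m.group(3))))
        elif section == "Services" and kind == "Service" and ROOTKIT_MARK in rest:
            # the service name is the last token before the rootkit marker
            report["rootkit_services"].add(rest.replace(ROOTKIT_MARK, "").split()[-1])
        elif section == "Registry" and kind == "Reg":
            key, _, value = rest.partition(" ")
            m = SERVICE_KEY_RE.match(key)
            if m:
                control_set, svc, attr = m.groups()
                entry = report["services"][svc]
                entry["control_sets"].add(control_set)
                if attr.lower() == "imagepath":
                    entry["imagepath"] = value
                elif "\\modules@" in key:
                    entry["modules"][attr] = value
        elif section == "Files" and kind == "File" and ROOTKIT_MARK in rest:
            # "File <path> <size> bytes ..."; the path itself may contain spaces
            report["rootkit_files"].append(rest.split(" bytes")[0].rsplit(" ", 1)[0])
    return report


def correlate(report: dict) -> list:
    """Tie the per-section findings together the way a reviewer of this log would."""
    notes = []
    for svc, entry in sorted(report["services"].items()):
        driver = basename(entry["imagepath"]) if entry["imagepath"] else None
        if driver in report["hidden_modules"]:
            notes.append(f"{svc}: driver {driver} is loaded but hidden from the module list")
        if svc in report["rootkit_services"]:
            notes.append(f"{svc}: tagged by GMER as a rootkit service")
        for attr, path in entry["modules"].items():
            for proc, pid in sorted(report["injections"].get(basename(path), ())):
                notes.append(f"{svc}: module {attr} ({basename(path)}) hidden inside {proc} pid {pid}")
        if len(entry["control_sets"]) > 1:
            notes.append(f"{svc}: registered in {len(entry['control_sets'])} control sets, "
                         "so a Last Known Good boot will not shed it")
    notes.extend(f"file tagged as rootkit: {path}" for path in report["rootkit_files"])
    return notes
```

Running `correlate(parse_gmer(open("GMER.log").read()))` on the full log gives the same kind of summary for every service GMER listed under HKLM\SYSTEM\...\Services.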

#14 techextreme


Posted 25 March 2010 - 08:51 AM

At this point, I think this one is best left to the experts, so I'm going to refer you to the Virus, Trojan, Spyware, and Malware Removal Logs Forum.

Please read the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help in cleaning your computer. Once complete, post a link back to this forum so the HJT team knows what we have tried.

Please be patient as the HJT team is quite busy sometimes and it may take a day or even a few for someone to pick up your log, but someone will get back to you.


#15 Orange Blossom


Posted 25 March 2010 - 10:38 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/304887/xp-defender-virus/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: