iexplore.exe virus + others im guessing
Join Date: Jul 2009
Posts: 16
Reputation:
Solved Threads: 0
The version of Windows XP is now legitimate.
Here are the latest MBAM results:
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3
7/13/2009 12:55:42 AM
mbam-log-2009-07-13 (00-55-42).txt
Scan type: Quick Scan
Objects scanned: 101839
Time elapsed: 6 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 17
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\bhonew.bhoapp (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bhonew.bhoapp.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Delete on reboot.
c:\documents and settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\wingenocx.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
c:\program files\protection system\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.
c:\program files\protection system\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\help.ico (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\uninstall.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\All Users\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
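The MBAM log above has a regular line format (target, detection family in parentheses, then one or more `->` segments ending in the action), and two actions matter when reading it: "Quarantined and deleted successfully" is done, while "Delete on reboot" means the file or module was in use and must be checked again after a restart. The parser below is an added example, not code from the thread or from Malwarebytes; it reads that format, lists the items still pending a reboot, and pulls the Bad/Good values out of a Hijack.Userinit entry so the extra Winlogon Userinit executable can be named. The SAMPLE_LOG is a constructed excerpt modelled on the log posted above.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and summarise what still needs a reboot."""
import re
from collections import Counter

# Section headers look like "<Category> Infected:" with one item per following line.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# Item lines: "<path or key> (<family>) -> [detail ->] <action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Constructed excerpt in the MBAM 1.38 log format (not the full log from the thread).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Scan type: Quick Scan
Memory Modules Infected: 1

Memory Modules Infected:
C:\\Program Files\\Protection System\\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit (Hijack.Userinit) -> Bad: (C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\\WINDOWS\\Temp\\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per detection: section, target, family, action, detail."""
    items = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        # Skip the header block and "(No malicious items detected)" placeholders.
        if section is None or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        # The last "->" segment is the action; anything before it is detail
        # (for example the Bad/Good values of a Userinit hijack).
        *detail, action = [part.strip() for part in m.group("rest").split("->")]
        items.append({
            "section": section,
            "target": m.group("target"),
            "family": m.group("family"),
            "action": action.rstrip("."),
            "detail": " -> ".join(detail),
        })
    return items


def pending_reboot(items):
    """Targets MBAM could not remove while live; confirm they are gone after a reboot."""
    return [i["target"] for i in items if i["action"] == "Delete on reboot"]


def families(items):
    """Count detections per family, which shows how many components each infection has."""
    return Counter(i["family"] for i in items)


def userinit_tampering(items):
    """Return (bad, good) from a Hijack.Userinit entry, or None if there is none."""
    for i in items:
        if i["family"] == "Hijack.Userinit":
            m = re.search(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)", i["detail"])
            if m:
                return m.group("bad"), m.group("good")
    return None


def rogue_userinit_entries(userinit_value):
    """Every executable in a comma-separated Userinit value other than userinit.exe itself."""
    entries = (p.strip() for p in userinit_value.split(","))
    return [e for e in entries if e and e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("families:", dict(families(parsed)))
    print("still pending reboot:", pending_reboot(parsed))
    hijack = userinit_tampering(parsed)
    if hijack:
        print("extra Userinit executables:", rogue_userinit_entries(hijack[0]))
```

Run it against a saved mbam-log file by replacing SAMPLE_LOG with the file's contents; the "pending reboot" list is what to re-check with a second scan after restarting, which is why the thread keeps rescanning.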
Join Date: Jul 2009
Posts: 16
Reputation:
Solved Threads: 0
Do you know where MBAM downloads the database updates for checking for malware? I have a working MBAM on one computer, but since the infected computer can't connect to malwarebytes.org it can't get updates.... I was wondering if there was a way to a) manually install an update file, or b) copy an updated version of the program to the infected PC?
So, in 20 minutes you legitimised the installation? I am sorry but I doubt that it can be done in that time.
If you can provide something that can verify this, we can proceed, otherwise this is as far as we can go.
Join Date: Jul 2009
Posts: 16
Reputation:
Solved Threads: 0
I've resolved this issue on my own.
Gerbil,
Thanks for your help in this matter.
Crunchie,
I understand where you are coming from. But you should really trust people more. Firstly, I had no idea that my co-worker was using an invalid version of Windows. He simply asked me to help him get rid of this crap on his computer. Secondly, I paid through Microsoft's prompt: when getting to the login it says that my OS is not legitimate and that I can Resolve Now or Resolve Later... When I hit Resolve Now it redirects me to microsoft.com marketplace or something and asks me to buy an XP Home upgrade for 49.95... (download is free, CD is an additional 2.99). I just got the upgrade.
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
"Do you know where MBAM downloads the database updates for checking for malware? I have a working MBAM on one computer but since the infected computer cant connect to malwarebytes.org it cant get updates.."
I am going to work on that, Nathan. The only site that has them for installation is usually a month out of date, and that is almost useless. Atm it is about 50 releases behind...
Just for my information, did you run that block of file deletions via the cmd window that I gave you earlier? Because I would like to know what broke the back of UAC..., and it did break after that post of mine. After that MBAM was able to detect the rogue files it had been hiding, plus see more of UAC.
That was a comprehensive and growing infection you had. Did you need to do anything else after the last MBAM run you posted?
Nathan, we have to be seen to be doing the right thing by software vendors. But I did notice your action.
Deep, deep in the woods, but walking about.
Join Date: Jul 2009
Posts: 16
Reputation:
Solved Threads: 0
"Do you know where MBAM downloads the database updates for checking for malware? I have a working MBAM on one computer but since the infected computer cant connect to malwarebytes.org it cant get updates.."
I am going to work on that, Nathan. The only site that has them for installation is usually a month out of date, and that is almost useless. Atm it is about 50 releases behind...
Just for my information, did you run that block of file deletions via the cmd window that I gave you earlier? Because i would like to know what broke the back of UAC..., and it did break after that post of mine. After that MBAM was able to detect the rogue files it had been hiding, plus see more of UAC.
That was a comprehensive and growing infection you had. Did you need to do anything else after the last MBAM run you posted?
Nathan, we have to be seen to be doing the right thing by software vendors. But I did notice your action.
And yes, I ran the del file statements from the CMD prompt; it removed about half of them, and for the other half it said the file doesn't exist.
I seem to be stuck in an endless loop of reinfections...
I have run MBAM about 10 times over the past 24 hours:
I have just rebooted into Safe Mode (without networking) and opening up GMER now, GMER NO LONGER DETECTS UACd.sys!!!!
running MBAM quickscan:
I have just decided to reformat the PC.
Thanks for all your help.
I think what broke the back of UAC was constant scanning and rescanning with MBAM coupled with GMER and HJT.
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
"GMER NO LONGER DETECTS UACd.sys" - it won't, in Safe Mode, if the rootkit is not active. But nothing stops you in Safe Mode from going into system32\drivers and deleting every UAC*.sys file, every UAC*.dll and tmp*.dll or .exe file in system32, and cleaning out every tmp and temp directory...
And you could download and run this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it, double-click the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
There is a chance that you would need to rename the combofix exe before running it. It would be nice to clean his sys so that all his files could be saved.
Last edited by gerbil; Jul 14th, 2009 at 1:31 am.
Deep, deep in the woods, but walking about.
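The Safe Mode clean-up gerbil describes (UAC*.sys under system32\drivers, UAC*.dll and tmp*.dll or tmp*.exe under system32) is the kind of step worth scripting so that nothing is missed and every removed file is recorded. The script below is an added example, not gerbil's procedure or any tool from the thread: instead of deleting, it inventories the matching files with a SHA-256 hash and moves them into a quarantine folder, so a legitimate file caught by the wildcard can be put back. It assumes a Windows root passed as `root` (for a real XP system that would be `C:\`, run as an administrator with the rootkit inactive); the tree built by `build_sample_tree()` is constructed for the demonstration and the file contents are placeholders.

```python
"""Inventory and quarantine files matching rootkit-style name patterns under a Windows root."""
import hashlib
import shutil
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# (directory relative to the Windows root, glob pattern) pairs from the post above.
PATTERNS = [
    ("WINDOWS/system32/drivers", "UAC*.sys"),
    ("WINDOWS/system32", "UAC*.dll"),
    ("WINDOWS/system32", "tmp*.dll"),
    ("WINDOWS/system32", "tmp*.exe"),
]


def sha256_of(path):
    """Hash the file so the quarantined copy can be identified later (e.g. for a vendor submission)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspects(root):
    """Return [(Path, sha256)] for files matching PATTERNS under root; matching is case-insensitive."""
    root = Path(root)
    hits = []
    for rel, pattern in PATTERNS:
        directory = root / rel
        if not directory.is_dir():
            continue
        for p in sorted(directory.iterdir()):
            if p.is_file() and fnmatch(p.name.lower(), pattern.lower()):
                hits.append((p, sha256_of(p)))
    return hits


def quarantine(hits, qdir, dry_run=True):
    """Move each suspect into qdir under a hash-tagged name; return the manifest of (src, dest, sha256)."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for p, digest in hits:
        dest = qdir / f"{p.name}.{digest[:8]}.quar"
        if not dry_run:
            shutil.move(str(p), str(dest))
        manifest.append((str(p), str(dest), digest))
    return manifest


def build_sample_tree(base):
    """Constructed sample: three suspicious names next to two legitimate neighbours."""
    base = Path(base)
    files = {
        "WINDOWS/system32/drivers/UACd.sys": b"placeholder, not a real driver",
        "WINDOWS/system32/drivers/ntfs.sys": b"placeholder, legitimate name",
        "WINDOWS/system32/UACinit.dll": b"placeholder, not a real dll",
        "WINDOWS/system32/tmp1234.exe": b"placeholder dropper name",
        "WINDOWS/system32/kernel32.dll": b"placeholder, legitimate name",
    }
    for rel, data in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def demo(dry_run=False):
    """Build the sample tree, quarantine matches, return (names found, names left in the scanned dirs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        hits = find_suspects(root)
        quarantine(hits, root / "quarantine", dry_run=dry_run)
        remaining = {p.name for rel, _ in PATTERNS for p in (root / rel).iterdir() if p.is_file()}
        return sorted(p.name for p, _ in hits), sorted(remaining)


if __name__ == "__main__":
    found, left = demo(dry_run=True)
    print("would quarantine:", found)
    print("left in place (dry run):", left)
```

Run with `dry_run=True` first and read the manifest before moving anything; once the system is confirmed clean the quarantine folder can be deleted, and until then it is the record of what was removed.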