Hi, I'm new here and really, really in need of help.

This morning my computer got a virus. I have tried all sorts to fix it; here's what is going on:

- In Task Manager, without opening Internet Explorer, it is already sitting in the processes; if I kill it, it reopens about 5-7 mins later.

- I have run a scan with AVG: in normal mode it says it's fine, in safe mode it picks up 2 viruses and gets rid of them, yet if I scan again they are still there.

- I have run Ad-Aware, and nothing shows.

- I have tried to run Spybot S&D, but it won't load.

- I have tried to run Malwarebytes' Anti-Malware, and that won't load.

- I have tried to run HijackThis, and that also won't load.

- I have tried HouseCall, and that won't work in either safe mode with networking or in normal mode.

All 3 of the above programmes I have tried in both safe mode and in normal mode.

I also tried a System Restore, and it won't let me do that via safe mode, or normal.

I have also tried ComboFix, and that won't start, same as the other programmes,
and have used the ATF Cleaner.

Added to that, I have run the Microsoft malicious tool via Windows Live.

Any ideas on what I can do? It's doing my head in!!!!
And I should mention that the programmes that won't load were working fine last week when I ran a scan.

Thanks so much
Claire

4 Contributors, 49 Replies, 50 Views, 8 Years Discussion Span, Last Post by gerbil

Featured Replies

- Just for the time being, Nathan, I am going to ignore one of the detections..... I may get spanked for it. Anyway.... use GMER to delete all these entries [you must run it in Normal Mode]: Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1 Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1 Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACppjwbfoauuwvxxwmi.sys Reg …

- Virut. Ah. You may have already taken the best option, then. A format and reinstall. Note that a format does not remove files, just loses them; the new OS will not see them. And vv. Cheers, Nathan. Sometimes you do have to just give up.

Hello, Claire... go into Safe Mode, kill the iexplore.exe if it is running, rename MBAM.exe to MAMBO.exe, see if it will run as that. Rename hijackthis.exe also, try to run it.
If you cannot run those, then perhaps a check for rootkits is called for...
Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html
-double-click on gmer.zip and unzip the file to its own folder or to your desktop.
-disconnect from the Internet and close all running programs including those in the system tray (bottom right-hand corner).
-double-click Gmer.exe to start it; uncheck Sections, IAT/EAT, use remaining default settings [ensure your system drive (C: ?) is the only drive checked], just click the Scan button and wait for the scan to finish (do not use your computer during the scan).
-click on the Copy button - this will copy the results to the clipboard. Open Notepad and paste into it.
The result - please zip it and post as an attachment via Go Advanced.

Thanks so much for that!!!
I got Malwarebytes going and it picked up as per below; I also ran HijackThis and GMER. GMER said there was a problem with the rootkit.

Also... in my panic before you replied yesterday, I did something stupid. I think it was under System Tools - Process Explorer: I clicked on the iexplore.exe and took the permissions off it, thinking that if I disabled it till you guys came to the rescue it wouldn't do more damage. Well, I did more damage; now I have pretty much no admin rights, and I can't connect to the internet, it tells me I have limited connectivity. So I tried uninstalling IE7 and reinstalling and that didn't work, so &*(&^ knows what I have done.
Hopefully the logs will tell you something, as they were done after I made the changes.

Thanks so much for your help, below are the logs.

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

5/26/2009 11:25:46 PM
mbam-log-2009-05-26 (23-25-46).txt

Scan type: Quick Scan
Objects scanned: 77477
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:25 PM, on 5/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP3 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {78875F5C-A685-4405-8DC5-D48DC65452B0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Registry Repair Wizard Scheduler] "C:\Program Files\SmartPCTools\Registry Repair Wizard\RCHelper.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--

Hello, Claire.
Yep, as I suspected there was a rootkit involved in preventing MBAM and HijackThis from running. It will be simple enough to fix. But first, the GMER log also shows its source... you must get rid of the crack/keygen shown in the log before I can help you further. I don't like to be a boor, but it is site policy - we cannot be seen to be assisting people to circumvent copyright/ownership of software.
So do that... come back clean and I can help. Anyway, with the source of the rootkit still active and present on your sys it would just reinfect you.
And I'm on a couple of days off atm.
By the way, I imagine the iexplore.exe you see running and restarting all the time is actually the real and uncorrupted M$ version of Internet Explorer [that is its .exe]; it is just that the malware files hidden by the rootkit are using it to go out onto the web. So give it back its permissions.

Hi, sorry about that. I think that's where all my problems lie. I didn't know Limewire, or cracks, were on my computer; thanks to my brother-in-law for that, he must've downloaded stuff, uninstalled Limewire but left the files still sitting there... arrrrrrgh.
He's now banned from touching my PC.

I've deleted what I have found; all I can see was the Fireworks files??? Let me know if I have left any out.

In regards to iexplore, it won't let me reset the permissions; any ideas on what I can do?

I've attached the new GMER file for you, thanks so much.
Claire

Sorry I didn't just edit this; I couldn't see where I was to do it.

I have just scanned with MBAM again in safe mode, and it's come up with 2 more. Just adding in, as I was thinking these were the ones that you said would just keep reinfecting???

Also, I seem to have managed to reset my iexplore permissions, but my firewall and internet connection no longer work. Would I be right in guessing that whatever is in the dark depths of my computer is responsible for this??? As it seems to try and reconnect on its own to the net after I have disabled it.
Also if I go to shut down the computer, it just restarts itself.

Just in case any of this info is any more helpful to you :)
Cheers again

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

5/28/2009 10:37:55 PM
mbam-log-2009-05-28 (22-37-55).txt

Scan type: Quick Scan
Objects scanned: 77733
Time elapsed: 1 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Hello, Claire... gee, but days off go quickly....
Who needs in-laws, really? They come around, drink all your beer, get crisp crumbs under the sofa cushions.... and the blokes are even worse.
Right, we must kill the driver of that rootkit; this is it: C:\WINDOWS\system32\drivers\UACfkilrnjhdrdagis.sys
In Normal Mode, start GMER; after the preliminary scan reject the full scan. Select the Rootkit/Malware tab and uncheck all but Services.
Scan and then highlight that driver C:\WINDOWS\system32\drivers\UACfkilrnjhdrdagis.sys
Right-click and choose Delete Service, agree.
Reboot and rerun GMER as above, delete any other services [ie, .sys files] identified as a rootkit. Reboot.
Good. Now update and run MBAM - it should be able to identify and clean the unprotected malware files now:
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under the Logs tab in MBAM].

Re the iexplore.exe permissions, you wrote "i think it was under System Tools - Process Explorer". Sorry? Process Explorer is a program from Winternals [Sysinternals]. I really need to know the registry key you took the permissions from.
Was it this one - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]? All I know about permissions is that you navigate to the particular key in the registry [run regedit.exe], right-click it, choose Permissions, and uncheck any Deny boxes [Deny overrides Allow].
Hope that helps.

You are dead right, that's about all they are good for!!!
And time off always goes way too fast!!

Now, I ran MBAM twice, and will attach both logs. The first time I ran it I wasn't able to update, since I couldn't get onto the net, but after deleting and rebooting, next time round I was able to, so I updated, ran again and it picked up something else... in the second log I will post. Then I ran for a third time after deleting and rebooting, and it came up with the all clear :)

Let me know if I'm all good to go now, and thank you so much for your help, you have been a lifesaver!

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

5/30/2009 12:55:43 PM
mbam-log-2009-05-30 (12-55-43).txt

Scan type: Quick Scan
Objects scanned: 92243
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\WinPC Antivirus (Rogue.WinPCAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACcngaadqsqdbtkpi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACipfvnfkawyruswp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UAClmcnelfykodaiod.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqtbmjrbrhevysaa.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACsadfmblacclvboa.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\UAC4805.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

2nd log
Malwarebytes' Anti-Malware 1.37
Database version: 2193
Windows 5.1.2600 Service Pack 3

5/30/2009 1:03:16 PM
mbam-log-2009-05-30 (13-03-16).txt

Scan type: Quick Scan
Objects scanned: 92881
Time elapsed: 2 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\application data\BITDD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

And again:
ran Spybot and it picked these up, have attached in a Word file.

Sorry for the paranoia and the continual scanning ;)
Will stop now till I hear from you :)
Just thought I'd better keep you posted in case something wasn't showing or it's still reinfecting.
I ran GMER again and it came up clean.
Hello, Claire, I take it that GMER successfully killed that driver, C:\WINDOWS\system32\drivers\UACfkilrnjhdrdagis.sys?
These files seem to have been missed; pretty harmless on their own, but you may as well clean up. Delete them manually. Are there any other system32\UAC*.* files?

C:\WINDOWS\system32\UACmuoeronpqfuaikt.dat
C:\WINDOWS\system32\UACuvogtblhqghkhtt.log
C:\WINDOWS\system32\UACghcwpnnatbjtxvv.log
C:\WINDOWS\system32\UACpxwwsboyebokuvf.log
Mm.. I see that a couple of them were caught by Spybot.
Now clean with this feller... it's neat to keep:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...].
If you have Firefox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
And off you go.
Cheers.
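As an added example (my own code, not gerbil's, Claire's or Malwarebytes' own): a small Python parser for the MBAM 1.3x text log format posted in this thread. It pulls out the summary counts and each finding, flags anything listed as Delete on Reboot (gerbil's cue that a restart is needed before rescanning), flags the Security Center notification tampering seen in Claire's first log, and checks file paths against the system32\UAC*.* naming gerbil asks about just above. SAMPLE_LOG is a constructed, abridged version of the first log in the thread; the regexes and function names are assumptions of mine.

```python
"""Parse a Malwarebytes' Anti-Malware 1.3x text log and triage what it found."""
import re
from dataclasses import dataclass

# Constructed sample, abridged from the first MBAM log posted in this thread (not the original file).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.35
Database version: 1904

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")
# gerbil's question: any other system32\UAC*.* files? (the driver itself sat in system32\drivers)
UAC_FILE_RE = re.compile(r"\\system32(\\drivers)?\\uac[^\\]*$", re.IGNORECASE)
SECURITY_CENTER_FAMILIES = {"Disabled.SecurityCenter", "Hijack.SecurityCenter"}


@dataclass
class Finding:
    section: str  # which "... Infected:" block the line came from
    target: str   # registry key/value or file path
    family: str   # MBAM's classification, e.g. Trojan.Agent
    action: str   # what MBAM did, e.g. "Delete on reboot"


def parse_mbam_log(text):
    """Return (summary counts, list of Finding) from an MBAM 1.3x log."""
    counts, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:               # a blank line ends the current block
            section = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            # "Bad: (1) Good: (0) -> ..." lines carry data before the action;
            # the action is always the last "-> " segment.
            action = m["rest"].split(" -> ")[-1]
            findings.append(Finding(section, m["target"], m["family"], action))
    return counts, findings


def pending_reboot(findings):
    """Items MBAM could not remove in place: restart before trusting a rescan."""
    return [f for f in findings if f.action.lower().startswith("delete on reboot")]


def security_center_tampering(findings):
    """Findings that silenced XP's Security Center warnings (seen alongside the rogue AV)."""
    return [f for f in findings if f.family in SECURITY_CENTER_FAMILIES]


def uac_artifacts(paths):
    """File paths that follow the UAC-prefixed naming this rootkit used."""
    return [p for p in paths if UAC_FILE_RE.search(p)]


def triage(text):
    counts, findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "counts_consistent": sum(counts.values()) == len(findings),
        "reboot_required": [f.target for f in pending_reboot(findings)],
        "security_center": [f.target for f in security_center_tampering(findings)],
        "uac_files": uac_artifacts([f.target for f in findings if f.section == "Files Infected"]),
    }
```

Run `triage(open("mbam-log.txt").read())` on a real log; a non-empty `reboot_required` list means the scan is not finished until the machine has restarted.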

Okies, I ran CCleaner.
I couldn't find the last 2 you listed though; there doesn't seem to be any UAC files in that directory, and I searched the whole computer for them. The first 2 I found under Spybot's directory, so I left them there.
C:\WINDOWS\system32\UACghcwpnnatbjtxvv.log
C:\WINDOWS\system32\UACpxwwsboyebokuvf.log

I have attached another Word file, as this Win32 Cryptor keeps popping up; it's popped up 5 times today, and each time I get rid of it via AVG.
MBAM and Spybot haven't picked up on it.
Now each time the last digit of the file name is different, the rest is the same; the first started at 1, and then the last, as in the one I have attached here, is a 5.

Any ideas?
Interesting behaviour by AVG.... let's clear your System Restore Points [that is where it is hiding, but it cannot do anything unless you use an infected restore point..]
System Restore Points Clearance:
== you do this by toggling System Restore Off then On again. So go Control Panel > System > System Restore tab, check Turn off System Restore on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
Now make a fresh, clean restore point: Start > Programs > Accessories > System Tools > System Restore and create a restore point now!!
Now see if AVG finds any more of them.
You may remove those two UAC...log files from Spybot's quarantine.

Okies, done that now.... the System Restore points, and this time I can't find any of those UAC files to remove at all.

However, after a scan with Spybot I came up with the Win32 Cryptor virus, which I had that remove, and then I scanned with Ad-Aware and came up with the VacFix.exe virus, which that removed.

That is okay, Claire. Vacfix.exe is a part of SmitfraudFix, which I think you have? You can delete it [SMF] when you have finished with it.
I don't have a very high opinion of Ad-Aware right now...
Where did Spybot find the Win32 Cryptor trace, and what file name was it, please?

Hiya, sorry I hadn't replied; for some reason I never got the notification that you had replied, and I was just on here checking in case.

Okies, I can't find the Spybot one, it seems to have disappeared from recovery???
I downloaded Avast last night and ran that too, didn't pick up on anything.
That Win32 hasn't been doing its usual popup like it was the other day, and scans haven't picked up on anything, but I'm still a bit worried that it's lurking away somewhere as my computer is still running a bit terrible!!!!

"I downloaded Avast last night and ran that too,"... if it was the antivirus service, I do hope you uninstalled AVG8 first. Please do not try to run more than one AV service; non-installing scanners are okay to combine... eg online scans. Or your sys will be unpredictably cranky.
I used AVG8 for a while, decided there must be better out there and switched to Avast. Things seem better, but I cannot quantify that.
Most trojans like to call out, otherwise there is not much point to them [most are written as income-earning exercises, paid by advertising, ppl being fooled into paying for rubbish sware] and a good firewall will trap that behaviour. Comodo [you can install only the firewall by choice, not the whole AV/AS/FW package] but it is a very busy thing, drives some folks nuts with its checking/querying - you gotta LIKE being asked things... Kerio... maybe ZoneAlarm.. maybe. Comodo is THE best.
If a virus lifts a finger, your AV should warn you. It ain't, so it's not.
Be cool.


Look. I can spell. Perfectly. It's just my fingers that get confused. I dunno how that works.

Haha yeah my fingers have that problem too!!! Sometimes they have issues with spelling ;)

Surely did uninstall AVG 8, and like you was happy with it, but had heard so many people rave about Avast that I thought I should try that instead. The only thing I'm unsure on is that it doesn't schedule regular scans; am guessing though that 'cos it's active all the time that will pick up on things.

Had issues uninstalling AVG8, was getting all snarky with me about a registry key and wouldn't uninstall, so had to run the AVG uninstaller whodakky off their website, and me being paranoid ran a few boot scans with Avast and it was all good and I seem to be in the clear??

Sooooo, the Windows firewall isn't great then??? Will go have a look at the others you suggested, will see how long it takes for Comodo to piss me off haha. Vista on the laptop annoys the crap outta me asking me every 20 seconds if it's ok to do something ;)

My fingers... I write with a pen and there is absolutely NO confusion with their and there. I type, and it's a 50-50 chance it gets set down correctly. How can that be? Does typing use a different part of the brain, or what? Course, some of my fingers are speed freaks an hit he keys outa turn, and that doesn't help.
AVG fights to the end.. yep.
Most AVs [all?] interactively scan files as they are opened for use, so you will get a notice, and the file will be frozen until you reply. Avast works like that. I don't do regular scanning at all now.
Windows FW for XP only checks incoming streams... basically if something was not requested then it is ignored, not even acknowledged. If it wants to get out, no interference from the FW, and that is a big weak spot. Vista's FW is different, but it appears to not learn, so it is a pest. Comodo will learn if you use it correctly. And it can wee people off in half an hour... you gotta appreciate what it is doing for you, learn about it and accept that you must use it as a tool.
Good luck wiv it.

Cheers for that! Will definitely give it a go!!!
Thanks soooo much for all your help, you've been a legend :)

I don't think it's your fingers, I just think that the keyboard keys move places on their own. That's my theory and I'm sticking to it haha.


You're very welcome, Claire.
Cheers.

I am having the same issue that Claire was having. I am trying to follow the thread for this but it's all over the place and very confusing. Could you consolidate the steps that need to be done to remove this nasty rootkit and malware?

Thanks,
Nathan

What, me do it instead of you? I do tend to be chatty in my posts, but that is because I am human, and like to relate to some folks. Just some... we pick each other out...
Anyway, Nathan, I cannot do a generic solution for you... solutions evolve as we see what is coming up. Best start with this [and rename mbam.exe and hijackthis.exe if they will not run initially, to mybam.exe and hoistthis.exe]:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Double-click that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under the Logs tab in MBAM].
Then...
==download HijackThis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by double-clicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

I have been using MBAM for years... I have a purchased copy.. it removes everything except system32\uacinit.dll; it always removes on delete.. I reboot and it's there the next time I scan... I am unable to get to malwareytes.org to update the database of known malware... I can access fine on the PC I'm using now but the one next to me (infected) cannot get to it. I've used GMER to kill that UACd.sys file.. and have rebooted... still doesn't work... originally I couldn't install MBAM because of the name so I had renamed it myself before looking at forums... usually MBAM does the trick right away... but this is my first experience with a rootkit and it's downright nasty!

I am currently running the GMER program.. I have run this thing like 10 times but it never finishes... do you know how long it usually takes?

GMER takes 1 1/2 mins to scan my system drive. But Windows is there all by itself, no data, no programs other than those that fight to be there; the partition is tightly controlled... so... Anyway, uncheck the Sections and IAT/EAT boxes for the scan, make sure only your system drive is included in the drives choice..
UAC*.sys is a rootkit driver, but having said that, there is no reason why it should not also be protecting files that regenerate it, apart from the files that do its business. Could you post an MBAM scan run in Safe mode? Likely the rootkit will not be active there.

Hehe.. my system is tightly controlled too.. I haven't had an infection on my computer in 10 years.. I'm just very careful by nature... and have been working with computers for a long time.. I'm actually working on trying to fix my coworker's computer.

Anyways, I have unchecked the Sections and IAT/EAT boxes in GMER. I have also attached the log for a full scan of MBAM and for HijackThis. When I load GMER it shows the rootkit UAC*.sys but when I right-click to delete the service it says it could not find the file. MBAM has detected multiple items over the last few days, however the most recent quick scan detected nothing, which is why I ran the full scan.