0

Paste your logs directly in your reply rather than attaching them. We don't want an infection :).

0

A quick point while I get time to look at all those. I see this in the MBAM log:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.

Files Infected:
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> No action taken.

So, do you do THIS?:
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

If you do not, nothing changes....

0

No, I removed them after I saved the log. They all were removed except UACd.sys, which gave me a delete on reboot. I will redo the MBAM logs when I get home tonight. Would you prefer me copying and pasting them in a thread post or attaching them to the thread?

1

Just for the time being, Nathan, I am going to ignore one of the detections..... I may get spanked for it.
Anyway.... use GMER to delete all these entries [you must run it in Normal Mode]:
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACppjwbfoauuwvxxwmi.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACppjwbfoauuwvxxwmi.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvkbftebfvmevcvttv.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACsr \\?\globalroot\systemroot\system32\UACtmuhcepbrnaesbrvv.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\TEMP\141078336mxx.dll

Delete all these files. This should do it in one hit. Paste this as ONE BLOCK into a cmd window at the prompt:

(del /f /a %systemroot%\system32\drivers\UACd.sys
del /f /a %systemroot%\system32\drivers\UACppjwbfoauuwvxxwmi.sys
del /f /a %systemroot%\system32\drivers\UACppjwbfoauuwvxxwmi.sys
del /f /a %systemroot%\system32\UACvkbftebfvmevcvttv.dll
del /f /a %systemroot%\system32\UACtmuhcepbrnaesbrvv.dat
del /f /a C:\WINDOWS\TEMP\141078336mxx.dll
del /f /a C:\Documents and Settings\Chris\reader_s.exe)


Then use hijackthis to fix these entries :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Chris\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Chris\reader_s.exe (User 'Default user')

Say how you get on...

0

When I run GMER (when Windows is booted normally) it detects those registry values you asked me to delete, but when I right-click, all the options are greyed out except Options and About at the very bottom.

When I look in REGEDIT manually they do not exist :/

Any suggestions?

0

So here's where I'm at right now:
Boot into Windows Safe Mode:
Open GMER
Detects ROOTKIT activity (UACd.sys) > right-click and delete. Reboot into Windows (normal mode)

Open GMER
Detects ROOTKIT activity (UACd.sys) > right-click and delete, do not reboot. Continue to scan (with Sections and IAT/EAT unchecked)

Cannot delete registry files you mentioned above.

Open MBAM
MBAM detects and removes as follows (some of this is now new):
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/12/2009 10:35:33 PM
mbam-log-2009-07-12 (22-35-33).txt

Scan type: Quick Scan
Objects scanned: 102361
Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ld12.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.

On MBAM reboot I got a bluescreen memory dump.

Reboot into Safe Mode,

run GMER, detects UACd.sys, right-click delete --> error: path not found
run MBAM, results:
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/12/2009 10:58:31 PM
mbam-log-2009-07-12 (22-58-31).txt

Scan type: Quick Scan
Objects scanned: 100675
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACpvvwbspuymflxewxu.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Reboot into Windows (normal mode)
3 new icons appear on the desktop:
pornotube.com
nudetube.com
youporn.com
Also a red circle with a white X appeared calling itself Security Center, and a Security Center alert appears.

PC froze and had to reboot.

Rebooted to Windows normally and the 3 icons are still there but the "security center" is not... however GMER still detects the UACd.sys... I feel this is the root of the problem and it just won't go away.

>> http://i30.tinypic.com/2zdvebs.jpg

GMER log:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-12 23:11:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8AA9B500 pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AB551E8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \Fat 8A66D7A0

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\NDIS \Device\Ndis [8AA23984] NDIS.sys[.reloc]

---- Threads - GMER 1.0.15 ----

Thread System [4:304] 8972A790

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACxxtjphcjwaldgxjmp.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Right-clicked the UACd.sys service and hit delete; it says it could not be deleted.

ran MBAM, detects:
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/12/2009 11:18:44 PM
mbam-log-2009-07-12 (23-18-44).txt

Scan type: Quick Scan
Objects scanned: 102127
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\WINDOWS\system32\UACrrpuwyfendjoqdhht.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACusipewbmqymhvxyxp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACyxbfvsowyyfjwbjec.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Do you think a reformat is needed?

All of the HJT files were deleted.

Trying to remove the items in GMER, but I don't have the delete option available?
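A triage helper for the MBAM 1.38 log layout quoted in this thread, added here as an example (it is not the helper's code or anything shipped by Malwarebytes, and every function name is my own): it parses the log sections, lists the items MBAM could only mark Delete on reboot, pulls the extra executables out of a Hijack.Userinit entry, and reports items detected in more than one scan, which is the reinfection loop the scans above show. The two sample logs are constructed, abbreviated excerpts of the 22:35 and 23:18 scans posted above.

```python
import re

# Constructed, abbreviated excerpts in the MBAM 1.38 log layout quoted in this
# thread (the 22:35 and 23:18 scans). Raw strings keep the backslashes literal.
LOG_A = r"""Memory Processes Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Unloaded process successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
"""
LOG_B = r"""Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\UACpvvwbspuymflxewxu.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$")
# "<item> (<family>)": the detection family is the last parenthesised token.
FAMILY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()\s]+)\)$")


def parse_mbam_log(text):
    """Parse one MBAM 1.x text log into records of section/item/family/action."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        # Summary counts, blank lines and "(No malicious items detected)" have no arrow.
        if section is None or " -> " not in line:
            continue
        head, rest = line.split(" -> ", 1)
        m = FAMILY_RE.match(head)
        if not m:
            continue
        # Registry data items carry "Data:" / "Bad:" detail before the final action.
        detail, _, action = rest.rpartition(" -> ")
        records.append({"section": section, "item": m.group("item"),
                        "family": m.group("family"), "detail": detail,
                        "action": action.rstrip(".")})
    return records


def pending_reboot(records):
    """Items MBAM could only schedule for removal: the reason the helper says to
    restart before continuing and to read the log again afterwards."""
    return sorted({r["item"].lower() for r in records
                   if r["action"] == "Delete on reboot"})


def userinit_extras(records):
    """Executables a Hijack.Userinit entry added next to userinit.exe in the
    Winlogon Userinit value; each one is started at every logon."""
    extras = []
    for r in records:
        if r["family"] != "Hijack.Userinit":
            continue
        bad = re.search(r"Bad: \(([^)]*)\)", r["detail"])
        for path in filter(None, bad.group(1).split(",")) if bad else ():
            if not path.lower().endswith("\\userinit.exe"):
                extras.append(path)
    return extras


def recurring_items(logs):
    """Items detected in more than one scan: a removal that did not take
    (e.g. blocked by the hidden driver) or a live reinfection."""
    seen = {}
    for idx, text in enumerate(logs):
        for r in parse_mbam_log(text):
            seen.setdefault(r["item"].lower(), set()).add(idx)
    return sorted(item for item, runs in seen.items() if len(runs) > 1)


if __name__ == "__main__":
    first = parse_mbam_log(LOG_A)
    print("pending reboot:", pending_reboot(first))
    print("userinit extras:", userinit_extras(first))
    print("seen in both scans:", recurring_items([LOG_A, LOG_B]))
```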

0

You could not see those values in the Services\UACD keys because a simple trick has been employed to make their values invisible to regedit. But they can be removed easily.
Nathan, as I expected.... there is another problem. Your OS is cracked with a Windows Activation bypass hack, and I am not supposed to help you further until it is removed. I do not know if you are aware of it, but it is there. It may have been there already if you bought the machine with XP preinstalled.
This is the file... I alluded to it earlier: C:\WINDOWS\system32\antiwpa.dll ...it is no big secret, so I have put it in clear for you to deal with.
Sorry, but forum rules are there to protect the forum and its owners. This file, as its name indicates, is Anti Windows Product Activation, and its SOLE use is to pervert that.

0

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/13/2009 12:55:42 AM
mbam-log-2009-07-13 (00-55-42).txt

Scan type: Quick Scan
Objects scanned: 101839
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\bhonew.bhoapp (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bhonew.bhoapp.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Delete on reboot.
c:\documents and settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wingenocx.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
c:\program files\protection system\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.
c:\program files\protection system\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\help.ico (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\uninstall.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\All Users\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

0

Removing the file does not automatically legitimise your Windows installation.
You need to have a legitimate copy of Windows for members here to assist you.

0

The version of Windows XP is now legitimate.

Here is the latest MBAM results:
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/13/2009 12:55:42 AM
mbam-log-2009-07-13 (00-55-42).txt

Scan type: Quick Scan
Objects scanned: 101839
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\bhonew.bhoapp (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bhonew.bhoapp.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Delete on reboot.
c:\documents and settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wingenocx.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
c:\program files\protection system\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.
c:\program files\protection system\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\help.ico (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\uninstall.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\All Users\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

0

Do you know where MBAM downloads the database updates for checking for malware? I have a working MBAM on one computer, but since the infected computer can't connect to malwarebytes.org it can't get updates. I was wondering if there was a way to a) manually install an update file, or b) copy an updated version of the program to the infected PC?

0

So, in 20 minutes you legitimised the installation? I am sorry but I doubt that it can be done in that time.
If you can provide something that can verify this, we can proceed, otherwise this is as far as we can go.

0

Do you want the CD-KEY I'm using? I used the built-in Windows feature to "resolve" that my OS is not legitimate. Paid 49.95 for an "upgrade" download and then rebooted.

0

I've resolved this issue on my own.

Gerbil,
Thanks for your help in this matter.

Crunchie,
I understand where you are coming from. But you should really trust people more. Firstly, I had no idea that my co-worker was using an invalid version of Windows. He simply asked me to help him get rid of this crap on his computer. Secondly, I paid through Microsoft's prompt when getting to the login that my OS is not legitimate and that I can Resolve Now, or Resolve Later... When I hit Resolve Now it redirects me to microsoft.com marketplace or something and asks me to buy an XP Home upgrade for 49.95... (download is free, CD is an additional 2.99). I just got the upgrade.

0

"Do you know where MBAM downloads the database updates for checking for malware? I have a working MBAM on one computer but since the infected computer can't connect to malwarebytes.org it can't get updates.."
I am going to work on that, Nathan. The only site that has them for installation is usually a month out of date, and that is almost useless. Atm it is about 50 releases behind...
Just for my information, did you run that block of file deletions via the cmd window that I gave you earlier? Because i would like to know what broke the back of UAC..., and it did break after that post of mine. After that MBAM was able to detect the rogue files it had been hiding, plus see more of UAC.
That was a comprehensive and growing infection you had. Did you need to do anything else after the last MBAM run you posted?
Nathan, we have to be seen to be doing the right thing by software vendors. But I did notice your action.

0

"Do you know where MBAM downloads the database updates for checking for malware? I have a working MBAM on one computer but since the infected computer can't connect to malwarebytes.org it can't get updates.."
I am going to work on that, Nathan. The only site that has them for installation is usually a month out of date, and that is almost useless. Atm it is about 50 releases behind...
Just for my information, did you run that block of file deletions via the cmd window that I gave you earlier? Because i would like to know what broke the back of UAC..., and it did break after that post of mine. After that MBAM was able to detect the rogue files it had been hiding, plus see more of UAC.
That was a comprehensive and growing infection you had. Did you need to do anything else after the last MBAM run you posted?
Nathan, we have to be seen to be doing the right thing by software vendors. But I did notice your action.

Thanks, and I understand. When I saw the file show up on the full scan I promptly uninstalled it. I really did buy Windows XP Home for my friend.. $50 bucks ain't gonna kill me.... I'm trying to help out a friend because I know he doesn't have much money and can't afford to lose all of his data.. he has some backed up but it's not the same since he doesn't have backup images like I do.

And yes, I ran the del file statements from the CMD prompt; it removed about 1/2, the other 1/2 said file doesn't exist.

I seem to be stuck in an endless loop of reinfections...

I have run MBAM about 10 times over the past 24 hours:

I have just rebooted into Safe Mode (without networking) and opening up GMER now, GMER NO LONGER DETECTS UACd.sys!!!!

running MBAM quickscan:


I have just decided to reformat the PC.

Thanks for all your help.

I think what broke the back of UAC was constant scanning and rescanning with MBAM coupled with GMER and HJT.

0

"GMER NO LONGER DETECTS UACd.sys" - it won't, in Safe Mode, if the rootkit is not active. But nothing stops you in Safe Mode from going into system32/drivers and deleting every UAC*.sys file, every UAC*.dll and tmp*.dll or .exe file in system32, cleaning out every tmp and temp directory...
And you could dl and run this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it, double-click the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
There is a chance that you would need to rename the combofix exe before running it. It would be nice to clean his sys so that all his files could be saved.

0

I have tried ComboFix... it won't run because he is infected with a virus called Virut. I have renamed it many times. I think his HDD is totally dead; when I tried using my XP disc it fails to a blue screen saying the computer may have a virus. However, the HDD is totally wiped now :(

1

Virut. Ah. You may have already taken the best option, then. A format and reinstall. Note that a format does not remove files, just loses them; the new OS will not see them. And vice versa.
Cheers, Nathan. Sometimes you do have to just give up.
