
also cannot remove uacinit.dll



Hi, I also cannot remove uacinit.dll. Please help if possible. Thanks in advance and apologies if I made any rookie mistakes.

I have run mbam several times and am left with this log:

Malwarebytes' Anti-Malware 1.34

Database version: 1815

Windows 5.1.2600 Service Pack 3

3/4/2009 12:31:52 AM

mbam-log-2009-03-04 (00-31-52).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 262614

Time elapsed: 44 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

*****

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:31:11 AM, on 3/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\1mb_am.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Documents%20and%20Settings/Owner/My%20Documents/Random/links.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\1mb_am.exe" /runcleanupscript

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe

O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\cheryl\Application Data\Macromedia\Common\4c02c01e1.dll""

O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\cheryl\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\cheryl\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: SrvMod.lnk = C:\WINDOWS\twain_32\L12U16U2\SrvMod.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C087A00-4342-44A6-AC37-95C0C68DE080}: NameServer = 206.141.193.55,66.73.20.40

O17 - HKLM\System\CS1\Services\Tcpip\..\{1C087A00-4342-44A6-AC37-95C0C68DE080}: NameServer = 206.141.193.55,66.73.20.40

O17 - HKLM\System\CS2\Services\Tcpip\..\{1C087A00-4342-44A6-AC37-95C0C68DE080}: NameServer = 206.141.193.55,66.73.20.40

O17 - HKLM\System\CS3\Services\Tcpip\..\{1C087A00-4342-44A6-AC37-95C0C68DE080}: NameServer = 206.141.193.55,66.73.20.40

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 6900 bytes

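As an added illustration of what a responder looks for in the O4 (autostart) section of a log like the one above, here is a small triage script. It is not code from the thread, from Malwarebytes or from HijackThis; the sample lines are copied from the posted log, and the three heuristics (payload sitting in a user-writable profile folder, a loose executable directly in the Windows directory root, and the same payload registered under several user hives including the service accounts) are my own rules of thumb for deciding which entries deserve a closer look, not verdicts on any particular file.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe",
    r'O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\cheryl\Application Data\Macromedia\Common\4c02c01e1.dll""',
    r"""O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'LOCAL SERVICE')""",
    r"""O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'NETWORK SERVICE')""",
    r"""O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\cheryl\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'SYSTEM')""",
    r"""O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\cheryl\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'Default user')""",
    r"O4 - Global Startup: SrvMod.lnk = C:\WINDOWS\twain_32\L12U16U2\SrvMod.exe",
]

# Registry-based autostart: "O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')?"
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder autostart: "O4 - Startup|Global Startup: <shortcut> = <target>"
FOLDER_RE = re.compile(r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Tokens of a command line: either a quoted string or a run of non-blanks.
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')

# Heuristic 1 (assumption): payload lives in a location any user can write to.
USER_WRITABLE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings|Desktop)\\|\\Temp\\", re.I)
# Heuristic 2 (assumption): a loose .exe/.dll directly in the Windows directory root is unusual.
WINDIR_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.(?:exe|dll)$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extract_paths(cmd):
    """Return the tokens of a command that look like a Windows path or a PE file name."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]
    return [t for t in tokens if "\\" in t or t.lower().endswith((".exe", ".dll"))]


def payload_of(cmd):
    """The file that really runs: the DLL argument for rundll32, otherwise the first path."""
    paths = extract_paths(cmd)
    if not paths:
        return None
    if basename(paths[0]) == "rundll32.exe" and len(paths) > 1:
        return paths[1]
    return paths[0]


def parse_o4(line):
    """Split one O4 line into (hive, entry name, command); None if it is not an O4 line."""
    m = REG_RE.match(line) or FOLDER_RE.match(line)
    if not m:
        return None
    return m.group("hive"), m.group("name"), m.group("cmd")


def triage(lines, replication_threshold=3):
    """Map each O4 line that trips a heuristic to the list of reason codes it tripped."""
    entries = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, _name, cmd = parsed
        payload = payload_of(cmd)
        if payload:
            entries.append((line, hive, payload))

    # Heuristic 3 (assumption): the same payload registered under many hives at once
    # (HKCU plus the SYSTEM / LOCAL SERVICE / NETWORK SERVICE / .DEFAULT profiles).
    hives_by_payload = defaultdict(set)
    for _line, hive, payload in entries:
        hives_by_payload[basename(payload)].add(hive)

    findings = {}
    for line, _hive, payload in entries:
        reasons = []
        if USER_WRITABLE_RE.search(payload):
            reasons.append("user-writable")
        if WINDIR_ROOT_RE.match(payload):
            reasons.append("windows-root")
        if len(hives_by_payload[basename(payload)]) >= replication_threshold:
            reasons.append("replicated")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_O4_LINES).items():
        print(", ".join(reasons).ljust(26), line)
```

On the sample, the five rundll32 entries loading 4c02c01e1.dll from Application Data are flagged both as user-writable and as replicated, the "system tool" entry is flagged for living in the Windows root, and the driver, QuickTime, ctfmon and startup-folder entries pass clean. Flagged lines are a reading list for the responder, not a removal list.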

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi cyrracq and welcome to the Malwarebytes Forum ;)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.

  • The fixes are specific to your problem and should only be used for this issue on this machine!

  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.

  • If you don't know, stop and ask! Don't keep going on.

  • Please reply to this thread. Do not start a new topic.

  • Refrain from running self fixes as this will hinder the malware removal process.

  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.

  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Next:

I have a few questions for your good self before we proceed any further:

From the HijackThis log posted I see you are running your computer in Safe mode with network support. Is your computer unable to boot up into Normal mode and/or function in the aforementioned?

Have you renamed the executable file for Malwarebytes' Anti-Malware yourself? Currently it is showing as:

C:\Program Files\Malwarebytes' Anti-Malware\1mb_am.exe


Hi Dakeyras, thanks for helping me with my problem.

My computer will boot up into Normal mode. However, it frequently gave me the blue screen crash after a few minutes (not necessarily instantaneously) before I was able to complete anything. The few times without a crash, I was unable to run the software.

I did rename the executable file. I tried many times unsuccessfully to run the software: after double-click or right-click -> open, my mouse cursor would become the hourglass for a few seconds before returning to normal, without any trace of the software. I found the suggestion to rename the executables, and this only seemed to work after a subsequent reboot.

Hope that gives you the information you seek!


Hi ;)

Hi Dakeyras, thanks for helping me with my problem.

You're welcome!

OK please try the following in Normal mode and let's see if we can get the results I wish. One or more of the infections identified is a Smitfraud variant and most likely the cause of the present unstable condition of your computer in normal mode.

Next:

Please download SmitfraudFix (by S!Ri) to your Desktop.

Alternate download locations:

From GeekstoGo

From Security Cadets

From Zebulon

  • Double click on SmitfraudFix.exe.
  • Press 1 then hit the Enter key.
  • It will create a report named rapport.txt, usually at C drive.
  • Please post back this log in your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Read more here

Next:

I would like to view a list of currently installed software applications on your PC. How to provide as follows:

Run HiJackThis and click on Open the Misc Tools section

  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.

When completed the above, please post back the following in the order asked for:

  • Any problems encountered?
  • Rapport.txt.
  • Uninstall List.
  • A new HijackThis Log in Normal mode.

Hi again.

I cannot run SmitfraudFix. I listed below what happened. I then ran HijackThis as requested, in case that information is useful without the rapport.txt file.

1. Turned computer on, allowed Windows to boot normally.

2. Error pop-up (before Windows is fully loaded; no taskbar, icons, etc.):

"Windows cannot find C:\ Program. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

-- Clicked "OK"

3. Windows appeared to finish loading.

4. Error pop up:

"To help protect your computer, Windows has closed this program.

Name: WMI

Publisher: Microsoft Corporation"

-- Clicked "Close Message"

5. Many "Please tell Microsoft about this problem" pop-ups.

-- Clicked "Don't Send" (for error report) each time

6. Repeated 4 & 5 with slightly different wording.

7. After a few cycles, this error stopped happening. Downloaded exe through Firefox.

8. Double-clicked the exe and get pop-up:

"SmitfraudFix.exe has encountered a problem and needs to close. We are sorry for the inconvenience." etc.

-- Clicked "Don't Send" and tried a few more times with same results.

9. Moved file to C:\ and tried again, with same results.

----

uninstall_list:

Adobe Bridge 1.0

Adobe Common File Installer

Adobe Flash Player Plugin

Adobe Help Center 1.0

Adobe Photoshop CS2

Adobe Reader 7.0.9

Adobe Stock Photos 1.0

ATI Display Driver

Azureus Vuze

Chinese (Traditional) Language Support

DeepBurner v1.8.0.224

DivX Codec

DivX Player

HijackThis 2.0.2

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

IrfanView (remove only)

Java 6 Update 2

Java 6 Update 7

Java SE Runtime Environment 6 Update 1

LeechFTP

LG USB Drivers

LiveReg (Symantec Corporation)

LiveUpdate 2.6 (Symantec Corporation)

Macromedia Flash Player 8

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft .NET Framework 3.0 Service Pack 1

Microsoft .NET Framework 3.5

Microsoft .NET Framework 3.5

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Professional Edition 2003

Microsoft Office XP Professional with FrontPage

Microsoft User-Mode Driver Framework Feature Pack 1.0

Mozilla Firefox (3.0.6)

MSN Music Assistant

MSXML 6.0 Parser (KB933579)

Nero Media Player

NeroVision Express 2

NJStar Chinese Word Processor

Norton SystemWorks 2002

Norton WMI Update

NVIDIA Windows 2000/XP Display Drivers

Presto! PageManager

QuickTime

RealPlayer

Realtek AC'97 Audio

Revo Uninstaller 1.80

SE A3 USB 1200 Pro v1.0

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Media Encoder (KB954156)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB960715)

Soft Data Fax Modem with SmartCP

SyncToy

Trillian

TurboTax Deluxe Deduction Maximizer 2006

TurboTax ItsDeductible 2006

Twins video to iPod-Zune-PSP-3GP 1.0

Ulead VideoStudio 7 SE DVD

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

VistaScan

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

WexTech AnswerWorks

Windows Genuine Advantage v1.3.0254.0

Windows Imaging Component

Windows Media Encoder 9 Series

Windows Media Encoder 9 Series

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player 11

Windows XP Service Pack 3

WinRAR

XviD MPEG-4 Video Codec

----

new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:53:41 PM, on 3/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\twain_32\L12U16U2\SrvMod.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Documents%20and%20Settings/Owner/My%20Documents/Random/links.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe

O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\cheryl\Application Data\Macromedia\Common\4c02c01e1.dll""

O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\4c02c01e1.dll"" (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: SrvMod.lnk = C:\WINDOWS\twain_32\L12U16U2\SrvMod.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C087A00-4342-44A6-AC37-95C0C68DE080}: NameServer = 206.141.193.55,66.73.20.40

O17 - HKLM\System\CS1\Services\Tcpip\..\{1C087A00-4342-44A6-AC37-95C0C68DE080}: NameServer = 206.141.193.55,66.73.20.40

O17 - HKLM\System\CS2\Services\Tcpip\..\{1C087A00-4342-44A6-AC37-95C0C68DE080}: NameServer = 206.141.193.55,66.73.20.40

O17 - HKLM\System\CS3\Services\Tcpip\..\{1C087A00-4342-44A6-AC37-95C0C68DE080}: NameServer = 206.141.193.55,66.73.20.40

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 7238 bytes


Hi :)

OK thank you for the detailed information, I always appreciate it!

Next:

Now I will be asking you to boot into Safe Mode for the next part of the fix. It may prove beneficial if you print off the following instructions or save them to notepad as you will not have Internet access whilst in the aforementioned safe mode.

How to boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should come up where you will be given the option to enter Safe Mode, do so.

If any problems refer to this tutorial.

In safe mode carry out the following:

Once in Safe Mode, double-click on SmitfraudFix.exe

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

Next:

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs can be read here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Extra note: If ComboFix will not run rename the executable file to Dakeyras.exe

When completed the above, please post back the following (use more than one post if needed) in the order asked for:

  • How is your computer performing now, any other symptoms and/or problems encountered?
  • Rapport.txt
  • ComboFix Log.
  • A new HijackThis Log.

Hi again.

Unfortunately, I'm stuck at the same place I was before -- I booted into Safe Mode, double-clicked on the SmitfraudFix.exe, and received the same error message ("SmitfraudFix.exe has encountered a problem and needs to close. We are sorry for the inconvenience." etc).

I didn't download/run ComboFix since it seemed like I needed to have the clean first, but let me know if I should run ComboFix even if SmitfraudFix didn't work.

In case it's helpful, I copied the text file that would be sent to Microsoft through the error. I don't have any of the requested logs.

Thanks!

cyrracq

-----

file name: d7ab_appcompat.txt

file contents:

<?xml version="1.0" encoding="UTF-16"?>

<DATABASE>

<EXE NAME="SmitfraudFix.exe" FILTER="GRABMI_FILTER_PRIVACY">

<MATCHING_FILE NAME="HJT-Install.exe" SIZE="812344" CHECKSUM="0x500A3516" BIN_FILE_VERSION="1.0.0.1" BIN_PRODUCT_VERSION="1.0.0.1" PRODUCT_VERSION="2.00.2" FILE_DESCRIPTION="HijackThis" COMPANY_NAME="Trend Micro Inc." PRODUCT_NAME="HijackThis" FILE_VERSION="2.00.2" ORIGINAL_FILENAME="HJTInstall.exe" INTERNAL_NAME="HJTInstall.exe" LEGAL_COPYRIGHT="© TrendMirco Inc. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0xD44EE" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.0.0.1" UPTO_BIN_PRODUCT_VERSION="1.0.0.1" LINK_DATE="06/07/2007 17:00:02" UPTO_LINK_DATE="06/07/2007 17:00:02" VER_LANGUAGE="English (United States) [0x409]" />

<MATCHING_FILE NAME="SmitfraudFix.exe" SIZE="1662721" CHECKSUM="0xC9166047" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="09/20/2007 12:34:46" UPTO_LINK_DATE="09/20/2007 12:34:46" />

<MATCHING_FILE NAME="Download\Azureus_2.5.0.0_Win32.setup.exe" SIZE="8799656" CHECKSUM="0x4BA5AB81" MODULE_TYPE="WIN32" PE_CHECKSUM="0x86F653" LINKER_VERSION="0x0" LINK_DATE="08/06/2006 20:09:31" UPTO_LINK_DATE="08/06/2006 20:09:31" />

<MATCHING_FILE NAME="Download\bitpim-0.9.10-setup.exe" SIZE="9826960" CHECKSUM="0x24B5BAD4" BIN_FILE_VERSION="0.0.0.0" BIN_PRODUCT_VERSION="0.0.0.0" FILE_DESCRIPTION="BitPim Setup " COMPANY_NAME="Roger Binns <rogerb@rogerbinns.com> " FILE_VERSION=" " LEGAL_COPYRIGHT="Copyright © 2003-2006 The BitPim developers " VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="0.0.0.0" UPTO_BIN_PRODUCT_VERSION="0.0.0.0" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />

<MATCHING_FILE NAME="Download\DeepBurner1.exe" SIZE="2863832" CHECKSUM="0xB99E273B" MODULE_TYPE="WIN32" PE_CHECKSUM="0x2C4808" LINKER_VERSION="0x0" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" />

<MATCHING_FILE NAME="Download\IE7-WindowsXP-x86-enu.exe" SIZE="15452536" CHECKSUM="0x7EC64198" BIN_FILE_VERSION="6.2.29.0" BIN_PRODUCT_VERSION="6.2.29.0" PRODUCT_VERSION="6.2.0029.0" FILE_DESCRIPTION="Self-Extracting Cabinet" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft


Apologies for the multiple posts. I didn't see the option to edit/delete previous posts.

It occurred to me after my last post that I hadn't tried renaming the SmitfraudFix.exe. I changed the name to Smitfraud-Fix.exe (in safe mode) and it ran! It prompted me about registry cleaning, but I did NOT see this flash up on the screen (I don't know if it happens in the background):

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

When it returned to the main screen, I exited and rebooted into normal mode. I downloaded ComboFix, disabled Norton Anti-Virus (the firewall apps didn't sound familiar, so I don't believe I have one), and double-clicked ComboFix to open. Neither ComboFix nor the renamed exe worked the first few times I tried it. I opened another app to see if it would work, closed it, and tried the renamed ComboFix app again, and it ran. Unfortunately, I have a different (older) version of Norton -- I right-clicked to "Disable" prior to running ComboFix (no option to set time), but it still flagged some items that I manually allowed.

I got an info pop-up:

Rootkit!!

ComboFix has detected the presence of rootkit activity and needs to reboot the machine.

Kindly note down on paper, the name of each file. We may need it later.

C:\WINDOWS\system32\drivers\TDSSserv.sys

C:\WINDOWS\system32\drivers\UACqpxevdnr.sys

C:\WINDOWS\system32\UACsiqlrbbo.ddl

C:\WINDOWS\system32\UACbcvbrsun.dat

C:\WINDOWS\system32\UACswwykrih.dll

C:\WINDOWS\system32\UAClxfqqbnh.dll

C:\WINDOWS\system32\UACxpowgjnv.dll

C:\WINDOWS\system32\UACspuccmvx.log

C:\WINDOWS\system32\UACmjgwqsew.log

C:\WINDOWS\system32\UACharubrfo.log

-- Clicked "OK" (reboot computer)

ComboFix continued to run on reboot.

It then rebooted again (Norton turned on again).

Here are the requested files.

----

rapport.txt

SmitFraudFix v2.399

Scan done at 8:31:16.57, Thu 03/05/2009

Run from C:\Documents and Settings\cheryl\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is

Fix run in safe mode
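The file names ComboFix reported above share one shape: a fixed uppercase prefix followed by eight random lowercase letters, spread across .sys, .dll, .dat and .log files, alongside a fixed-name driver. The following is an added example, not code from the thread or from any of the tools mentioned in it: a defender-side triage check that scans a directory listing for that naming pattern. The listing is constructed from the names in the post plus benign neighbours; the pattern itself is derived only from those names.

```python
import re
from collections import defaultdict

# Shape of the names in the ComboFix list: "UAC" + eight random lowercase
# letters + a three-letter extension. Any extension is accepted so that the
# odd ".ddl" entry in the list is caught as well.
RANDOM_NAME = re.compile(r"^UAC[a-z]{8}\.[a-z]{3}$")

# Fixed-name driver reported by ComboFix in the same list.
KNOWN_NAMES = {"TDSSserv.sys"}


def suspicious_files(listing):
    """Return (path, reason) pairs for entries matching a known name or the pattern."""
    hits = []
    for path in listing:
        name = path.rsplit("\\", 1)[-1]
        if name in KNOWN_NAMES:
            hits.append((path, "known name"))
        elif RANDOM_NAME.match(name):
            hits.append((path, "random-name pattern"))
    return hits


def summarize(hits):
    """Count hits per extension so the spread across driver/library/data files is visible."""
    counts = defaultdict(int)
    for path, _ in hits:
        counts[path.rsplit(".", 1)[-1].lower()] += 1
    return dict(counts)


# Constructed listing: the ComboFix entries plus benign files that must not match.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\drivers\TDSSserv.sys",
    r"C:\WINDOWS\system32\drivers\UACqpxevdnr.sys",
    r"C:\WINDOWS\system32\UACsiqlrbbo.ddl",
    r"C:\WINDOWS\system32\UACbcvbrsun.dat",
    r"C:\WINDOWS\system32\UACswwykrih.dll",
    r"C:\WINDOWS\system32\UACspuccmvx.log",
    # Flagged by MBAM in the first post, but it does not fit the random-name
    # shape: a name-based check supplements scanner output, it does not replace it.
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
]

if __name__ == "__main__":
    found = suspicious_files(SAMPLE_LISTING)
    for path, reason in found:
        print(f"{reason:20} {path}")
    print(summarize(found))
```

On a live system the listing would come from the system32 and drivers directories; the uacinit.dll entry shows why scanner results still need to be read alongside this kind of check.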


Hi B)

I would have preferred once a complication arose you just informed myself and awaited my next advised course of action. Please in future adhere to this, however no harm done this time. So basically I mean no more self fixes OK! :)

P2P Advice:

Presently you have the following installed:

Azureus Vuze

Since this forum has no policy regarding the aforementioned I can not ask you to uninstall this, however please refrain from using this application during the malware removal process. As undoubtedly this is a likely source for your current malware problems.

Peer to Peer software may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice avoid these types of software applications.

Next:

OK since we are dealing with a RootKit(s) infection I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

Basically this allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards. In fact it most likely will never be secure again.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.


Hi again,

Thanks for all your help (and sorry for going off-script).

I had already changed all my banking passwords using another computer on the same network. Is this sufficient? The (other) computer itself is clean, but I don't know if a network can be infected.

I will probably reformat and reinstall, assuming I can find my Windows CD. I have a lot of data on my infected computer; how do I prevent the infection from being transported with that data (and back to the reformatted/reinstalled computer)? I'd hate to go through the reformat and reinstall, only to put the problem back on the computer. I plan to copy the data files to an external HD prior to reformatting, and then copy the files back to the computer post reformatting. Also, will a reformat guarantee a secure computer; can the infection hide somehow?

Thanks again,

cyrracq


Hi :)

Thanks for all your help (and sorry for going off-script).

You're welcome! As I mentioned, no harm done, but if you ever require assistance again in the future it is always advisable to stick to what is instructed and, if any problems arise, just inform your helper and await a reply.

I had already changed all my banking passwords using another computer on the same network. Is this sufficient? The (other) computer itself is clean, but I don't know if a network can be infected.

There is no indication your network has been compromised. However, there is no way to tell whether the other computer has been affected until it has been scanned. If the other computer on the network does have file sharing enabled, it is likely to have been compromised also.

It would be prudent to update then run a full scan with whatever Anti-Virus software is installed. Also download and install/update/run a full scan with Malwarebytes' Anti-Malware on your other computer. Also being honest I would seriously consider a reformat/reinstallation if file sharing is enabled.

I will probably reformat and reinstall, assuming I can find my Windows CD. I have a lot of data on my infected computer; how do I prevent the infection from being transported with that data (and back to the reformatted/reinstalled computer)? I'd hate to go through the reformat and reinstall, only to put the problem back on the computer. I plan to copy the data files to an external HD prior to reformatting, and then copy the files back to the computer post reformatting. Also, will a reformat guarantee a secure computer; can the infection hide somehow?

Personally I applaud your common sense regarding this situation. Being totally honest if this was one of my computers I would no doubt be feeling the exasperation you are currently experiencing but would not hesitate to carry out a reformat/reinstallation.

Especially since both my wife and I use online-banking this is even more so a prudent course of action.

OK there is no way to ever tell how much data has been compromised, once a machine has been infected with a rootkit I'm afraid. Now as far as I am aware this type of infection that invaded your machine, is not capable of surviving the reformat/reinstallation process with master boot record infection characteristics.

Reformat & Reinstall Advice:

Since you decided to do a clean install read the information below.

Please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help.

You can print all this information so you have it handy.

When should I re-format? How should I reinstall?

Windows XP Clean install

Then there are a couple of things you should do immediately after installing Windows and before surfing the net...

  • Use Anti Virus software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
    Here are some free Anti Virus programs which I recommend to use:
  • Update your Anti Virus software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    Here are some free Firewalls which I recommend to use:
    (Use only one, and disable your Windows Firewall)
  • Keep your system updated - Microsoft releases patches for Windows and other products regularly:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab.
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then OK to exit the Internet Properties page.
  • Malwarebytes' Anti-Malware - Download it from here.
    The tutorial on how to use MBAM is located here.
  • Install WinPatrol - Download it from here.
    You can find information about how WinPatrol works here.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    Download it from here.
    The tutorial on how to use SpywareBlaster is located here.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good Luck! B) If any questions do not hesitate to ask.
