ken_nedy Posted July 30, 2009 ID:104220 Share Posted July 30, 2009 Thanks to anyone who can help!! It started when I clicked on a baloon in my toolbar stating the computer was severly infected with a rootkit and need to be removed. I clicked it and it asked me if I wanted to removed I said yes, and it was on from there...stupid. Now the computer freezes, windows does not load properly, yahoo mail has red blocks around the text and goggle/yahoo search redirects. These are probably small compaired to the amout of personal info that has been removed from my PC. I ahve changed all of my passwords from another computer. After this is fixed I assume i will need to reformat my drive . Also, the prgrams idenitfy the viruses and state they will be removed upon reboot, however windows freezes up on the restart and the infected files are not removed. Here are all of the logs I have ran: 1. Malwarebytes with a screenshot of the quarantine 2. HiJack 3. Super AnitSpyware 4. Dr. Cureit 5. Screenshot of Yahoo Malwarebytes Scan type: Quick Scan Objects scanned: 101752 Time elapsed: 4 minute(s), 24 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot. HiJackLogfile of Trend Micro HijackThis v2.0.2Scan saved at 10:24:27 PM, on 7/29/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Verizon\Verizon Internet Security Suite\rps.exeC:\WINDOWS\ehome\ehtray.exeC:\Program Files\Digital Media Reader\readericon45G.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exeC:\Program Files\Intel Audio Studio\IntelAudioStudio.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXEC:\Program Files\QuickTime\qttask.exeC:\Program Files\Verizon\McciTrayApp.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exeC:\Program Files\Verizon\VSP\VerizonServicepoint.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\SUPERAntiSpyware\13d4e4f0-0a58-41b7-98f0-8a46a51a015a.exeC:\My Backup -- 06-11-23 0153PM\Program Files\WinZip\WZQKPICK.EXEC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exeC:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exeC:\Program Files\Common Files\Motive\McciCMService.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\PnkBstrB.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exeC:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Bin\SanaAgent.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exeC:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Bin\SanaMonitor.exeC:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exeC:\Program Files\Microsoft Office\Office10\EXCEL.EXEC:\Program Files\Malwarebyte' Anti-Malware\mbam.exe.exeC:\WINDOWS\system32\notepad.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Internet Explorer\Iexplore.exeC:\Program Files\Internet Explorer\Iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg201.mail.yahoo.com/dc/launch?....d=3tv55fmn7dmfhR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.comO2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exeO4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXEO4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exeO4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAYO4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exeO4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUNO4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebyte' Anti-Malware\mbam.exe.exe" /runcleanupscriptO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quietO4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quietO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\13d4e4f0-0a58-41b7-98f0-8a46a51a015a.exeO4 - HKCU\..\RunOnce: [indexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')O4 - Global Startup: WinZip Quick Pick.lnk = C:\My Backup -- 06-11-23 0153PM\Program Files\WinZip\WZQKPICK.EXEO8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTMO8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTMO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTMO8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTMO9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dllO9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dllO9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dllO9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dllO9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CABO16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cabO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CABO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizon.com/voip/downloads/IOBIVMUtil.CABO16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cabO16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CABO16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: Intel Link to post Share on other sites More sharing options...
Kenny94 Posted August 3, 2009 ID:105635 Share Posted August 3, 2009 Hi ken_nedy and Welcome to Malwarebytes! Sorry for the delay.Download RootRepeal:http://rootrepeal.googlepages.com/RootRepeal.zipExtract the archive to a folder you create such as C:\RootRepealDouble-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).Click the "File" tab (located at the bottom of the RootRepeal screen)Click the "Scan" buttonIn the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:Click OK and the file scan will beginWhen the scan is done, there will be files listed, but most if not all of them will be legitimateClick the "Save Report" ButtonSave the log file to your Documents folderPost the content of the RootRepeal file scan log in your next reply. Link to post Share on other sites More sharing options...
ken_nedy Posted August 7, 2009 Author ID:107142 Share Posted August 7, 2009 KennySorry for the delay in getting back to you...I was out of town on travel. I have downloaded rootrepeal and removed a UAC.sys file and then ran malewarebytes and killed the other files. I followed the instructions listed on this link:http://www.malwarebytes.org/forums/index.php?showtopic=12709I am going to attach a post I made on Bleepingcomputer that contain an update with DDS logs. I will run root repeal tonight and post the log. Thank you for assisting me!New MemberGroup: MembersPosts: 6Joined: 23-July 09Member No.: 356,399I think I have removed the virus using the following link:http://www.malwarebytes.org/forums/index.php?showtopic=12709I used root repeal to remove a UAC.sys file and then ran malewarebytes and AVG to remove the additional threats. My computer seems to be running fine now, but would appreciate a check by you and determine if I have removed everything or if I need to take additional steps. Thanks for the help!DDS (Ver_09-07-30.01) - NTFSx86 Run by Owner at 21:26:31.09 on Mon 08/03/2009Internet Explorer: 8.0.6001.18702Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2212 [GMT -4:00]AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}AV: Verizon Internet Security Suite Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}FW: Verizon Internet Security Suite Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEsvchost.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\Program Files\Common Files\Motive\McciCMService.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSsvchost.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Bin\SanaAgent.exeC:\Program Files\Digital Media Reader\readericon45G.exeC:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exeC:\Program Files\Intel Audio Studio\IntelAudioStudio.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXEC:\Program Files\Intel\IntelDH\IntelBleeping_Computer.txtAttach.txtBleeping_Computer.txtAttach.txt Link to post Share on other sites More sharing options...
Kenny94 Posted August 7, 2009 ID:107181 Share Posted August 7, 2009 Hi ken_nedyYou are receiving help at@http://www.bleepingcomputer.com/forums/lof...hp/t244002.htmlfrom pwgib. Your in good hands. Link to post Share on other sites More sharing options...
ken_nedy Posted August 8, 2009 Author ID:107327 Share Posted August 8, 2009 Thanks! Link to post Share on other sites More sharing options...
Kenny94 Posted August 8, 2009 ID:107517 Share Posted August 8, 2009 Your Welcome ken_nedy..... Link to post Share on other sites More sharing options...
Recommended Posts