uacinit.dll & blue screen problem - Please help



Hi jrukgh, and welcome to Malwarebytes!

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Hello Kenny94 and thank you very much indeed for responding - it's really appreciated.

When I try to run RootRepeal I get a message saying 'Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog.'

I increased the setting it suggested, but it doesn't appear to make any difference - I still get the same message.

Regards,

John.


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Next

You will want to print out or copy these instructions to Notepad for offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not the user I'm helping and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Have infinite patience while any of these are running (especially with Combofix below)

Do NOT do any websurfing; nor play online games.

Only go to websites I guide you to and to this forum.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • RIGHT click on Combo-Fix.exe and select Run as Administrator & follow the prompts.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

[image: rootkit-found warning dialog]

then be sure to write it down fully, also copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

Next, Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2510 or later. The latest program version is 1.40

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt

& the new (latest) MBAM scan log

& tell me, how is your system now?


Hi again,

I've run the ATF cleaner OK, downloaded ComboFix and disabled anti-virus and firewall. Since I started Combo-Fix and told it to go, all it's done is paint a small grey box titled ComboFix on the desktop with a small white bar in it that could be a progress bar showing no progress. Is this what you'd expect? Very sorry if I'm not being patient - it's just not quite what I expected!

Thanks and Regards,

John.


Nothing's changed. Still just showing that little grey box and no obvious activity apart from a very small flash of the disk light every minute or so.

Incidentally - do I need to stay connected to the internet while it scans? And can I run it in Safe mode - it seems happier there at the moment.

Regards,

John.


Time for bed here. I don't think ComboFix is running properly, judging by the descriptions I've found of how it's supposed to behave. I suspect I will need to reboot and try again. Since the firewall is down I'm going to disconnect the internet connection, but I'll leave the PC on until I hear from you with confirmation of what you want me to do, and whether safe mode is OK, and whether ComboFix needs an internet connection to run.

Thanks and Regards,

John.


Hi there Kenny94,

I hope you're well today. I did as you suggested and tried again, but unfortunately I have the same result. ComboFix doesn't appear to be doing anything - just opens a small grey box. I'm tempted to try in Safe Mode as I think I had more success getting Malwarebytes to run there - does that sound like a good idea? I'm not sure if I can connect to the internet in Safe Mode so my proposal is:

1. Delete Commy.exe

2. Reboot

3. Download ComboFix as Commy2.exe

4. Reboot to safe mode

5. Try running Commy2.exe

Does that sound like a good idea?

Regards,

John.


Hi Kenny94,

This is just going from bad to worse.

I can't get it to boot to Safe mode now.

When I boot up holding down F8 it flashes up 'keyboard failure' and then when it gets to the Windows Advanced Options Menu where I would select Safe Mode the keyboard doesn't work and so I can't select Safe Mode - the highlighted option is Start Windows Normally and I can't change it. Likewise on the Boot Device Menu I can't change the default option.

The keyboard works fine if I let it boot 'normally' so I'm inclined to think that the virus/malware/whatever has somehow done something to prevent me getting to Safe Mode.....

Any suggestions what to try next, please?

Regards,

John.


Let's try GMER, jrukgh, and see if it will run.

GMER

  • Download GMER by GMER from one of the links below:
    Link1
    Link2
  • Unzip it to a folder on your desktop
  • Double-click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run a scan, click OK
  • If you don't get a warning, then:
    • Click the Rootkit tab
    • Click Scan
  • Once the scan has finished, click Copy
  • Paste the log into Notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click Copy
  • Paste the log into Notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Send the contents of gmerautos.txt and gmerrk.txt as a reply to this topic


OK, Thanks,

I'll give that a go shortly. Is it OK to download the file to my other PC and transfer it to the infected PC via a memory stick, rather than downloading directly to the infected PC? I'm not sure if it makes any difference now, but I feel it would be good to minimise connection to the internet until things are cleaned up.

Regards,

John.


I copied the GMER.exe across from a memory stick and it started up OK. It did give the warning about rootkit activity and so I said 'Yes' and it started a scan. Unfortunately after scanning for a couple of minutes it then went to a blue screen with the 'DRIVER_IRQL_NOT_LESS_OR_EQUAL' error.

Is it a good idea to try running it again?


Try to run GMER again. Also, you ran Malwarebytes before. Can you run it again?

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you cannot do any of the above, try the below, jrukgh, since you have access to another PC.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System
  • Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post if you're unable to view the entire screen of Avira.
  2. You can also review this one.
  3. Currently only the German keyboard is supported. English keyboards require workarounds: http://forum.avira.com/wbb/index.php?page=Thread&postID=737024#post737024
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go into the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Hi Kenny94,

A bit of better news today. The GMER scan has run - see results below. It did pop a message saying:

WARNING !!!

GMER has found system modification caused by ROOTKIT activity.

I tried to get Malwarebytes to update and it failed on the installation (it got stuck at 'Finishing installation' - I think this relates to the original problem I had with it, where the 'proper' names for the installation software and MBAM itself are being blocked). So, I can only run the version I have currently (which I renamed) - 1.40, database version 2551 - is that good enough?

Regards,

John.

Here are the scans -

gmerrk.txt

GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-08-10 19:05:05

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

Code 82D78110 ZwEnumerateKey

Code 82D78550 ZwFlushInstructionCache

Code 82D76C66 IofCallDriver

Code 82D53A36 IofCompleteRequest

Code 82D7800D ZwSaveKey

Code 82D7EAC5 ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey 804DD6E8 5 Bytes JMP 82D78012

.text ntoskrnl.exe!ZwSaveKeyEx 804DD6FC 5 Bytes JMP 82D7EACA

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82D76C6B

.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 82D53A3B

PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 82D78114

PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 82D78554

? srescan.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F6323B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F6323930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F6324260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F6321E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F6321E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F6323B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F6323930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F6324260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F6323B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F6324260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F6323930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F6321E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F6324260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6323930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F6323B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F6321E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F6323B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F6323930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F6324260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F6324260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F6323930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F6321E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F6323B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F633CB30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F6323B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F6321E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F6324260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F6323930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F631C980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F631C8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F631CA80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F631C5E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C88332C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C88331D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C88331D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!CreateThread] [7C88332C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!GetModuleHandleA] [7C883322] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!GetModuleHandleW] [7C883327] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

IAT C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe[1496] @ C:\WINDOWS\system32\Wininet.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C88331D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C88332C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C88331D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3216] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C88331D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UAChhmtvdylkjbgrrrqj.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAChhmtvdylkjbgrrrqj.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAChhmtvdylkjbgrrrqj.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyijgelnvotnyxjral.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACsr \\?\globalroot\systemroot\system32\UACxbuowturxgoinocmg.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACemppbaqjcnrsivblo.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACymevpxmyxvnmsklyb.db

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACvbrnswqwmkloobhes.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACibmqdpfuwkfekpuwq.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACwdvtemcfxixovfexb.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAChhmtvdylkjbgrrrqj.sys

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAChhmtvdylkjbgrrrqj.sys

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyijgelnvotnyxjral.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACsr \\?\globalroot\systemroot\system32\UACxbuowturxgoinocmg.dat

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACemppbaqjcnrsivblo.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACymevpxmyxvnmsklyb.db

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACvbrnswqwmkloobhes.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACibmqdpfuwkfekpuwq.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACwdvtemcfxixovfexb.dll

---- Files - GMER 1.0.15 ----

File C:\Program Files\Picasa2\web\templates\blackfrm\indexpage.htm 2311 bytes

File C:\Program Files\Picasa2\web\templates\blackfrm\subpage.htm 5177 bytes

File C:\Program Files\Picasa2\web\templates\blackfrm\thumbnail.htm 1492 bytes

---- EOF - GMER 1.0.15 ----

gmerautos.txt

GMER 1.0.15.15020 - http://www.gmer.net

Autostart scan 2009-08-10 19:08:01

Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>

avgrsstarter@DLLName = avgrsstx.dll

WgaLogon@DLLName = WgaLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

HKLM\SYSTEM\CurrentControlSet\Services\ >>>

AdobeActiveFileMonitor@ = C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"

avg8emc@ = C:\PROGRA~1\AVG\AVG8\avgemc.exe

avg8wd@ = C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"

Capture Device Service@ = "C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe"

CiSvc@ = %SystemRoot%\system32\cisvc.exe

NVSvc@ = %SystemRoot%\System32\nvsvc32.exe

PhotoshopElementsDeviceConnect@ = C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys

UleadBurningHelper@ = C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

vsmon@ = C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>

@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

@BCMSMMSGBCMSMMSG.exe = BCMSMMSG.exe

@DVDSentryC:\WINDOWS\System32\DSentry.exe = C:\WINDOWS\System32\DSentry.exe

@AdaptecDirectCD"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

@DwlClientC:\Program Files\Common Files\Dell\EUSW\Support.exe l e s \ D e l l \ E U S W \ S u p p o r t . e x e ??? ?:? ??? x?? ?? X?? ? ?? P?? ? ?w? ?w)??p ? ???( u ?U?w ?????? ??? 0?? ???w, ?w?M?wW??w???w)??p ???x'@ ? X?? ??? ?"@ e /*file not found*/ = C:\Program Files\Common Files\Dell\EUSW\Support.exe l e s \ D e l l \ E U S W \ S u p p o r t . e x e ??? ?:? ??? x?? ?? X?? ? ?? P?? ? ?w? ?w)??p ? ???( u ?U?w ?????? ??? 0?? ???w, ?w?M?wW??w???w)??p ???x'@ ? X?? ??? ?"@ e /*file not found*/

@nwiznwiz.exe /install = nwiz.exe /install

@SearchUpgraderC:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe /*file not found*/ = C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe /*file not found*/

@SunJavaUpdateSchedC:\Program Files\Java\jre1.5.0_04\bin\jusched.exe = C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

@Auto Run Software for Photo Frame"C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe" /autorun = "C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe" /autorun

@WD Button ManagerWDBtnMgr.exe = WDBtnMgr.exe

@ISUSPM"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

@Google Desktop Search"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

@Picasa Media DetectorC:\Program Files\Picasa2\PicasaMediaDetector.exe = C:\Program Files\Picasa2\PicasaMediaDetector.exe

@AVG8_TRAYC:\PROGRA~1\AVG\AVG8\avgtray.exe = C:\PROGRA~1\AVG\AVG8\avgtray.exe

@HP Software UpdateC:\Program Files\HP\HP Software Update\HPWuSchd2.exe = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

@UVS11 PreloadC:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe = C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

@Bug ManagerC:\Program Files\Fitbug Limited\Bug Manager\BugManager.exe = C:\Program Files\Fitbug Limited\Bug Manager\BugManager.exe

@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime

@ZoneAlarm Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"

@hpqSRMonC:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe = C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>

@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background

@PopUpStopperFreeEdition"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

@swgC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

@SpybotSD TeaTimerC:\Program Files\Spybot - Search & Destroy\TeaTimer.exe = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>

@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/

@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =

@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll

@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealOne Player\rpshell.dll = C:\Program Files\Real\RealOne Player\rpshell.dll

@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll

@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll

@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll

@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll

@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll

@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll

@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll

@{D9872D13-7651-4471-9EEE-F0A00218BEBB} /*Multiscan*/(null) =

@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG8 Shell Extension*/C:\Program Files\AVG\AVG8\avgse.dll = C:\Program Files\AVG\AVG8\avgse.dll

@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG8 Find Extension*/(null) =

@{DBD8E168-244D-448C-9922-25508950D1DC} /*Ulead UDF Driver*/C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll = C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll

@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>

AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll

MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>

@{0347C33E-8762-4905-BF09-768834316C61}C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll = C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

@{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}C:\Program Files\AVG\AVG8\avgssie.dll = C:\Program Files\AVG\AVG8\avgssie.dll

@{53707962-6F74-2D53-2644-206D7942484F}C:\Program Files\Spybot - Search & Destroy\SDHelper.dll = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar1.dll = c:\program files\google\googletoolbar1.dll

@{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll = C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

@{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL = C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

@{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll = C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>

@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>

@Default_Page_URLhttp://www.euro.dell.com/countries/uk/enu/gen/default.htm = http://www.euro.dell.com/countries/uk/enu/gen/default.htm

@Start Pagehttp://www.google.co.uk/ = http://www.google.co.uk/

@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>

dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll

its@CLSID = C:\WINDOWS\System32\itss.dll

linkscanner@CLSID = C:\Program Files\AVG\AVG8\avgpp.dll

mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll

ms-its@CLSID = C:\WINDOWS\System32\itss.dll

tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

C:\Documents and Settings\jandj\Start Menu\Programs\Startup = DESKTOP.INI

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>

Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk

DESKTOP.INI = DESKTOP.INI

Digital Line Detect.lnk = Digital Line Detect.lnk

DSLMON.lnk = DSLMON.lnk

HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk

---- EOF - GMER 1.0.15 ----


Your PC has a TDSS rootkit. Let's try to remove it. We can't use ComboFix, but maybe we can get lucky with Avenger?

Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UAChhmtvdylkjbgrrrqj.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Hi Kenny94,

I ran Avenger as you described but I never saw a black command window and it only re-booted once I'm afraid. It doesn't seem to have produced the logfile in C:\ either. There was a tick box at the bottom of the Avenger window that said something about disabling a rootkit which was not ticked and since the text didn't mention it, I left it alone - it wasn't supposed to be ticked on was it?

Also, I don't know if it's relevant or not, but the last couple of times I've booted the computer HPProductAssistant has started up by itself and attempted to install some software and asks for a CD-ROM. If I cancel this process it starts again - I have to kill it with Task Manager to get it to go away. I have had some issues with HP printer software ever since I got a new printer, so this could be unrelated.

I think I found out why I couldn't get to Safe Mode recently - I was pressing F8 too early and apparently this causes a keyboard problem so if you think trying anything again in Safe Mode might make a difference I could give it another go.

Regards,

Jonn.


I was pressing F8 too early and apparently this causes a keyboard problem so if you think trying anything again in Safe Mode might make a difference I could give it another go.

LOL. This happens a lot.... :(

If you still cannot get ComboFix (rename) to run in normal mode then try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

And post the C:\ComboFix.txt ( Commy).exe for me Jonn.


Hi Kenny94,

Good news is that ComboFix has started properly in Safe mode, but unfortunately I forgot to disable anti-virus etc first. It has detected AVG Anti-Virus Free running and asked me to stop it. Normally I would do this using the icon on the task bar at the bottom right, but in Safe mode I don't have this task bar. Can you give me any clues on how to disable it?

Also, do I need to disable the firewall or Spybot (and if so, how please?)

Sorry!

Regards,

John.


Hi Again Kenny 94,

I just tried to start AVG up and it says that in safe mode it can only run in command line mode, so I don't think it is actually running, and I think the ComboFix warning may be incorrect. The warning says -

ComboFix has detected the following real time scanner(s) to be active:

antivirus: AVG Anti-Virus Free

Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage.

Please disable these scanners before clicking 'OK'.

OK button

Should I press OK and let it proceed? If not, how do I safely stop it?

