Recently I've been noticing issues with my computer. It first happened when I got an alert that my Windows firewall was disabled. So I enabled it. After that, I opened up Malwarebytes and updated it. I did a scan and it came up negative. I then opened AVG and did an update. Then I did a scan on it. It took about 2 hours or so, but it also came up negative.

I know something is up b/c I have PopUp Killer on my computer and I can hear windows being killed in the background every so often. This never happened before. I then tried HijackThis, but it would start for a second, then close. I tried opening it again, but it gave me an alert that I don't have permission. I then tried to reopen Malwarebytes to run another scan, but it would not run. I went to the C: directory to rename it. Then I tried again. It opened for a second, then closed, like what happened with the HijackThis program.

I started another topic earlier which is less specific, and if possible, could an admin close it. This is a more detailed description of my issue. Thank you for your help.

Hi musicshouldbefree101, Welcome to Malwarebytes :(

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

The infection you have is preventing CF from running.

Please download this tool by sUBs, and save it to your desktop.

  • Close any applications that you have open, as your computer will be rebooted
  • Double click +++.exe to run the tool
  • When it has run it will reboot your computer, you may then delete the tool

Then please delete the ComboFix on your desktop, and then:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Hi spysentinel,

I just wanted to say thanks for taking the time to help. I d/l +++ and transferred it to the infected computer. I double clicked on the icon and it said it may need to restart my computer. It, however, did not. It then said that my computer is not infected. But I know it is b/c I can't access any scans and I can hear pop up windows being killed by my pop up killer.

Well, anyway, I also redownloaded Combo-Fix. I changed the name before d/l and then tried to run it. The same thing happened. It would not run. I'm not sure what to do.

Yes, the "not being infected" message is a known issue.

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

I downloaded it and ran it. Below is the log file.

SysProt AntiRootkit v1.0.1.0

by swatkat

********************************************************************************
********************************************************************************

Process:

Name: [system Idle Process]

PID: 0

Hidden: No

Window Visible: No

Name: System

PID: 4

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\smss.exe

PID: 564

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe

PID: 636

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe

PID: 660

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\services.exe

PID: 708

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe

PID: 720

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 872

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 996

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1124

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1256

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1496

Hidden: No

Window Visible: No

Name: C:\WINDOWS\explorer.exe

PID: 1572

Hidden: No

Window Visible: Yes

Name: C:\Program Files\Internet Explorer\iexplore.exe

PID: 1652

Hidden: No

Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

PID: 1792

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe

PID: 1840

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe

PID: 2016

Hidden: No

Window Visible: No

Name: C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe

PID: 276

Hidden: No

Window Visible: No

Name: C:\WINDOWS\msa.exe

PID: 480

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 604

Hidden: No

Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PID: 780

Hidden: No

Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

PID: 884

Hidden: No

Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe

PID: 1092

Hidden: No

Window Visible: No

Name: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

PID: 1316

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe

PID: 1492

Hidden: No

Window Visible: No

Name: C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe

PID: 1608

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe

PID: 1752

Hidden: No

Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe

PID: 424

Hidden: No

Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

PID: 448

Hidden: No

Window Visible: No

Name: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

PID: 496

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 624

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\java.exe

PID: 2228

Hidden: No

Window Visible: No

Name: C:\Program Files\PopUp Killer\PopUpKiller.exe

PID: 3240

Hidden: No

Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe

PID: 3252

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe

PID: 3804

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe

PID: 3732

Hidden: No

Window Visible: No

Name: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

PID: 444

Hidden: No

Window Visible: No

Name: C:\Documents and Settings\Dave Huynh\Desktop\SysProt.exe

PID: 3552

Hidden: No

Window Visible: Yes

Name: C:\WINDOWS\system32\wuauclt.exe

PID: 3964

Hidden: No

Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe

PID: 216

Hidden: No

Window Visible: No

********************************************************************************
********************************************************************************

Kernel Modules:

Module Name: \systemroot\system32\drivers\SKYNETrsblnsrr.sys

Service Name: SKYNETiemlwerx

Module Base: ---

Module End: ---

Hidden: Yes

Module Name: \systemroot\system32\drivers\UACbxrmwcylkn.sys

Service Name: UACd.sys

Module Base: ---

Module End: ---

Hidden: Yes

Module Name: \??\C:\Documents and Settings\Dave Huynh\Desktop\SysProtDrv.sys

Service Name: SysProtDrv.sys

Module Base: F6B5A000

Module End: F6B65000

Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe

Service Name: ---

Module Base: 804D7000

Module End: 806FF000

Hidden: No

Module Name: \WINDOWS\system32\hal.dll

Service Name: ---

Module Base: 806FF000

Module End: 8071FD00

Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL

Service Name: ---

Module Base: F7A61000

Module End: F7A63000

Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll

Service Name: ---

Module Base: F7971000

Module End: F7974000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys

Service Name: ACPI

Module Base: F7512000

Module End: F7540000

Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS

Service Name: ---

Module Base: F7A63000

Module End: F7A65000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys

Service Name: PCI

Module Base: F7501000

Module End: F7512000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys

Service Name: isapnp

Module Base: F7561000

Module End: F756B000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys

Service Name: PCIIde

Module Base: F7B29000

Module End: F7B2A000

Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

Service Name: ---

Module Base: F77E1000

Module End: F77E8000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys

Service Name: MountMgr

Module Base: F7571000

Module End: F757C000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys

Service Name: Disk

Module Base: F74E2000

Module End: F7501000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys

Service Name: PartMgr

Module Base: F77E9000

Module End: F77EE000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys

Service Name: VolSnap

Module Base: F7581000

Module End: F758E000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys

Service Name: atapi

Module Base: F74CA000

Module End: F74E2000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys

Service Name: ---

Module Base: F7591000

Module End: F759A000

Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Service Name: ---

Module Base: F75A1000

Module End: F75AE000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys

Service Name: FltMgr

Module Base: F74AA000

Module End: F74CA000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys

Service Name: sr

Module Base: F7498000

Module End: F74AA000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys

Service Name: PxHelp20

Module Base: F75B1000

Module End: F75BA000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys

Service Name: KSecDD

Module Base: F7481000

Module End: F7498000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys

Service Name: Ntfs

Module Base: F73F4000

Module End: F7481000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys

Service Name: NDIS

Module Base: F73C7000

Module End: F73F4000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys

Service Name: Mup

Module Base: F73AD000

Module End: F73C7000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys

Service Name: agp440

Module Base: F75C1000

Module End: F75CC000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys

Service Name: intelppm

Module Base: F7731000

Module End: F773A000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys

Service Name: nv

Module Base: F70CE000

Module End: F7203000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS

Service Name: ---

Module Base: F70BA000

Module End: F70CE000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys

Service Name: usbuhci

Module Base: F78D1000

Module End: F78D7000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS

Service Name: ---

Module Base: F7096000

Module End: F70BA000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys

Service Name: usbehci

Module Base: F78D9000

Module End: F78E1000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys

Service Name: HSFHWBS2

Module Base: F7064000

Module End: F7096000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys

Service Name: ---

Module Base: F7041000

Module End: F7064000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_DP.sys

Service Name: HSF_DP

Module Base: F6F3D000

Module End: F7041000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys

Service Name: winachsf

Module Base: F6EA2000

Module End: F6F3D000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS

Service Name: Modem

Module Base: F78E1000

Module End: F78E9000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\e1000325.sys

Service Name: E1000

Module Base: F6E84000

Module End: F6EA2000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys

Service Name: i8042prt

Module Base: F7741000

Module End: F774E000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys

Service Name: Kbdclass

Module Base: F78F1000

Module End: F78F7000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys

Service Name: Serial

Module Base: F7751000

Module End: F7761000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys

Service Name: serenum

Module Base: F7A19000

Module End: F7A1D000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys

Service Name: Parport

Module Base: F6E70000

Module End: F6E84000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Service Name: Cdrom

Module Base: F7761000

Module End: F7771000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\pwd_2k.SYS

Service Name: pwd_2k

Module Base: F6E51000

Module End: F6E70000

Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys

Service Name: GEARAspiWDM

Module Base: F7771000

Module End: F777B000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\smwdm.sys

Service Name: smwdm

Module Base: F6DC3000

Module End: F6E51000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys

Service Name: ---

Module Base: F6D9F000

Module End: F6DC3000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys

Service Name: ---

Module Base: F7781000

Module End: F7790000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aeaudio.sys

Service Name: aeaudio

Module Base: F7A87000

Module End: F7A89000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys

Service Name: audstub

Module Base: F7BFE000

Module End: F7BFF000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys

Service Name: Rasl2tp

Module Base: F7791000

Module End: F779E000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys

Service Name: NdisTapi

Module Base: F7A1D000

Module End: F7A20000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys

Service Name: NdisWan

Module Base: F6D88000

Module End: F6D9F000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys

Service Name: RasPppoe

Module Base: F77A1000

Module End: F77AC000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys

Service Name: PptpMiniport

Module Base: F77B1000

Module End: F77BD000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS

Service Name: ---

Module Base: F78F9000

Module End: F78FE000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys

Service Name: PSched

Module Base: F6D77000

Module End: F6D88000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys

Service Name: Gpc

Module Base: F77C1000

Module End: F77CA000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys

Service Name: Ptilink

Module Base: F7901000

Module End: F7906000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys

Service Name: Raspti

Module Base: F7909000

Module End: F790E000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys

Service Name: TermDD

Module Base: F77D1000

Module End: F77DB000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys

Service Name: Mouclass

Module Base: F7911000

Module End: F7917000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys

Service Name: swenum

Module Base: F7A89000

Module End: F7A8B000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys

Service Name: Update

Module Base: F5F7A000

Module End: F5FD8000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys

Service Name: mssmbios

Module Base: F7A2D000

Module End: F7A31000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\dvd_2K.SYS

Service Name: dvd_2K

Module Base: F7919000

Module End: F791E000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Service Name: NDProxy

Module Base: F75E1000

Module End: F75EB000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys

Service Name: usbhub

Module Base: F75F1000

Module End: F7600000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS

Service Name: ---

Module Base: F7A91000

Module End: F7A93000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys

Service Name: Flpydisk

Module Base: F7921000

Module End: F7926000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS

Service Name: Cdr4_xp

Module Base: F7B33000

Module End: F7B34000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS

Service Name: Cdralw2k

Module Base: F7B2D000

Module End: F7B2E000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Service Name: Fs_Rec

Module Base: F7A93000

Module End: F7A95000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS

Service Name: Null

Module Base: F7B2F000

Module End: F7B30000

Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys

Service Name: VgaSave

Module Base: F7931000

Module End: F7937000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Service Name: mnmdd

Module Base: F7A95000

Module End: F7A97000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Service Name: RDPCDD

Module Base: F7A97000

Module End: F7A99000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS

Service Name: cdudf_xp

Module Base: ECD27000

Module End: ECD62000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS

Service Name: Msfs

Module Base: F7939000

Module End: F793E000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS

Service Name: Npfs

Module Base: F7941000

Module End: F7949000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\hidusb.sys

Service Name: hidusb

Module Base: F7207000

Module End: F720A000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS

Service Name: ---

Module Base: F7621000

Module End: F762A000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS

Service Name: ---

Module Base: F7949000

Module End: F7950000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS

Service Name: UdfReadr_xp

Module Base: ECCA8000

Module End: ECCDB000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys

Service Name: RasAcd

Module Base: F7203000

Module End: F7206000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys

Service Name: IPSec

Module Base: ECC5B000

Module End: ECC6E000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys

Service Name: Tcpip

Module Base: ECC02000

Module End: ECC5B000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys

Service Name: AvgTdiX

Module Base: ECBE9000

Module End: ECC02000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys

Service Name: NetBT

Module Base: ECBC1000

Module End: ECBE9000

Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys

Service Name: AFD

Module Base: ECB9F000

Module End: ECBC1000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys

Service Name: NetBIOS

Module Base: F7631000

Module End: F763A000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys

Service Name: Rdbss

Module Base: ECB74000

Module End: ECB9F000

Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS

Service Name: OMCI

Module Base: F79F9000

Module End: F79FD000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys

Service Name: MRxSmb

Module Base: ECB04000

Module End: ECB74000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Service Name: mfehidk

Module Base: ECAD1000

Module End: ECB04000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys

Service Name: IpNat

Module Base: ECAAB000

Module End: ECAD1000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS

Service Name: Fips

Module Base: F7681000

Module End: F768C000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys

Service Name: Wanarp

Module Base: F7691000

Module End: F769A000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys

Service Name: usbprint

Module Base: F7951000

Module End: F7958000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS

Service Name: USBSTOR

Module Base: F7959000

Module End: F7960000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouhid.sys

Service Name: mouhid

Module Base: F7A09000

Module End: F7A0C000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys

Service Name: AvgMfx86

Module Base: F7961000

Module End: F7967000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys

Service Name: AvgLdx86

Module Base: ECA5A000

Module End: ECAAB000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Service Name: Fastfat

Module Base: ECA0E000

Module End: ECA32000

Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys

Service Name: ---

Module Base: EC9F6000

Module End: ECA0E000

Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS

Service Name: ---

Module Base: F7AB3000

Module End: F7AB5000

Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys

Service Name: ---

Module Base: F5F5E000

Module End: F5F61000

Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys

Service Name: ---

Module Base: F7801000

Module End: F7806000

Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys

Service Name: ---

Module Base: F7B87000

Module End: F7B88000

Hidden: No

Module Name: \systemroot\win32k.sys:1

Service Name: ---

Module Base: F7841000

Module End: F7846000

Hidden: Yes

Module Name: \systemroot\win32k.sys:2

Service Name: ---

Module Base: ECDC2000

Module End: ECDD1000

Hidden: Yes

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys

Service Name: Ndisuio

Module Base: EC4A7000

Module End: EC4AB000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys

Service Name: wdmaud

Module Base: EB902000

Module End: EB917000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys

Service Name: sysaudio

Module Base: EBB27000

Module End: EBB36000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys

Service Name: kmixer

Module Base: EB8B4000

Module End: EB8DF000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys

Service Name: MRxDAV

Module Base: EB6EF000

Module End: EB71C000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS

Service Name: ParVdm

Module Base: F7B21000

Module End: F7B23000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys

Service Name: mdmxsdk

Module Base: EB6CF000

Module End: EB6D2000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys

Service Name: Srv

Module Base: EB55D000

Module End: EB5AF000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys

Service Name: HTTP

Module Base: F6D36000

Module End: F6D77000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\fdc.sys

Service Name: Fdc

Module Base: F78E9000

Module End: F78F0000

Hidden: No

********************************************************************************
********************************************************************************

No SSDT Hooks found

********************************************************************************
********************************************************************************

Kernel Hooks:

Hooked Function: ZwFlushInstructionCache

At Address: 80587BFB

Jump To: 86D09C7A

Module Name: _unknown_

Hooked Function: ZwEnumerateKey

At Address: 80578E14

Jump To: 86CFA9DA

Module Name: _unknown_

Hooked Function: PsGetProcessWin32WindowStation

At Address: 804F41EC

Jump To: FD806070

Module Name: _unknown_

Hooked Function: PsGetProcessJob

At Address: 804F41EC

Jump To: FD806070

Module Name: _unknown_

Hooked Function: IofCompleteRequest

At Address: 804E17BD

Jump To: 86ECC852

Module Name: _unknown_

Hooked Function: IofCallDriver

At Address: 804E13A7

Jump To: 86CFA7CA

Module Name: _unknown_

********************************************************************************
********************************************************************************

No IRP Hooks found

********************************************************************************
********************************************************************************

Ports:

Local Address: DAVE.EARTHLINK.NET:1104

Remote Address: 78.46.213.91:HTTPS

Type: TCP

Process: C:\WINDOWS\system32\svchost.exe

State: SYN_SENT

Local Address: DAVE.EARTHLINK.NET:1103

Remote Address: 216.240.157.130:HTTP

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: SYN_SENT

Local Address: DAVE.EARTHLINK.NET:1090

Remote Address: 8.17.64.86:HTTP

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: ESTABLISHED

Local Address: DAVE.EARTHLINK.NET:NETBIOS-SSN

Remote Address: 0.0.0.0:0

Type: TCP

Process: System

State: LISTENING

Local Address: DAVE:32000

Remote Address: LOCALHOST:31000

Type: TCP

Process: C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe

State: ESTABLISHED

Local Address: DAVE:32000

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe

State: LISTENING

Local Address: DAVE:31000

Remote Address: LOCALHOST:32000

Type: TCP

Process: C:\WINDOWS\system32\java.exe

State: ESTABLISHED

Local Address: DAVE:27015

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

State: LISTENING

Local Address: DAVE:18080

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: LISTENING

Local Address: DAVE:13128

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: LISTENING

Local Address: DAVE:10080

Remote Address: LOCALHOST:1102

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: ESTABLISHED

Local Address: DAVE:10080

Remote Address: LOCALHOST:1089

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: ESTABLISHED

Local Address: DAVE:10080

Remote Address: LOCALHOST:1086

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1084

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1082

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1080

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1078

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1076

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1074

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1072

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1070

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1068

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1066

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1064

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1060

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1058

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1056

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1054

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1052

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1049

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1044

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1040

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1038

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: LOCALHOST:1036

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:10080

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: LISTENING

Local Address: DAVE:9481

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\java.exe

State: LISTENING

Local Address: DAVE:8888

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\java.exe

State: LISTENING

Local Address: DAVE:5354

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: LISTENING

Local Address: DAVE:2323

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\java.exe

State: LISTENING

Local Address: DAVE:1102

Remote Address: LOCALHOST:10080

Type: TCP

Process: C:\Documents and Settings\Dave Huynh\Desktop\SysProt.exe

State: ESTABLISHED

Local Address: DAVE:1089

Remote Address: LOCALHOST:10080

Type: TCP

Process: C:\WINDOWS\msa.exe

State: ESTABLISHED

Local Address: DAVE:1062

Remote Address: LOCALHOST:10080

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:1042

Remote Address: LOCALHOST:10080

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: DAVE:3261

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

State: LISTENING

Local Address: DAVE:3260

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

State: LISTENING

Local Address: DAVE:MICROSOFT-DS

Remote Address: 0.0.0.0:0

Type: TCP

Process: System

State: LISTENING

Local Address: DAVE:EPMAP

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\svchost.exe

State: LISTENING

Local Address: DAVE.EARTHLINK.NET:5353

Remote Address: NA

Type: UDP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: NA

Local Address: DAVE.EARTHLINK.NET:1900

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: DAVE.EARTHLINK.NET:138

Remote Address: NA

Type: UDP

Process: System

State: NA

Local Address: DAVE.EARTHLINK.NET:NETBIOS-NS

Remote Address: NA

Type: UDP

Process: System

State: NA

Local Address: DAVE.EARTHLINK.NET:123

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: DAVE:1900

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: DAVE:1100

Remote Address: NA

Type: UDP

Process: C:\Program Files\Internet Explorer\iexplore.exe

State: NA

Local Address: DAVE:1094

Remote Address: NA

Type: UDP

Process: C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe

State: NA

Local Address: DAVE:1051

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\msa.exe

State: NA

Local Address: DAVE:1025

Remote Address: NA

Type: UDP

Process: C:\Program Files\Internet Explorer\iexplore.exe

State: NA

Local Address: DAVE:123

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: DAVE:64153

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: DAVE:58974

Remote Address: NA

Type: UDP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: NA

Local Address: DAVE:57095

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: DAVE:8473

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\java.exe

State: NA

Local Address: DAVE:5353

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\java.exe

State: NA

Local Address: DAVE:4500

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\lsass.exe

State: NA

Local Address: DAVE:1028

Remote Address: NA

Type: UDP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: NA

Local Address: DAVE:500

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\lsass.exe

State: NA

Local Address: DAVE:MICROSOFT-DS

Remote Address: NA

Type: UDP

Process: System

State: NA

********************************************************************************

**********

********************************************************************************

**********

Hidden files/folders:

Object: C:\Documents and Settings\Dave Huynh\Local Settings\temp\UAC11be.tmp

Status: Hidden

Object: C:\Documents and Settings\Dave Huynh\Local Settings\Temporary Internet Files\Content.IE5\FRMK4L5J\st[9]

Status: Hidden

Object: C:\Program Files\Alcohol Soft\Alcohol 120\Plugins\Helper\UACHlper.exe

Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase

Status: Access denied

Object: C:\System Volume Information\tracking.log

Status: Access denied

Object: C:\System Volume Information\_restore{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}

Status: Access denied

Object: C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys

Status: Hidden

Object: C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys

Status: Hidden

Object: C:\WINDOWS\system32\SKYNETaanpewbp.dll

Status: Hidden

Object: C:\WINDOWS\system32\SKYNETboequxov.dll

Status: Hidden

Object: C:\WINDOWS\system32\SKYNETfmnmpxep.dat

Status: Hidden

Object: C:\WINDOWS\system32\SKYNETyxthtidw.dat

Status: Hidden

Object: C:\WINDOWS\system32\UACatdljceifo.dll

Status: Hidden

Object: C:\WINDOWS\system32\UACbepcfualqb.dll

Status: Hidden

Object: C:\WINDOWS\system32\UACidoobypfdv.dll

Status: Hidden

Object: C:\WINDOWS\system32\uacinit.dll

Status: Hidden

Object: C:\WINDOWS\system32\UACmetlabwqqh.dat

Status: Hidden

Object: C:\WINDOWS\system32\UACmrxdulqeec.db

Status: Hidden

Object: C:\WINDOWS\system32\UACtklrmhwwkr.dll

Status: Hidden

Object: C:\WINDOWS\system32\UACxextiffvdy.dll

Status: Hidden

Object: C:\WINDOWS\Temp\UAC5474.tmp

Status: Hidden

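The socket section of the SysProt log above is long, and the two processes that matter later in the thread (C:\WINDOWS\msa.exe and the a.exe running from a temp folder) are easy to miss among the AVG and Idle-Process rows. As an added example that is not part of this thread and not code from SysProt or Malwarebytes, the Python script below parses the five-field record layout SysProt prints per socket and applies two location rules a triager would use: an executable running from a temp directory, and an .exe sitting directly in C:\WINDOWS rather than in a system subfolder. The sample records are a constructed excerpt copied from the log above; the rules, regular expressions and function names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the five-field layout SysProt prints for each socket;
# the records themselves are copied from the log posted in this thread.
SAMPLE_LOG = r"""
Local Address: DAVE:1089
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\WINDOWS\msa.exe
State: ESTABLISHED

Local Address: DAVE:1094
Remote Address: NA
Type: UDP
Process: C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe
State: NA

Local Address: DAVE:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: DAVE:13128
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: DAVE:10080
Remote Address: LOCALHOST:1086
Type: TCP
Process: [system Idle Process]
State: TIME_WAIT
"""

FIELDS = ("Local Address", "Remote Address", "Type", "Process", "State")

# Rule 1 (assumption): a path component named temp or tmp between backslashes.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Rule 2 (assumption): an .exe directly under <drive>:\WINDOWS with no subfolder.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def parse_sysprot_sockets(text):
    """Turn 'Key: value' lines into one dict per socket; 'State' closes a record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(": ")
        if not sep or key not in FIELDS:
            continue              # separator rows or anything outside the layout
        current[key] = value.strip()
        if key == "State":        # last field of every record
            records.append(current)
            current = {}
    return records


def triage(records):
    """Return the records whose process path matches a location rule, with the reason."""
    findings = []
    for rec in records:
        proc = rec.get("Process", "")
        reasons = []
        if TEMP_DIR_RE.search(proc):
            reasons.append("executable running from a temp directory")
        if WINDIR_ROOT_RE.match(proc):
            reasons.append("executable placed directly in the Windows directory")
        if reasons:
            findings.append({"process": proc,
                             "local": rec.get("Local Address", ""),
                             "remote": rec.get("Remote Address", ""),
                             "state": rec.get("State", ""),
                             "reasons": reasons})
    return findings


def listeners_by_process(records):
    """Map each process to the local addresses it is LISTENING on, for review."""
    out = defaultdict(list)
    for rec in records:
        if rec.get("State") == "LISTENING":
            out[rec.get("Process", "")].append(rec.get("Local Address", ""))
    return dict(out)


if __name__ == "__main__":
    recs = parse_sysprot_sockets(SAMPLE_LOG)
    for f in triage(recs):
        print(f"{f['process']}  {f['local']} -> {f['remote']} [{f['state']}]: "
              + "; ".join(f["reasons"]))
    for proc, addrs in listeners_by_process(recs).items():
        print(f"LISTENING {proc}: {', '.join(addrs)}")
```

Location rules like these are cheap indicators, not verdicts: a program in the Windows root or a temp folder can be legitimate, so each hit is something to cross-check against the hidden-files section of the same log and against the vendor's own scan results before anything is moved or deleted. The listener inventory serves the same purpose for the LISTENING rows, which are otherwise hard to read off a log of this length.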

Step #1

Run SysProt AntiRootkit again

  • Click on the Kernel Modules Tab
  • Then one at a time, highlight the following entries and choose Disable
    \systemroot\system32\drivers\UACbxrmwcylkn.sys

  • Then exit SysProt AntiRootkit

Step #2

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@echo off

copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.

Step #3

We need to execute an Avenger2 script

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #4

Now try running ComboFix and Malwarebytes, then post the logs here.


Step 1. And I found two files

\systemroot\system32\drivers\SKYNETrsblnsrr.sys SKYNETiemlwerx Yes

\systemroot\system32\drivers\UACdaeointkmc.sys UACd.sys Yes

I highlighted both and clicked Disable and then closed it (but for some reason they would always reappear on reboot).

Step 2.

I opened notepad and copied the following into it -

@echo off

copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

Exit

I renamed it "fixes.bat" and then double-clicked on it.

Step 3.

I downloaded avenger and copied the following text -

Files to move:

c:\scecli.dll | C:\WINDOWS\system32\scecli.dll

I double clicked on avenger, copied the above text into the box and clicked execute.

Below is the log I received.

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Tue Aug 11 18:05:33 2009

18:05:33: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Step 4.

I ran combo fix again and again nothing happened. I know somewhere down the line I probably did something wrong, I just don't know what. I could not run Malwarebytes.


The problem is these two:

C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys

C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys

  1. Download RootRepeal from the following location and save it to your desktop.
  2. Rar Mirrors - Only if you know what a RAR is and can extract it.
  3. Extract RootRepeal.exe from the archive.
  4. Open RootRepeal from its desktop icon (rootRepealDesktopIcon.png).
  5. Click the Report tab (reportTab.png).
  6. Click the Scan button (btnScan.png).
  7. Check all seven boxes (checkBoxes2.png).
  8. Push Ok
  9. Check the box for your main system drive (Usually C:), and press Ok.
  10. Allow RootRepeal to run a scan of your system. This may take some time.
  11. Once the scan completes, push the Save Report button (saveReport.png). Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Let's try removing this manually

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

C:\Documents and Settings\Dave Huynh\Local Settings\temp\UAC11be.tmp

C:\Program Files\Alcohol Soft\Alcohol 120\Plugins\Helper\UACHlper.exe

C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys

C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys

C:\WINDOWS\system32\SKYNETaanpewbp.dll

C:\WINDOWS\system32\SKYNETboequxov.dll

C:\WINDOWS\system32\SKYNETfmnmpxep.dat

C:\WINDOWS\system32\SKYNETyxthtidw.dat

C:\WINDOWS\system32\UACatdljceifo.dll

C:\WINDOWS\system32\UACbepcfualqb.dll

C:\WINDOWS\system32\UACidoobypfdv.dll

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\UACmetlabwqqh.dat

C:\WINDOWS\system32\UACmrxdulqeec.db

C:\WINDOWS\system32\UACtklrmhwwkr.dll

C:\WINDOWS\system32\UACxextiffvdy.dll

C:\WINDOWS\Temp\UAC5474.tmp

C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe

Driver::

SKYNETiemlwerx

UACd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


I copied the following text below the dotted line in notepad and renamed it CFScript.txt

I then put it on the infected computer and dragged it over the combo-fix icon. The green status bar loaded and all the icons flashed once. There was nothing else.

--------------------------------

File::

C:\Documents and Settings\Dave Huynh\Local Settings\temp\UAC11be.tmp

C:\Program Files\Alcohol Soft\Alcohol 120\Plugins\Helper\UACHlper.exe

C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys

C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys

C:\WINDOWS\system32\SKYNETaanpewbp.dll

C:\WINDOWS\system32\SKYNETboequxov.dll

C:\WINDOWS\system32\SKYNETfmnmpxep.dat

C:\WINDOWS\system32\SKYNETyxthtidw.dat

C:\WINDOWS\system32\UACatdljceifo.dll

C:\WINDOWS\system32\UACbepcfualqb.dll

C:\WINDOWS\system32\UACidoobypfdv.dll

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\UACmetlabwqqh.dat

C:\WINDOWS\system32\UACmrxdulqeec.db

C:\WINDOWS\system32\UACtklrmhwwkr.dll

C:\WINDOWS\system32\UACxextiffvdy.dll

C:\WINDOWS\Temp\UAC5474.tmp

C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe

Driver::

SKYNETiemlwerx

UACd.sys


We need to check if there is a good copy of scecli.dll.

  • Please download
    FindIt.zip
  • Extract FindIt.zip
  • Run the RunMe.bat file in the enclosed folder.
  • Go through Device Manager -> View -> Show Hidden Devices -> Non plug and Play Drivers, and see if the following drivers are visible
    SKYNETrsblnsrr.sys
    UACbxrmwcylkn.sys
  • If they are, disable them and after a restart Combofix may have a chance to run.
  • After a restart try running ComboFix



Okay, I downloaded and unzipped FindIt. I then transferred it to my infected computer and ran it. Below is the log file that I got.

-c----w 180,224 2004-08-04 07:56:44 c:\Windows\$NtServicePackUninstall$\scecli.dll

------w 181,248 2008-04-14 00:12:05 c:\Windows\ServicePackFiles\i386\scecli.dll

----a-w 60,928 2008-04-14 00:12:05 c:\Windows\system32\scecli.dll

Entries: 3 (3)

Directories: 0 Files: 3

Bytes: 422,400 Blocks: 825

I then did the following

Go through Device Manager -> View -> Show Hidden Devices -> Non plug and Play Drivers, and see if the following drivers are visible

Attached is a photo of all items displayed under the Non-plug and Play Drivers

2i1cglw.jpg

I didn't see the files in question and have not done anything else. I will wait for further instructions.


1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@Echo Off

Ren C:\WINDOWS\system32\scecli.dll scecli.dll.vir

Copy /Y c:\Windows\ServicePackFiles\i386\scecli.dll C:\WINDOWS\system32\dllcache\scecli.dll

Copy /Y c:\Windows\ServicePackFiles\i386\scecli.dll C:\WINDOWS\system32\scecli.dll

Exit

3. Save the file as "fixes2.bat". Make sure to save it with the quotation marks.

4. Double click fixes2.bat.

Then please run the FindIt instructions above again.


I opened notepad and copied the following into it

@Echo Off

Ren C:\WINDOWS\system32\scecli.dll scecli.dll.vir

Copy /Y c:\Windows\ServicePackFiles\i386\scecli.dll C:\WINDOWS\system32\dllcache\scecli.dll

Copy /Y c:\Windows\ServicePackFiles\i386\scecli.dll C:\WINDOWS\system32\scecli.dll

Exit

then saved it as "fixes2.bat" and copied it to my infected computer. I then double-clicked on it. A window popped open for a second then closed.

I then re-ran FindIt and I got the following log file.

-c----w 180,224 2004-08-04 07:56:44 c:\Windows\$NtServicePackUninstall$\scecli.dll

------w 181,248 2008-04-14 00:12:05 c:\Windows\ServicePackFiles\i386\scecli.dll

----a-w 60,928 2008-04-14 00:12:05 c:\Windows\system32\scecli.dll

-c--a-w 181,248 2008-04-14 00:12:05 c:\Windows\system32\dllcache\scecli.dll

Entries: 4 (4)

Directories: 0 Files: 4

Bytes: 603,648 Blocks: 1,179

I then went to the device manager under non-plug and play drivers and here is an image of everything under that name.

2uynleu.jpg

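The two FindIt listings above show what the helper was checking for: the system32 copy of scecli.dll is 60,928 bytes while the Service Pack copy carrying the identical timestamp is 181,248 bytes, and the second listing (after fixes2.bat) shows dllcache restored to 181,248 bytes while the system32 copy still reports 60,928. As an added example that is not part of this thread and not FindIt's own code, the Python script below parses FindIt-style lines and flags any copy whose modification timestamp matches the reference copy but whose size does not; a copy with a different timestamp (the $NtServicePackUninstall$ backup) is reported as an older build rather than as suspicious, which is the false positive a naive size comparison would raise. The two listings are copied from the posts above; the choice of ServicePackFiles\i386 as the trusted reference (the source the helper copied from) and all names are my assumptions.

```python
import re
from dataclasses import dataclass

# The two FindIt listings posted in this thread (attributes, size, date, time, path).
BEFORE_FIX = r"""
-c----w 180,224 2004-08-04 07:56:44 c:\Windows\$NtServicePackUninstall$\scecli.dll
------w 181,248 2008-04-14 00:12:05 c:\Windows\ServicePackFiles\i386\scecli.dll
----a-w 60,928 2008-04-14 00:12:05 c:\Windows\system32\scecli.dll
"""

AFTER_FIX = r"""
-c----w 180,224 2004-08-04 07:56:44 c:\Windows\$NtServicePackUninstall$\scecli.dll
------w 181,248 2008-04-14 00:12:05 c:\Windows\ServicePackFiles\i386\scecli.dll
----a-w 60,928 2008-04-14 00:12:05 c:\Windows\system32\scecli.dll
-c--a-w 181,248 2008-04-14 00:12:05 c:\Windows\system32\dllcache\scecli.dll
"""

# One FindIt line: 7 attribute flags, size with thousands separators, date, time, path.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>\S.*)$")

# Assumption: the Service Pack file store is the trusted copy (fixes2.bat copies from it).
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"


@dataclass
class FileEntry:
    attrs: str
    size: int
    timestamp: str
    path: str


def parse_findit(text):
    """Parse FindIt lines into FileEntry records, ignoring summary and blank lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["attrs"],
                                     int(m["size"].replace(",", "")),
                                     f"{m['date']} {m['time']}",
                                     m["path"]))
    return entries


def check_copies(entries, reference_dir=REFERENCE_DIR):
    """Compare every copy against the reference copy's size and timestamp."""
    ref = next((e for e in entries
                if e.path.lower().startswith(reference_dir.lower())), None)
    if ref is None:
        raise ValueError("reference copy not present in listing")
    suspicious, other_version = [], []
    for e in entries:
        if e is ref or e.size == ref.size:
            continue
        if e.timestamp == ref.timestamp:
            # Same modification time as the trusted copy but a different length:
            # the content was replaced while the timestamp was preserved or set back.
            suspicious.append(e.path)
        else:
            other_version.append(e.path)   # a different build, e.g. an uninstall backup
    return {"reference": ref.path, "suspicious": suspicious,
            "other_version": other_version}


if __name__ == "__main__":
    for label, listing in (("before fixes2.bat", BEFORE_FIX), ("after fixes2.bat", AFTER_FIX)):
        result = check_copies(parse_findit(listing))
        print(f"{label}: reference {result['reference']}")
        for p in result["suspicious"]:
            print(f"  SUSPICIOUS size mismatch with matching timestamp: {p}")
        for p in result["other_version"]:
            print(f"  other build (timestamp differs): {p}")
```

Size and timestamp are all FindIt reports, so that is all this check can use; a substituted file of the same length would pass it, and where a tool gives hashes the comparison should be made on those instead. Run on the second listing, the script still reports the system32 copy, which is exactly what the post shows: fixes2.bat repopulated dllcache but the in-use copy in system32 kept its 60,928-byte size.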

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :processes
    explorer.exe

    :Services
    SKYNETiemlwerx
    UACd.sys

    :Files
    C:\Documents and Settings\Dave Huynh\Local Settings\temp\UAC11be.tmp
    C:\Program Files\Alcohol Soft\Alcohol 120\Plugins\Helper\UACHlper.exe
    C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys
    C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys
    C:\WINDOWS\system32\SKYNETaanpewbp.dll
    C:\WINDOWS\system32\SKYNETboequxov.dll
    C:\WINDOWS\system32\SKYNETfmnmpxep.dat
    C:\WINDOWS\system32\SKYNETyxthtidw.dat
    C:\WINDOWS\system32\UACatdljceifo.dll
    C:\WINDOWS\system32\UACbepcfualqb.dll
    C:\WINDOWS\system32\UACidoobypfdv.dll
    C:\WINDOWS\system32\uacinit.dll
    C:\WINDOWS\system32\UACmetlabwqqh.dat
    C:\WINDOWS\system32\UACmrxdulqeec.db
    C:\WINDOWS\system32\UACtklrmhwwkr.dll
    C:\WINDOWS\system32\UACxextiffvdy.dll
    C:\WINDOWS\Temp\UAC5474.tmp
    C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe

    :commands
    [purity]
    [emptytemp]
    [start explorer]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


I downloaded OTM and transferred the program to the infected computer. I double clicked the icon, copied the script and pasted it into the box. I then clicked the MoveIt button.

It started to run and then a window popped up that read

"The application or DLL C:\WINDOWS\system32\uacinit.dll is not a valid Windows image. Please check against your installation diskette."

I clicked ok on the window and it proceeded to finish running.

Here is the log file from that.

All processes killed

========== PROCESSES ==========

No active process named explorer.exe was found!

========== SERVICES/DRIVERS ==========

Service\Driver SKYNETiemlwerx not found.

Service\Driver key SKYNETiemlwerx deleted successfully.

Service\Driver UACd.sys not found.

Service\Driver key UACd.sys deleted successfully.

========== FILES ==========

C:\Documents and Settings\Dave Huynh\Local Settings\temp\UAC11be.tmp moved successfully.

C:\Program Files\Alcohol Soft\Alcohol 120\Plugins\Helper\UACHlper.exe moved successfully.

File/Folder C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys not found.

C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys moved successfully.

File/Folder C:\WINDOWS\system32\SKYNETaanpewbp.dll not found.

File/Folder C:\WINDOWS\system32\SKYNETboequxov.dll not found.

File/Folder C:\WINDOWS\system32\SKYNETfmnmpxep.dat not found.

File/Folder C:\WINDOWS\system32\SKYNETyxthtidw.dat not found.

DllUnregisterServer procedure not found in C:\WINDOWS\system32\UACatdljceifo.dll

C:\WINDOWS\system32\UACatdljceifo.dll NOT unregistered.

C:\WINDOWS\system32\UACatdljceifo.dll moved successfully.

DllUnregisterServer procedure not found in C:\WINDOWS\system32\UACbepcfualqb.dll

C:\WINDOWS\system32\UACbepcfualqb.dll NOT unregistered.

C:\WINDOWS\system32\UACbepcfualqb.dll moved successfully.

DllUnregisterServer procedure not found in C:\WINDOWS\system32\UACidoobypfdv.dll

C:\WINDOWS\system32\UACidoobypfdv.dll NOT unregistered.

C:\WINDOWS\system32\UACidoobypfdv.dll moved successfully.

LoadLibrary failed for C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\uacinit.dll NOT unregistered.

C:\WINDOWS\system32\uacinit.dll moved successfully.

C:\WINDOWS\system32\UACmetlabwqqh.dat moved successfully.

C:\WINDOWS\system32\UACmrxdulqeec.db moved successfully.

LoadLibrary failed for C:\WINDOWS\system32\UACtklrmhwwkr.dll

C:\WINDOWS\system32\UACtklrmhwwkr.dll NOT unregistered.

C:\WINDOWS\system32\UACtklrmhwwkr.dll moved successfully.

LoadLibrary failed for C:\WINDOWS\system32\UACxextiffvdy.dll

C:\WINDOWS\system32\UACxextiffvdy.dll NOT unregistered.

C:\WINDOWS\system32\UACxextiffvdy.dll moved successfully.

File/Folder C:\WINDOWS\Temp\UAC5474.tmp not found.

C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dave Huynh

->Temp folder emptied: 2257145 bytes

File delete failed. C:\Documents and Settings\Dave Huynh\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 500461166 bytes

->Java cache emptied: 7594 bytes

->FireFox cache emptied: 59738392 bytes

->Google Chrome cache emptied: 9547410 bytes

->Apple Safari cache emptied: 13808430 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 439506 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

C:\WINDOWS\msdownld.tmp folder deleted successfully.

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 16468480 bytes

Windows Temp folder emptied: 82496290 bytes

RecycleBin emptied: 71655413 bytes

Total Files Cleaned = 721.88 mb

OTM by OldTimer - Version 3.0.0.6 log created on 08132009_175125

Files moved on Reboot...

Registry entries deleted on Reboot...


This topic is now closed to further replies.