
PC Antispyware 2010



I have PC Antispyware 2010. I cannot run Malwarebytes for more than 5 seconds even when I rename it. DSS and HijackThis will not open. GMER ran when I changed the filename and ran in safe mode. I copied the results below. GMER ran about 30 minutes in normal mode but closed. Now I cannot run GMER; a window opens saying Windows cannot access the specified device. Please help!

Most programs do not run. I have cluttered my desktop with antivirus programs and I finally give up. Avira was running in the background while this ran. Should I disable it, if so, how? Should I uninstall it? I also downloaded and uninstalled other antispyware things, let me know if I need to remove more random files from these.

Thanks for looking at this! :D

GMER 1.0.15.15077 [gjill.exe] - http://www.gmer.net

Rootkit scan 2009-08-26 20:15:08

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code 82EBC290 ZwEnumerateKey

Code 82EBA058 ZwFlushInstructionCache

Code 82F38C96 IofCallDriver

Code 82E8E71E IofCompleteRequest

Code 82EB6B2D ZwSaveKey

Code 82F4B72D ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey 804DD6E8 5 Bytes JMP 82EB6B32

.text ntoskrnl.exe!ZwSaveKeyEx 804DD6FC 5 Bytes JMP 82F4B732

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82F38C9B

.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 82E8E723

PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 82EBC294

PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 82EBA05C

? win32k.sys:1 The system cannot find the file specified. !

? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01329315 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 013FDBCB C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 013FDD81 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01404832 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01361CA2 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0151E021 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0151DF51 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0151DFBE C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0151DE22 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0151DE84 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0151E084 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0151DEE6 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0140488E C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WININET.dll!HttpAddRequestHeadersA 63018275 5 Bytes JMP 0117000A

.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WININET.dll!HttpAddRequestHeadersW 630282B3 5 Bytes JMP 0126000A

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01329315 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01404832 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0151E021 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0151DF51 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0151DFBE C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0151DE22 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0151DE84 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0151E084 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0151DEE6 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WININET.dll!HttpAddRequestHeadersA 63018275 5 Bytes JMP 00F7000A

.text C:\Program Files\Internet Explorer\Iexplore.exe[632] WININET.dll!HttpAddRequestHeadersW 630282B3 5 Bytes JMP 0106000A

.text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1132] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1132] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1248] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1248] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1472] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1472] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1512] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\Iexplore.exe[572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\Program Files\Internet Explorer\Iexplore.exe[572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\Program Files\Internet Explorer\Iexplore.exe[572] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [01EC18FD] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

IAT C:\Program Files\Internet Explorer\Iexplore.exe[632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\Program Files\Internet Explorer\Iexplore.exe[632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1132] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1132] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1248] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\989D5BB0.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [572] 0x35670000

Library \\?\globalroot\systemroot\system32\UACmplepxourr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [572] 0x00B20000

Library \\?\globalroot\systemroot\system32\UACmplepxourr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [632] 0x00B20000

Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [632] 0x35670000

Library \\?\globalroot\systemroot\system32\UACmplepxourr.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [640] 0x00D00000

Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1132] 0x35670000

Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1132] 0x03900000

Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1248] 0x10000000

Library \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1248] 0x00720000

Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1248] 0x35670000

Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1420] 0x10000000

Library \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1420] 0x00720000

Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1420] 0x35670000

Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1472] 0x10000000

Library \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1472] 0x00720000

Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1472] 0x35670000

Library \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1512] 0x10000000

Library \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1512] 0x00720000

Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1512] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACmpkdlkdoyb.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACmpkdlkdoyb.sys

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACmpkdlkdoyb.sys

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UAClrwsklyavg.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpdaidaoytr.dat

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACgixjyibvog.db

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACmplepxourr.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACmpkdlkdoyb.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACmpkdlkdoyb.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UAClrwsklyavg.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UAChnvymqfqqg.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpdaidaoytr.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACgixjyibvog.db

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACwpbwskbvdk.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACmplepxourr.dll

---- Files - GMER 1.0.15 ----

File C:\40E3EBCA\Backup\C_\Documents and Settings\Jillian\Local Settings\Temp\UAC7c51.tmp 343040 bytes executable

File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.dll 74240 bytes executable

File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vir 74240 bytes executable

File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vll 74240 bytes executable

File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.dll 26624 bytes executable

File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vir 26624 bytes executable

File C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vll 26624 bytes executable

File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\All Users 0 bytes

File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\Default User 0 bytes

File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\Jillian 0 bytes

File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\LocalService 0 bytes

File C:\Documents and Settings\Jillian\Application Data\CopyTrans\Logs\NetworkService 0 bytes

File C:\Documents and Settings\Jillian\Local Settings\Temp\UAC22d4.tmp 83968 bytes executable

File C:\Program Files\Canon\CameraWindow\MyCamera\ABBYY FineReader 5.0 Sprint 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\ABBYY FineReader 6.0 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\Adobe 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\AdvancedDVDPlayer 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\AIM Music Link 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\AIM6 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\AIMTunes 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\Apple Software Update 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\Ares 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\ATI Technologies 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\Avira 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\Bonjour 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\Broadcom 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\Cheetah Burner 0 bytes

File C:\Program Files\Canon\CameraWindow\MyCamera\Common Files 0 bytes

File C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServices\Schemas\MailAccounts.syncschema\Contents\Resources\com.apple.Outlook.plist 408 bytes

File C:\Program Files\Common Files\Microsoft Shared\THEMES11\CASCADE\Info-Windows.plist 736 bytes

File C:\Program Files\Common Files\Microsoft Shared\THEMES11\CASCADE\Resources 0 bytes

---- EOF - GMER 1.0.15 ----


Hello DreaminBlue,

I highly suggest you stop downloading any other "tools" or "programs".

Tell me if Avira was "the" antivirus program that was on this system before this pc became infected.

Tell me if you have the XP CD for this system, in case we later need it.

Stay tuned for my later reply. But advise if you have another system which can be used for downloading purposes.

This system has a rootkit infection, which is blocking the run of MBAM and others.


Hello DreaminBlue.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not DreaminBlue and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

If you cannot download with this system, use another system to get these tools. Put and save tools to the DESKTOP.

If the tools will not run in normal mode of XP, logoff and Restart, and use "Safe Mode with Networking".

do this:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

Next, Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Keep going forward and do NOT re-check settings in Windows Explorer.

This next is an attempt to remove the rootkit.

Next, Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\UACmpkdlkdoyb.sys
    C:\Windows\system32\UACd.sys
    C:\Windows\UACd.sys
    C:\WINDOWS\system32\UACmplepxourr.dll
    C:\WINDOWS\system32\UAChnvymqfqqg.dll
    C:\WINDOWS\system32\UAChnvymqfqqg.dll
    C:\WINDOWS\system32\UACwpbwskbvdk.dll
    C:\Documents and Settings\Jillian\Local Settings\Temp\UAC22d4.tmp
    C:\40E3EBCA\Backup\C_\Documents and Settings\Jillian\Local Settings\Temp\UAC7c51.tmp
    C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.dll
    C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vir
    C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vll
    C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.dll
    C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vir
    C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vll

    Drivers to delete:
    UACd
    UACd.sys
    UACmpkdlkdoyb.sys
    UACmpkdlkdoyb

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UACd.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UACd.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UACd.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\UACd.sys


    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

Reply with copy of C:\Avenger.txt

There will be much much more to do later.

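Reading the GMER scan in the first post and turning it into the Avenger script above is manual work. As an added example (not code from GMER, The Avenger, or the helper in this thread), the following Python parses the GMER line formats posted above, flags the hooks a responder would look at first, and drafts the Files/Drivers/Registry sections the helper wrote by hand. SAMPLE_LOG is constructed from lines of the posted scan; SYSTEM_ROOT is assumed to be C:\WINDOWS, as the posted log shows.

```python
"""Triage a GMER log and draft an Avenger removal script (added example).

Written for this thread, not code from GMER or The Avenger: it parses the line
formats GMER printed above and drafts the three Avenger sections the helper
assembled by hand. SAMPLE_LOG is constructed from lines of the posted scan;
SYSTEM_ROOT is an assumption (the posted log shows C:\\WINDOWS).
"""
import re

SYSTEM_ROOT = r"C:\WINDOWS"
GLOBALROOT = r"\\?\globalroot"

# Constructed sample: a handful of lines from the GMER scan posted above.
SAMPLE_LOG = r"""
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82F38C9B
.text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\989D5BB0.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01329315 C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
Library \\?\globalroot\Device\__max++>\989D5BB0.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1132] 0x35670000
Library \\?\globalroot\systemroot\system32\UACmplepxourr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [572] 0x00B20000
Service C:\WINDOWS\system32\drivers\UACmpkdlkdoyb.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACmpkdlkdoyb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACmplepxourr.dll
"""

# Hook line: [proc[pid]] module!export [+ off] addr N Bytes JMP|CALL target [module (vendor)]
HOOK_RE = re.compile(
    r"^(?:\.text|PAGE)\s+(?:(?P<proc>.+?\[\d+\])\s+)?(?P<func>\S+!\w+)"
    r"(?:\s\+\s[0-9A-F]+)?\s+[0-9A-F]{8}\s+\d+ Bytes\s+(?P<kind>JMP|CALL)"
    r"\s+[0-9A-F]{8}(?:\s+(?P<module>\S.*))?$")
HIDDEN_RE = re.compile(
    r"^(?P<what>Library|Service)\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)(?P<rest>.*)$")
SERVICE_NAME_RE = re.compile(r"\[\w+\]\s+(?P<name>\S+)\s+<-- ROOTKIT")
REG_RE = re.compile(r"^Reg\s+(?P<key>HKLM\\[^@\s]+)(?:@(?P<value>\S+)\s+(?P<data>.*))?")
SERVICE_KEY_RE = re.compile(r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+")


def to_win_path(path):
    """Map GMER's object-manager spelling onto a drive-letter path, or None when
    there is no on-disk file (the __max++> device has no name Avenger could delete)."""
    p = path[len(GLOBALROOT):] if path.lower().startswith(GLOBALROOT) else path
    if p.lower().startswith(r"\systemroot"):
        return SYSTEM_ROOT + p[len(r"\systemroot"):]
    return p if re.match(r"^[A-Za-z]:\\", p) else None


def parse_gmer(text):
    """Split a GMER log into hooks, hidden objects and registry entries."""
    report = {"hooks": [], "hidden_libs": [], "hidden_services": [], "reg": []}
    for line in map(str.strip, text.splitlines()):
        if (m := HOOK_RE.match(line)):
            report["hooks"].append(m.groupdict())
        elif (m := HIDDEN_RE.match(line)):
            if m.group("what") == "Library":
                report["hidden_libs"].append(m.group("path"))
            else:
                n = SERVICE_NAME_RE.search(m.group("rest"))
                report["hidden_services"].append(
                    {"image": m.group("path"), "name": n.group("name") if n else None})
        elif (m := REG_RE.match(line)):
            report["reg"].append(m.groupdict())
    return report


def suspicious_hooks(report):
    """Hooks worth a second look: kernel export patches (no owning process),
    detours to unnamed memory, or into a module under a hidden object path.
    Detours into a vendor-attributed module (ieframe.dll above) are IE's own."""
    out = []
    for h in report["hooks"]:
        module = h["module"] or ""
        if h["proc"] is None:
            reason = "inline patch of kernel export"
        elif not module:
            reason = "detour to unattributed memory"
        elif module.lower().startswith(GLOBALROOT):
            reason = "detour into module loaded from hidden object path"
        else:
            continue
        out.append((h["proc"] or "kernel", h["func"], reason))
    return out


def draft_avenger_script(report):
    """Draft the Files/Drivers/Registry keys sections from what GMER hid. The
    service and its image are listed with and without extension, as the helper did."""
    files, drivers, keys = [to_win_path(p) for p in report["hidden_libs"]], [], []
    for svc in report["hidden_services"]:
        files.append(to_win_path(svc["image"]))
        for name in (svc["name"], svc["image"].rsplit("\\", 1)[-1]):
            if name:
                drivers += [name, name.rsplit(".", 1)[0]]
    for r in report["reg"]:
        if (m := SERVICE_KEY_RE.match(r["key"])):
            keys.append("HKEY_LOCAL_MACHINE" + m.group(0)[len("HKLM"):])
        if r["data"]:
            files.append(to_win_path(r["data"]))
    sections = (("Files to delete:", files), ("Drivers to delete:", drivers),
                ("Registry keys to delete:", keys))
    # dict.fromkeys() keeps order and drops duplicates (a DLL named by both a Library and a Reg line)
    return "\n\n".join(title + "\n" + "\n".join(dict.fromkeys(x for x in body if x))
                       for title, body in sections if any(body))
```

Running `print(draft_avenger_script(parse_gmer(SAMPLE_LOG)))` prints the three sections for the sample, and `suspicious_hooks()` leaves out the ieframe.dll detours while keeping the kernel patch, the WS2_32 send detour into unnamed memory, and the CALL into the hidden __max++> module.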

Hello DreaminBlue,

I highly suggest you stop downloading any other "tools" or "programs".

Tell me if Avira was "the" antivirus program that was on this system before this pc became infected.

Tell me if you have the XP CD for this system, in case we later need it.

Stay tuned for my later reply. But advise if you have another system which can be used for downloading purposes.

I do have the CD for my Windows XP :)

I had Symantec when this virus occurred and not Avira. I deleted it to download and run Avira. I tried to download McAfee and failed. I do have another computer to use for downloads. I am at work now but will follow up with your other post around 5:30 pm. :D


Ran in normal mode.

avenger.txt

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\drivers\UACmpkdlkdoyb.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\UACmpkdlkdoyb.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\Windows\system32\UACd.sys" not found!

Deletion of file "C:\Windows\system32\UACd.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\Windows\UACd.sys" not found!

Deletion of file "C:\Windows\UACd.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\UACmplepxourr.dll" not found!

Deletion of file "C:\WINDOWS\system32\UACmplepxourr.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\UAChnvymqfqqg.dll" not found!

Deletion of file "C:\WINDOWS\system32\UAChnvymqfqqg.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\UAChnvymqfqqg.dll" not found!

Deletion of file "C:\WINDOWS\system32\UAChnvymqfqqg.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\UACwpbwskbvdk.dll" not found!

Deletion of file "C:\WINDOWS\system32\UACwpbwskbvdk.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

File "C:\Documents and Settings\Jillian\Local Settings\Temp\UAC22d4.tmp" deleted successfully.

File "C:\40E3EBCA\Backup\C_\Documents and Settings\Jillian\Local Settings\Temp\UAC7c51.tmp" deleted successfully.

File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.dll" deleted successfully.

File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vir" deleted successfully.

File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAChnvymqfqqg.vll" deleted successfully.

File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.dll" deleted successfully.

File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vir" deleted successfully.

File "C:\40E3EBCA\Backup\C_\WINDOWS\system32\UAClrwsklyavg.vll" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!

Deletion of driver "UACd" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "UACd.sys" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACmpkdlkdoyb.sys" not found!

Deletion of driver "UACmpkdlkdoyb.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACmpkdlkdoyb" not found!

Deletion of driver "UACmpkdlkdoyb" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UACd.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UACd.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UACd.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UACd.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UACd.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UACd.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\UACd.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\UACd.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"

Deletion of folder "D:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "e:\recycler"

Deletion of folder "e:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "f:\recycler"

Deletion of folder "f:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "g:\recycler"

Deletion of folder "g:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "h:\recycler"

Deletion of folder "h:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.


Hello Dreaminblue.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not Dreaminblue and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

Next, using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of C:\Combofix.txt;
  • Eset scan log
  • the contents of OTL.txt
  • the contents of Extras.txt and
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

The contents of C:\Combofix.txt:

ComboFix 09-08-28.06 - Jillian 08/29/2009 15:46.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.261 [GMT -4:00]

Running from: c:\documents and settings\Jillian\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\gyduru.lib

c:\documents and settings\All Users\Application Data\jezy.exe

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm

c:\documents and settings\All Users\Application Data\qapopeva.bin

c:\documents and settings\All Users\Application Data\tatuqiti.scr

c:\documents and settings\All Users\Application Data\uvujiradah.dl

c:\documents and settings\All Users\Application Data\vure.pif

c:\documents and settings\All Users\Application Data\ykomydu.pif

c:\documents and settings\All Users\Application Data\ysegev.scr

c:\documents and settings\All Users\Documents\bijojuzufo.dll

c:\documents and settings\All Users\Documents\celyz._dl

c:\documents and settings\All Users\Documents\ewuryruty.dll

c:\documents and settings\All Users\Documents\osagoteca.reg

c:\documents and settings\All Users\Documents\vysazugini._dl

c:\documents and settings\All Users\Documents\ydoboven.dl

c:\documents and settings\Jillian\Application Data\enenavor.sys

c:\documents and settings\Jillian\Application Data\ihykemivo.lib

c:\documents and settings\Jillian\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk

c:\documents and settings\Jillian\Application Data\miwubet.inf

c:\documents and settings\Jillian\Application Data\ofuhofycix.ban

c:\documents and settings\Jillian\Application Data\oqope.scr

c:\documents and settings\Jillian\Application Data\panip.reg

c:\documents and settings\Jillian\Application Data\puce.dl

c:\documents and settings\Jillian\Application Data\ywony.exe

c:\documents and settings\Jillian\Application Data\zyfitom.lib

c:\documents and settings\Jillian\Local Settings\Application Data\bopepaq.reg

c:\documents and settings\Jillian\Local Settings\Application Data\cekaduse.bat

c:\documents and settings\Jillian\Local Settings\Application Data\davuqo._dl

c:\documents and settings\Jillian\Local Settings\Application Data\egojem.exe

c:\documents and settings\Jillian\Local Settings\Application Data\ejaqubivod.scr

c:\documents and settings\Jillian\Local Settings\Application Data\ekago.bat

c:\documents and settings\Jillian\Local Settings\Application Data\eviwoc._dl

c:\documents and settings\Jillian\Local Settings\Application Data\quzukawyc.exe

c:\documents and settings\Jillian\My Documents\ZbThumbnail.info

c:\program files\Common Files\oziryveqi.dl

c:\program files\Common Files\sycudi.vbs

c:\program files\Common Files\ucaxi.vbs

c:\program files\Common Files\upuqumota.com

c:\program files\Common Files\vybobe.bin

c:\program files\Common Files\vytacawy.scr

c:\program files\Common Files\vywupiso._dl

c:\program files\Common Files\ycyzynazu._dl

c:\windows\abowom.vbs

c:\windows\adol.pif

c:\windows\braviax.exe

c:\windows\desktop

c:\windows\desktop\readme.rtf

c:\windows\ekefazexeg.sys

c:\windows\gixenomar.reg

c:\windows\imezafe.exe

c:\windows\Installer\66a7a56.msi

c:\windows\koqy.scr

c:\windows\oqiwa.dll

c:\windows\qawysicoq.bat

c:\windows\run.log

c:\windows\system32\_scui.cpl

c:\windows\system32\~.exe

c:\windows\system32\ecubar.bat

c:\windows\system32\uacinit.dll

c:\windows\system32\wisdstr.exe

c:\windows\ufevoc.inf

c:\windows\uqaco.sys

c:\windows\uxyfeh.bin

c:\windows\wiaserviv.log

c:\windows\winkey.drv

c:\windows\Winset.drv

c:\windows\wukeza.sys

c:\windows\ybekuveviv.pif

c:\windows\yhofesafof.dl

c:\windows\yxivuquf.bat

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\logevent.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))

.

2009-08-29 19:02 . 2009-08-29 19:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-08-28 21:21 . 2009-08-28 21:22 -------- d-----w- c:\program files\ERUNT

2009-08-26 22:49 . 2009-08-26 22:49 -------- d-----w- c:\program files\Trend Micro

2009-08-25 21:31 . 2009-08-25 21:31 -------- d-sh--w- c:\documents and settings\Jillian\IECompatCache

2009-08-25 00:10 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-25 00:10 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-25 00:10 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-25 00:10 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-25 00:10 . 2009-08-25 00:10 -------- d-----w- c:\program files\Avira

2009-08-25 00:10 . 2009-08-25 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-22 21:57 . 2009-08-22 21:57 -------- d-----w- c:\documents and settings\Jillian\Application Data\Malwarebytes

2009-08-22 21:54 . 2009-08-22 21:54 26624 ----a-w- c:\windows\system32\UAClrwsklyavg.dll

2009-08-22 04:26 . 2009-08-29 19:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-21 04:25 . 2009-08-23 01:17 -------- d-----w- C:\40E3EBCA

2009-08-20 23:23 . 2009-07-08 17:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-08-20 22:56 . 2009-08-20 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-08-20 22:47 . 2009-08-20 22:47 12329 ----a-w- c:\windows\zagexiz.com

2009-08-20 00:37 . 2009-08-20 00:37 -------- d-sh--w- c:\documents and settings\Jillian\PrivacIE

2009-08-19 23:01 . 2009-08-19 23:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-19 23:01 . 2009-08-19 23:01 -------- d-sh--w- c:\documents and settings\Jillian\IETldCache

2009-08-19 22:44 . 2009-08-19 22:45 -------- dc-h--w- c:\windows\ie8

2009-08-19 21:52 . 2009-08-19 22:34 174 ----a-w- c:\windows\system32\UACpdaidaoytr.dat

2009-08-15 14:08 . 2009-08-15 14:08 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-15 14:08 . 2009-08-15 14:08 -------- d-----w- c:\program files\MSBuild

2009-08-15 14:08 . 2009-08-15 14:08 -------- d-----w- c:\program files\Reference Assemblies

2009-08-15 14:07 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-15 14:07 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-15 14:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-15 14:07 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-15 14:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-15 14:07 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-15 14:07 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-15 14:07 . 2009-08-15 14:07 -------- d-----w- C:\8befe50c44ca06c1022efcfe

2009-08-13 07:54 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-28 22:42 . 2007-11-08 14:20 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-28 03:10 . 2007-09-26 21:20 -------- d-----w- c:\documents and settings\Jillian\Application Data\OpenOffice.org2

2009-08-27 00:49 . 2009-08-27 00:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel

2009-08-20 23:13 . 2007-09-15 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-20 23:13 . 2007-09-15 17:32 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-20 23:05 . 2007-09-15 17:32 -------- d-----w- c:\program files\Symantec

2009-08-20 22:47 . 2009-08-20 22:47 10148 ----a-w- c:\program files\Common Files\hyjasyt.lib

2009-08-20 22:21 . 2009-08-20 22:21 18366 ----a-w- c:\documents and settings\All Users\Application Data\alijakyvas.dat

2009-08-20 00:43 . 2009-08-20 00:43 12375 ----a-w- c:\program files\Common Files\mujyryqij._sy

2009-08-20 00:43 . 2009-08-20 00:43 11307 ----a-w- c:\documents and settings\Jillian\Application Data\izavojapi.dat

2009-08-19 21:41 . 2009-08-19 21:40 784771 ----a-w- c:\windows\system32\xa.tmp

2009-08-19 21:41 . 2008-10-27 21:23 68584 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-08-18 03:15 . 2009-06-19 03:01 -------- d-----w- c:\program files\AIMTunes

2009-08-08 21:15 . 2007-09-25 22:03 -------- d-----w- c:\documents and settings\Jillian\Application Data\uTorrent

2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-26 15:07 . 2007-09-25 20:44 -------- d-----w- c:\program files\iTunes

2009-07-26 15:06 . 2009-07-26 15:06 -------- d-----w- c:\program files\iPod

2009-07-26 15:06 . 2007-09-25 20:42 -------- d-----w- c:\program files\Common Files\Apple

2009-07-26 14:58 . 2009-07-26 14:56 -------- d-----w- c:\program files\QuickTime

2009-07-26 14:46 . 2009-07-26 14:46 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

2009-07-23 22:02 . 2009-07-22 03:10 -------- d-----w- c:\program files\qatkko

2009-07-21 21:43 . 2007-09-13 15:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-17 20:52 . 2007-12-08 07:17 -------- d-----w- c:\documents and settings\Jillian\Application Data\Move Networks

2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 22:25 . 2009-07-16 22:25 127872 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\uninstall.exe

2009-07-16 22:25 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\plugins\npqmp071503000010.dll

2009-07-16 22:25 . 2009-07-16 22:25 1686272 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe

2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 16:16 . 2009-03-16 22:28 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 16:16 . 2008-07-15 15:55 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-08 17:44 . 2009-07-08 17:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-07-07 02:44 . 2009-07-28 02:55 937984 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-07-07 02:44 . 2009-07-28 02:55 103424 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-07-07 02:44 . 2009-07-28 02:55 65536 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-07-07 02:44 . 2009-07-28 02:55 4722688 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-07-07 02:44 . 2009-07-28 02:55 106496 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2009-07-07 02:44 . 2009-07-28 02:54 344064 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-06-30 23:19 . 2009-07-05 21:16 106496 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Plugins\npcoolirisplugin.dll

2009-06-30 23:19 . 2009-07-05 21:15 65536 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com-trash\components\coolirisstub.dll

2009-06-30 23:19 . 2009-07-05 21:15 4734976 ----a-w- c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com-trash\libs\cooliris19.dll

2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-19 02:56 . 2009-06-19 02:56 1144808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe

2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Jillian\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe

2009-06-12 12:31 . 2004-08-04 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2007-09-13 00:49 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-24 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2005-07-23 02:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6snjy2vtrre.sys]

@="\??\c:\windows\system32\drivers\6snjy2vtrre.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qy2vdwing2i.sys]

@="\??\c:\windows\system32\drivers\qy2vdwing2i.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrjill.sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Ares\\Ares.exe"=

"c:\\Program Files\\Last.fm\\LastFM.exe"=

"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/24/2009 8:10 PM 108289]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/30/2007 5:28 PM 24652]

S2 6snjy2vtrre.sys;6snjy2vtrre.sys;\??\c:\windows\system32\drivers\6snjy2vtrre.sys --> c:\windows\system32\drivers\6snjy2vtrre.sys [?]

S2 gmolnx;gmolnx;c:\windows\system32\drivers\okhjgof.sys --> c:\windows\system32\drivers\okhjgof.sys [?]

S2 qy2vdwing2i.sys;qy2vdwing2i.sys;c:\windows\system32\drivers\qy2vdwing2i.sys [8/4/2004 6:00 AM 79872]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-NordBull - c:\windows\msa.exe

HKCU-Run-EasyDVDMon - (no file)

HKCU-Run-Aim6 - (no file)

HKLM-Run-net - c:\windows\system32\net.net

HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe

Notify-NavLogon - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: aol.com\kdc.uas

Trusted Zone: windows.com\time

FF - ProfilePath - c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - component: c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\documents and settings\Jillian\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\Jillian\Application Data\Mozilla\Firefox\Profiles\vgk6a90r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

FF - plugin: c:\documents and settings\Jillian\Application Data\Mozilla\plugins\npcoolirisplugin.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-29 15:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2028)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\windows\system32\ati2evxx.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Dell AIO Printer A920\dlbkbmon.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-29 16:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-29 20:00

Pre-Run: 25,273,696,256 bytes free

Post-Run: 28,957,212,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

331 --- E O F --- 2009-08-27 02:19

Eset scan log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=8bf597026a6a7040ab7cc411f77f2310

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-08-29 09:10:45

# local_time=2009-08-29 05:10:45 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 37 100 98 3419525606304

# scanned=68918

# found=10

# cleaned=10

# scan_time=2096

C:\40E3EBCA\Backup\C_\Documents and Settings\Jillian\Local Settings\Temp\f.exe a variant of Win32/Kryptik.ADG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\40E3EBCA\Backup\C_\WINDOWS\msa.exe a variant of Win32/Kryptik.ADG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\40E3EBCA\Backup\C_\WINDOWS\system32\dllcache\beep.sys a variant of Win32/UltimateDefender.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\40E3EBCA\Backup\C_\WINDOWS\system32\drivers\beep.sys a variant of Win32/UltimateDefender.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\xa.tmp Win32/TrojanDownloader.Agent.OYU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

the contents of OTL.txt

OTL logfile created on: 8/29/2009 5:24:41 PM - Run 1

OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Jillian\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.23 Mb Total Physical Memory | 205.14 Mb Available Physical Memory | 40.13% Memory free

1.22 Gb Paging File | 0.97 Gb Available in Paging File | 79.27% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.53 Gb Total Space | 26.93 Gb Free Space | 36.14% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JILLIAN-TROUT

Current User Name: Jillian

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2003/07/29 15:11:00 | 00,323,584 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe

PRC - [2005/07/22 22:40:54 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

PRC - [2005/07/22 22:43:46 | 00,372,809 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

PRC - [2005/07/22 22:52:30 | 00,225,353 | ---- | M] (Intel


Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2731 or later. The latest program version is 1.40.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Added items

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

I am going to have you get a fresh copy of Combofix, save it first, and then run a special script.

There's still some stubborn malware laying about.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Delete the Combo-fix (red-lion icon) on your Desktop now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

CF_download_FF.gif

CF_download_rename.gif

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6snjy2vtrre.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qy2vdwing2i.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrjill.sys]

File::

C:\WINDOWS\ixiwyp._sy

C:\WINDOWS\System32\sowirepefo._sy

C:\WINDOWS\System32\zenyhat._sy

C:\WINDOWS\System32\zuxi._sy

C:\Program Files\Common Files\mujyryqij._sy

C:\WINDOWS\System32\UACgixjyibvog.db

C:\WINDOWS\System32\UACpdaidaoytr.dat

c:\windows\system32\xa.tmp

c:\windows\system32\drivers\6snjy2vtrre.sys

c:\windows\system32\drivers\qy2vdwing2i.sys

Folder::

c:\program files\PC_Antispyware2010

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.

2) Accept the agreement

3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )

4) For XP SP2-SP3, click the Install button when prompted

5) The necessary files will be downloaded and installed. Please have plenty of patience.

6) After Kaspersky AntiVirus Database is updated, look at the Scan box.

7) Click the My Computer line

8) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or SmitFraudFix items, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Reply with the latest C:\Combofix.txt

the latest MBAM scan log

the Kaspersky scan log

and tell me, how is your system now?

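The CFScript in the reply above has a simple line-oriented shape: a header ending in `::` opens a section (`KILLALL::`, `Registry::`, `File::`, `Folder::`), and every non-blank line until the next header is an entry of that section; in the `Registry::` section a leading minus inside the brackets marks the key for deletion. The security-relevant detail is the three `SafeBoot\Minimal` keys: drivers registered there are loaded even when Windows starts in Safe Mode, which is why booting to Safe Mode did not stop the rootkit and why the script removes those keys before the driver files. The following is an added example, written for this page and not code from the post, from ComboFix or from Malwarebytes: it parses that script into its sections and reports which listed paths still exist, so a responder can confirm after the run that the artifacts are really gone. The script text is reproduced from the post as a constructed inline sample; `path_exists` is a hypothetical injectable predicate so the check can be exercised offline (on the affected machine you would pass `os.path.exists`).

```python
"""Parse a ComboFix CFScript and verify that its File::/Folder:: targets are gone.

Added example for this thread; not part of ComboFix or of the original post.
"""
import os
from collections import defaultdict

# Constructed sample: the CFScript from the reply above, copied verbatim.
CFSCRIPT = r"""
KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6snjy2vtrre.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qy2vdwing2i.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrjill.sys]

File::
C:\WINDOWS\ixiwyp._sy
C:\WINDOWS\System32\sowirepefo._sy
C:\WINDOWS\System32\zenyhat._sy
C:\WINDOWS\System32\zuxi._sy
C:\Program Files\Common Files\mujyryqij._sy
C:\WINDOWS\System32\UACgixjyibvog.db
C:\WINDOWS\System32\UACpdaidaoytr.dat
c:\windows\system32\xa.tmp
c:\windows\system32\drivers\6snjy2vtrre.sys
c:\windows\system32\drivers\qy2vdwing2i.sys

Folder::
c:\program files\PC_Antispyware2010
"""

SAFEBOOT_MINIMAL = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" + "\\"
)


def parse_cfscript(text):
    """Return {section_name: [entries]} for a CFScript.

    A line ending in '::' opens a section; each following non-blank line
    belongs to it until the next header. 'KILLALL::' has no entries.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])  # record empty sections too
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return dict(sections)


def registry_deletions(entries):
    """Registry:: lines written as '[-KEY]' request deletion of KEY."""
    return [e[2:-1] for e in entries if e.startswith("[-") and e.endswith("]")]


def safeboot_drivers(keys):
    """Driver names the script de-registers from the Safe Mode load list."""
    prefix = SAFEBOOT_MINIMAL.lower()
    return [k[len(prefix):] for k in keys if k.lower().startswith(prefix)]


def leftovers(script, path_exists=os.path.exists):
    """File::/Folder:: targets that still exist according to path_exists.

    path_exists is injectable (hypothetical parameter) so the check can be
    run offline against a constructed view of the filesystem.
    """
    parsed = parse_cfscript(script)
    targets = parsed.get("File", []) + parsed.get("Folder", [])
    return [p for p in targets if path_exists(p)]


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    keys = registry_deletions(parsed.get("Registry", []))
    print("Safe Mode driver entries to be removed:", safeboot_drivers(keys))
    remaining = leftovers(CFSCRIPT)  # real filesystem on the affected machine
    print("Still present after cleanup:", remaining or "none")
```

Running it on the cleaned machine should print `none`; any path that still appears is a reason to re-run the script or look for a process re-creating the file. The registry side can be confirmed the same way by checking that the three keys no longer exist under `SafeBoot\Minimal`.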

  • 4 weeks later...

This thread is closed due to lack of response. The procedures used here were specific to this system and only for this system. Do not apply them to another; doing so will likely damage your system.

If you are a casual observer and having same issues, please follow forum procedures and create your own New topic.

I'm infected - What do I do now?

Procedures to help resolve issues preventing MBAM from running
