uacinit.dll help



Uacinit.dll seems to refuse to be deleted even on reboot, and it brings in more and more problems after it. Please help me with the removal of it. Thanks in advance!

Malwarebytes' Anti-Malware 1.40

Database version: 2710

Windows 5.1.2600 Service Pack 3

8/28/2009 4:02:34 PM

mbam-log-2009-08-28 (16-02-34).txt

Scan type: Quick Scan

Objects scanned: 84371

Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:11:57 PM, on 8/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.206.201.8 osadwarekill.microsoft.com

O1 - Hosts: 91.206.201.8 osadwarekill.com

O1 - Hosts: 91.206.201.8 www.osadwarekill.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\lose.bat.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15108/CTPID.cab

O18 - Filter hijack: text/html - {0537b63c-7bb5-41d7-b495-955ede66f1c1} - (no file)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 5254 bytes

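The O1 lines are the security-relevant part of the HijackThis log above: three hostnames, one of them under microsoft.com, are pinned in the hosts file to a single public address, so the resolver never asks DNS and the user lands wherever that address serves. As an added example (not part of the thread and not code from HijackThis or Malwarebytes), the Python below pulls the O1 entries out of a HijackThis log and flags every name that is not mapped to loopback, grading vendor-domain names higher. The sample log text is constructed from the lines above; the trusted-parent-domain list is an assumption seeded from the one vendor name in this log.

```python
import ipaddress
import re

# Constructed sample: the O1 lines copied from the HijackThis log above,
# plus one O4 line to show that other sections are ignored.
SAMPLE_HJT_LOG = """O1 - Hosts: ::1 localhost
O1 - Hosts: 91.206.201.8 osadwarekill.microsoft.com
O1 - Hosts: 91.206.201.8 osadwarekill.com
O1 - Hosts: 91.206.201.8 www.osadwarekill.com
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# HijackThis prints each hosts-file line as "O1 - Hosts: <address> <name>".
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Domains whose subdomains a user would trust on sight. Assumption: the
# list is seeded from the only vendor name that appears in this log.
TRUSTED_PARENT_DOMAINS = ("microsoft.com",)


def parse_o1(log_text):
    """Return (address, hostname) pairs for every O1 line in the log."""
    pairs = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def is_loopback(address):
    """True for 127.0.0.0/8 and ::1; False for other addresses or non-IP text."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def suspicious_hosts_entries(log_text):
    """Hosts entries that send a name somewhere other than loopback.

    A stock Windows XP hosts file maps only localhost, to 127.0.0.1 (and to
    ::1 once IPv6 is installed). Every other line was written by software.
    Ad-blocking lists map names to loopback, which is harmless; a mapping to
    a public address redirects the user, and when the name sits under a
    vendor domain such as microsoft.com it impersonates that vendor.
    """
    findings = []
    for address, host in parse_o1(log_text):
        if is_loopback(address):
            continue  # localhost itself, or a blocklist-style entry
        severity = "medium"
        reason = "hostname redirected to a non-loopback address"
        if any(host == d or host.endswith("." + d) for d in TRUSTED_PARENT_DOMAINS):
            severity = "high"
            reason = "vendor-domain name redirected to a non-loopback address"
        findings.append({"address": address, "host": host,
                         "severity": severity, "reason": reason})
    return findings


def redirect_targets(findings):
    """Group flagged names by the address they point to: several unrelated
    names landing on one public IP is the usual shape of a hosts hijack."""
    by_address = {}
    for f in findings:
        by_address.setdefault(f["address"], []).append(f["host"])
    return {a: sorted(h) for a, h in by_address.items()}


if __name__ == "__main__":
    found = suspicious_hosts_entries(SAMPLE_HJT_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['host']} -> {f['address']}: {f['reason']}")
    for address, hosts in redirect_targets(found).items():
        print(f"{address} is the target of {len(hosts)} names: {', '.join(hosts)}")
```

Run against the sample it reports the three redirects, marks the microsoft.com one high, and shows all three converging on 91.206.201.8. Feeding it a full HijackThis log works the same way, since only O1 lines are read; loopback mappings are skipped rather than reported, so an ad-block hosts file produces no noise.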

Please note that all instructions given are customised for this computer only,

the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please note: your security programs may give warnings for some of the tools I will ask you to use.

Be assured, any links I give are safe

----------------------------------------------------------------------------------------

Download and Run ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Here is the log from ComboFix.

ComboFix 09-09-03.02 - High Ordinator 09/03/2009 12:39.1.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2978 [GMT -7:00]

Running from: c:\documents and settings\High Ordinator\Desktop\AV\yoyo.bat.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Shared

c:\program files\Shared\lib.sig

c:\windows\system32\Data

c:\windows\system32\drivers\UACiqxjcfqpxu.sys

c:\windows\system32\UACdpmqxxtarg.dll

c:\windows\system32\UACgrcrltoblu.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACmycixgkgwy.dll

c:\windows\system32\UACnridibqhky.db

c:\windows\system32\UACwvjnvrewem.dll

c:\windows\system32\UACxsaftlwowx.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))

.

2009-08-23 17:57 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-23 17:57 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-23 17:57 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-23 17:57 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-23 17:57 . 2009-08-23 17:57 -------- d-----w- c:\program files\Avira

2009-08-23 17:57 . 2009-08-23 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-23 17:53 . 2009-08-23 17:53 -------- d-----w- c:\program files\Trend Micro

2009-08-22 21:40 . 2009-08-22 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-08-13 18:12 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-12 23:44 . 2009-08-12 23:44 -------- d-----w- c:\documents and settings\High Ordinator\Local Settings\Application Data\Mozilla

2009-08-09 17:26 . 2009-08-09 17:26 -------- d-----w- c:\windows\Sun

2009-08-08 05:13 . 2009-08-08 05:13 0 ----a-w- c:\windows\nsreg.dat

2009-08-08 05:13 . 2009-08-08 05:13 -------- d-----w- c:\documents and settings\High Ordinator\Local Settings\Application Data\Flock

2009-08-08 05:13 . 2009-08-08 05:13 -------- d-----w- c:\documents and settings\High Ordinator\Application Data\Flock

2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-28 23:49 . 2009-07-27 06:41 -------- d-----w- c:\program files\Creative

2009-08-22 21:56 . 2009-07-27 18:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-05 09:01 . 2007-07-27 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 02:01 . 2009-08-04 02:01 -------- d-----w- c:\program files\MSBuild

2009-08-04 02:01 . 2009-08-04 02:01 -------- d-----w- c:\program files\Reference Assemblies

2009-08-04 01:54 . 2009-08-04 01:54 -------- d-----w- c:\program files\JRE

2009-08-04 01:54 . 2009-08-04 01:54 -------- d-----w- c:\program files\OpenOffice.org 3

2009-08-04 01:54 . 2009-08-04 01:54 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-08-04 01:54 . 2009-08-04 01:54 -------- d-----w- c:\program files\Java

2009-08-03 20:36 . 2009-07-27 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 20:36 . 2009-07-27 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-30 05:04 . 2009-07-30 05:04 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-07-30 05:00 . 2009-07-27 17:57 -------- d-----w- c:\documents and settings\High Ordinator\Application Data\vlc

2009-07-30 03:41 . 2009-07-30 03:41 -------- d-----w- c:\program files\WMV9_VCM

2009-07-27 17:56 . 2009-07-27 17:56 -------- d-----w- c:\program files\vlc-1.0.0

2009-07-27 17:54 . 2009-07-27 17:54 -------- d-----w- c:\program files\AbiSuite2

2009-07-27 17:24 . 2009-07-27 06:42 -------- d--h--w- c:\program files\Creative Installation Information

2009-07-27 08:30 . 2009-07-27 08:30 -------- d-----w- c:\program files\Windows Media Connect 2

2009-07-27 08:25 . 2009-07-27 08:25 -------- d-----w- c:\documents and settings\High Ordinator\Application Data\Malwarebytes

2009-07-27 08:25 . 2009-07-27 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-27 07:44 . 2009-07-27 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles

2009-07-27 07:20 . 2009-07-27 06:12 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-27 07:16 . 2009-07-27 07:16 -------- d-----w- c:\program files\AGEIA Technologies

2009-07-27 07:16 . 2009-07-27 07:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-27 07:16 . 2009-07-27 07:16 -------- d-----w- c:\program files\NVIDIA Corporation

2009-07-27 07:16 . 2009-07-27 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2009-07-27 07:13 . 2009-07-27 07:13 -------- d-----w- c:\program files\SystemRequirementsLab

2009-07-27 07:09 . 2009-07-27 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2009-07-27 07:01 . 2009-07-27 06:07 12328 ----a-w- c:\documents and settings\High Ordinator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-27 06:59 . 2009-07-27 06:59 -------- d-----w- c:\documents and settings\High Ordinator\Application Data\Creative

2009-07-27 06:57 . 2009-07-27 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative

2009-07-27 06:46 . 2009-07-27 06:46 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-27 06:29 . 2009-07-27 06:29 -------- d-----w- c:\program files\ASUS

2009-07-27 06:29 . 2009-07-27 06:08 -------- d-----w- c:\program files\Common Files\InstallShield

2009-07-27 06:27 . 2009-07-27 06:27 -------- d-----w- c:\program files\Attansic

2009-07-27 06:24 . 2009-07-27 06:24 -------- d-----w- c:\program files\Realtek

2009-07-27 06:24 . 2009-07-27 06:24 315392 ----a-w- c:\windows\HideWin.exe

2009-07-27 06:15 . 2009-07-27 06:15 -------- d-----w- c:\program files\Intel

2009-07-27 06:14 . 2009-07-27 06:14 -------- d-----w- c:\documents and settings\High Ordinator\Application Data\Logitech

2009-07-27 06:13 . 2009-07-27 06:13 -------- d-----w- c:\program files\Common Files\LogiShrd

2009-07-27 06:13 . 2009-07-27 06:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2009-07-27 06:13 . 2009-07-27 06:13 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-07-27 06:13 . 2009-07-27 06:12 -------- d-----w- c:\program files\Common Files\Logitech

2009-07-27 06:12 . 2009-07-27 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech

2009-07-27 06:12 . 2009-07-27 06:12 -------- d-----w- c:\program files\Logitech

2009-07-27 02:05 . 2009-07-27 02:05 -------- d-----w- c:\program files\microsoft frontpage

2009-07-27 02:02 . 2009-07-27 02:02 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-07-17 19:01 . 2007-07-27 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 20:35 . 2009-07-14 20:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe

2009-07-14 20:35 . 2009-07-14 20:35 81920 ----a-w- c:\windows\system32\nvwddi.dll

2009-07-14 20:35 . 2009-07-14 20:35 4026368 ----a-w- c:\windows\system32\nvvitvs.dll

2009-07-14 20:35 . 2009-07-14 20:35 3170304 ----a-w- c:\windows\system32\nvwss.dll

2009-07-14 20:34 . 2009-07-14 20:34 86016 ----a-w- c:\windows\system32\nvmctray.dll

2009-07-14 20:34 . 2009-07-14 20:34 4923392 ----a-w- c:\windows\system32\nvdisps.dll

2009-07-14 20:34 . 2009-07-14 20:34 3547136 ----a-w- c:\windows\system32\nvgames.dll

2009-07-14 20:34 . 2009-07-14 20:34 188416 ----a-w- c:\windows\system32\nvmccss.dll

2009-07-14 20:34 . 2009-07-14 20:34 168004 ----a-w- c:\windows\system32\nvsvc32.exe

2009-07-14 20:34 . 2009-07-14 20:34 143360 ----a-w- c:\windows\system32\nvcolor.exe

2009-07-14 20:34 . 2009-07-14 20:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll

2009-07-14 20:34 . 2009-07-14 20:34 1286144 ----a-w- c:\windows\system32\nvmobls.dll

2009-07-14 20:34 . 2009-07-14 20:34 229376 ----a-w- c:\windows\system32\nvmccs.dll

2009-07-14 18:54 . 2009-07-27 07:16 2189856 ----a-w- c:\windows\system32\nvcuvid.dll

2009-07-14 18:54 . 2009-07-27 07:16 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll

2009-07-14 18:54 . 2009-07-27 07:16 2002944 ----a-w- c:\windows\system32\nvcuda.dll

2009-07-14 18:54 . 2009-07-27 07:16 1597690 ----a-w- c:\windows\system32\nvdata.bin

2009-07-14 18:54 . 2009-07-27 06:10 485920 ----a-w- c:\windows\system32\nvudisp.exe

2009-07-14 18:54 . 2007-08-13 21:14 10457088 ----a-w- c:\windows\system32\nvoglnt.dll

2009-07-14 18:54 . 2007-08-13 21:14 868352 ----a-w- c:\windows\system32\nvapi.dll

2009-07-14 18:54 . 2007-08-13 21:14 7741664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-07-14 18:54 . 2007-08-13 21:14 151552 ----a-w- c:\windows\system32\nvcodins.dll

2009-07-14 18:54 . 2007-08-13 21:14 151552 ----a-w- c:\windows\system32\nvcod.dll

2009-07-14 18:54 . 2007-08-13 21:14 5842816 ----a-w- c:\windows\system32\nv4_disp.dll

2009-07-14 06:43 . 2007-07-27 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-10 14:01 . 2009-07-27 06:09 485920 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-06-29 16:12 . 2007-07-27 12:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2007-07-27 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2007-07-27 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2007-07-27 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2007-07-27 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2007-07-27 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2007-07-27 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 16:19 . 2009-07-27 02:01 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2007-07-27 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2009-07-27 08:14 132096 ----a-w- c:\windows\system32\wkssvc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]

"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]

"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-04-09 1423360]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-04 148888]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-23 101136]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-7-26 688128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/23/2009 10:57 AM 108289]

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [7/26/2009 11:27 PM 38656]

S2 gdbsgzk;gdbsgzk;c:\windows\system32\drivers\fxhrrigh.sys --> c:\windows\system32\drivers\fxhrrigh.sys [?]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-03 12:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2964)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-03 12:44 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-03 19:44

Pre-Run: 83,131,293,696 bytes free

Post-Run: 83,437,473,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

213 --- E O F --- 2009-08-13 19:09

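Two things stand out in the ComboFix log above. Under "Other Deletions", apart from uacinit.dll itself, every removed file in system32 and system32\drivers is named "UAC" followed by ten lowercase letters and a dll, sys, dat or db extension, which is how this rootkit family hides its components among hundreds of legitimate files; the matching service entries Service_UACd.sys and Legacy_UACd.sys were removed too. Under the services list, one entry (gdbsgzk) is printed with "--> path [?]" and without the date and size ComboFix prints for binaries it could verify. As an added example (not part of the thread and not ComboFix code), the Python below applies that observed naming shape to a list of paths and picks out service lines that lack file details. The sample paths and service lines are copied from the log above; the regex, the "Windows XP has no UAC, so nothing legitimate in system32 starts with uac" second-tier check, and the reading of "[?]" as "file not verified" are assumptions.

```python
import re

# Constructed sample: paths copied from the "Other Deletions" section of
# the ComboFix log above, with two legitimate files from the same log mixed
# in so the filter has something to leave alone.
SAMPLE_PATHS = [
    r"c:\program files\Shared\lib.sig",
    r"c:\windows\system32\drivers\UACiqxjcfqpxu.sys",
    r"c:\windows\system32\UACdpmqxxtarg.dll",
    r"c:\windows\system32\UACgrcrltoblu.dll",
    r"c:\windows\system32\uacinit.dll",
    r"c:\windows\system32\UACnridibqhky.db",
    r"c:\windows\system32\UACxsaftlwowx.dat",
    r"c:\windows\system32\drivers\avgntflt.sys",
    r"c:\windows\system32\nvcpl.dll",
]

# Constructed sample: three service lines copied from the same log.
SAMPLE_SERVICES = r"""R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/23/2009 10:57 AM 108289]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [7/26/2009 11:27 PM 38656]
S2 gdbsgzk;gdbsgzk;c:\windows\system32\drivers\fxhrrigh.sys --> c:\windows\system32\drivers\fxhrrigh.sys [?]
"""

# Every random-named file ComboFix removed here is "UAC" + ten lowercase
# letters + a dll/sys/dat/db extension. The regex encodes exactly that
# observed shape; that other variants keep to it is an assumption.
UAC_RANDOM_RE = re.compile(r"^UAC[a-z]{10}\.(dll|sys|dat|db)$")

# Assumption used as a weaker second tier: Windows XP predates User Account
# Control, so a uac-prefixed file in system32 on XP has no legitimate owner.
UAC_PREFIX_RE = re.compile(r"^uac", re.IGNORECASE)

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system32\drivers")

# ComboFix service line: "<state> <name>;<display name>;<binary and details>".
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def classify_file(path):
    """Reason string if the file name fits the rootkit's naming, else None.
    Only files directly inside system32 or system32\\drivers are considered."""
    directory, _, name = path.rpartition("\\")
    if directory.lower() not in SYSTEM_DIRS:
        return None
    if UAC_RANDOM_RE.match(name):
        return "UAC + 10 random lowercase letters (shape seen in this log)"
    if UAC_PREFIX_RE.match(name):
        return "uac-prefixed file in system32 on Windows XP, which has no UAC"
    return None


def flag_uac_files(paths):
    """Return (path, reason) for every path that classify_file flags."""
    flagged = []
    for path in paths:
        reason = classify_file(path)
        if reason:
            flagged.append((path, reason))
    return flagged


def flag_unverified_services(service_text):
    """Service/driver entries whose binary ComboFix printed without details.

    Verified binaries carry "[date size]"; a trailing "--> path [?]" means no
    such details were printed. A service configured to start but pointing at
    a file that cannot be verified deserves a look on a machine that has just
    shed a rootkit, although it can also be debris from an uninstalled driver.
    """
    found = []
    for line in service_text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _state, name, _display, rest = m.groups()
        if rest.rstrip().endswith("[?]"):
            path = rest.split("-->")[-1].replace("[?]", "").strip()
            found.append((name, path))
    return found


if __name__ == "__main__":
    for path, reason in flag_uac_files(SAMPLE_PATHS):
        print(f"{path}: {reason}")
    for name, path in flag_unverified_services(SAMPLE_SERVICES):
        print(f"service {name} points at unverified file {path}")
```

On the sample, the six UAC-named files are flagged (uacinit.dll via the weaker prefix rule, the other five via the ten-letter shape), the Avira, NVIDIA and lib.sig paths are left alone, and gdbsgzk is the only service reported. A real run would take the file list from a directory listing of system32 rather than from a log that has already cleaned them up; the point of the regex is to catch the siblings a first pass missed.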

----------------------------------------------------------------------------------------

Step 1

Fix With HJT

Close all other windows and then start HiJack This

Click Do A System Scan Only

When it has finished scanning put a check next to the following lines IF still present

O1 - Hosts: 91.206.201.8 osadwarekill.microsoft.com

O1 - Hosts: 91.206.201.8 osadwarekill.com

O1 - Hosts: 91.206.201.8 www.osadwarekill.com

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O18 - Filter hijack: text/html - {0537b63c-7bb5-41d7-b495-955ede66f1c1} - (no file)

- Close ALL open windows (especially Internet Explorer!)-

Now click Fix checked

Click yes to any prompts

Close HijackThis

----------------------------------------------------------------------------------------

Step 2

Malwarebytes' Anti-Malware

I notice that you have MBAM installed, please do the following

  • Start Malwarebytes' Anti-Malware
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------------------

Logs/Information to Post in Reply

Please post the following logs/Information in your reply

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

  • A fresh HJT log
  • Malwarebytes log
  • C:\Qoobox\Add-Remove Programs.txt
  • How are things running now ?
