#1
Posted 01 June 2009 - 07:18 PM
Malwarebytes' is detecting a trojan agent (uacinit.dll). It says delete on reboot, but it's still there. I've run it online, offline and in safe mode, but it's still there. Please help. Note: I am not tech savvy.
#2
Posted 01 June 2009 - 09:10 PM
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#3
Posted 02 June 2009 - 01:53 AM
miekiemoes, on Jun 1 2009, 04:10 PM, said:
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#4
Posted 02 June 2009 - 06:54 AM
Hi,
You have quoted my post.
To reply to a message, click the button below.
#5
Posted 03 June 2009 - 02:01 AM
I'm sorry, I quoted your post by mistake. Thank you so much for all of your help.
I followed your instructions, installed and ran ComboFix.exe and the trojan was gone. I then ran my Malwarebytes' malware (it found and removed 6 items) and my antivirus (Norton) and everything seemed fine. I had a bit of trouble getting Internet Explorer to run: I got an hourglass when I tried to do anything, but after a couple of tries it was fine. Tonight, it took me over an hour to get Internet Explorer to run properly. Every time I tried to click on or type in anything I kept getting an hourglass. Maybe I did something wrong last night.
Well, here's the ComboFix log:
ComboFix 09-05-31.06 - HP_Administrator 06/01/2009 18:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1641 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\UACikmtqrnomxsmjdn.sys
c:\windows\system32\UACacxgvveoyemalwo.log
c:\windows\system32\UACfqsotgmcjgouvgv.dat
c:\windows\system32\UACikxeadllqjpysub.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACndopxdrfrengxjc.dll
c:\windows\system32\UACnjxsmlgtusvexau.dll
c:\windows\system32\UACssyrjlkwbyhhfrb.dll
c:\windows\system32\UACufipclkaikpbonp.log
c:\windows\system32\UACwrsyotkkraifppx.dll
c:\windows\system32\UACxvtaollrexpdypb.log
E:\Autorun.inf
E:\Desktop.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.
2009-05-30 01:14 . 2009-05-30 01:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-28 00:03 . 2009-05-28 00:03 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-19 23:45 . 2009-05-19 23:45 -------- d-----w- C:\NSS
2009-05-19 23:40 . 2009-05-19 23:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-05-08 18:52 . 2009-05-08 18:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-05-08 18:51 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-08 18:51 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 18:51 . 2009-05-28 00:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-08 18:51 . 2009-05-08 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-08 18:45 . 2009-05-08 18:45 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\TeamViewer
2009-05-08 18:45 . 2009-05-08 18:45 -------- d-----w- c:\documents and settings\HP_Administrator\temp
2009-05-03 03:44 . 2009-05-03 03:44 -------- d-----w- c:\program files\iPod
2009-05-03 03:44 . 2009-05-03 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-03 03:32 . 2009-05-03 03:32 -------- d-----w- c:\program files\Bonjour
2009-05-03 03:31 . 2009-05-03 03:32 -------- d-----w- c:\program files\QuickTime
2009-05-03 03:30 . 2009-05-03 03:30 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Apple
2009-05-03 03:30 . 2009-05-03 03:30 -------- d-----w- c:\program files\Apple Software Update
2009-05-03 03:30 . 2009-05-03 03:44 -------- d-----w- c:\program files\Common Files\Apple
2009-05-03 03:30 . 2009-05-03 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 22:32 . 2007-12-28 20:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\WTablet
2009-06-01 22:32 . 2006-11-01 23:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-28 00:20 . 2009-02-27 22:29 -------- d-----w- c:\program files\CommentsBar_-_MySpace_Comments
2009-05-03 03:47 . 2006-12-28 18:04 -------- d-----w- c:\program files\iTunes
2009-04-08 09:28 . 2008-08-31 14:21 -------- d-----w- c:\program files\Norton 360
2009-04-08 07:15 . 2006-11-01 22:52 -------- d-----w- c:\program files\HP
2009-04-08 07:14 . 2009-04-08 07:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\WinBatch
2009-04-02 20:29 . 2009-04-02 20:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-01 02:46 . 2008-02-24 02:07 9584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\NCO20.dll
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-14 07:50 . 2006-11-01 23:01 49152 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-10 04:00 284160 ----a-w- c:\windows\system32\pdh.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2475f4c-9372-46d3-a407-ff155aa1fb91}]
2009-05-28 00:20 2094616 ----a-w- c:\program files\CommentsBar_-_MySpace_Comments\tbCom1.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="c:\program files\Common Files\AOL\1167241268\ee\AOLSoftware.exe" [2006-09-26 50736]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-07-25 57344]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-11-1 36903]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0"
"UpdatesDisableNotify"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1167241268\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1167241268\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};c:\program files\HP\DVDPlay\000.fcl [11/1/2006 7:02 PM 6656]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [11/1/2006 6:49 PM 82048]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 9:10 PM 101936]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [11/1/2006 6:48 PM 468768]
S2 rgrdvvn;rgrdvvn;c:\windows\system32\drivers\bszfpc.sys --> c:\windows\system32\drivers\bszfpc.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-AOLAspSunset2 - c:\documents and settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
HKLM-Run-PCDrProfiler - (no file)
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
Trusted Zone: trymedia.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 18:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{22D78859-9CE9-4b77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\DVDPlay\000.fcl"
.
Completion time: 2009-06-01 18:45
ComboFix-quarantined-files.txt 2009-06-01 22:44
Pre-Run: 204,620,697,600 bytes free
Post-Run: 204,968,386,560 bytes free
167 --- E O F --- 2009-06-01 06:33
#6
Posted 03 June 2009 - 07:19 AM
Hi,
Go to start > run and copy and paste the following command in the field:
sc delete rgrdvvn
Hit enter.
Then go to start > run and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
For your IE running slow or starting slow, this could be an Add-on or your Norton 360 causing this.
To find out, disable the add-ons:
To run Internet Explorer 7 without Add-ons, right-click the IE7 icon present on your desktop and select: "Start without Add-ons"
In case that option is not present there, go to start > All Programs > Accessories > System Tools > Internet Explorer (No Add-ons)
This will start Internet Explorer 7 in the No Add-ons mode. This means that toolbars and Browser Helper Objects will be disabled.
So if your problem is solved when you use the No Add-ons mode, this means that one of your Add-ons is causing this.
To find out which one, open Internet Explorer, click the Tools button in the menu > Manage Add-ons > Enable or Disable Add-ons
This will open a new window with the Add-ons currently loaded into Internet Explorer (that option should be selected by default under "Show").
Now, it's a matter of trial and error which exact Add-on is causing this, so select the first Add-on there and, under Settings below, select the "Disable" radio button. Click OK below and close your Internet Explorer in order to accept the changes.
Then open your Internet Explorer again and look if you're still having the same problem; if so, disable the next Add-on there... and so on, until you figure out which Add-on exactly is causing your problem.
Let me know in your next reply how things are now.
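A triage script for the ComboFix output posted above, written as an added example (not ComboFix's code and not the helper's procedure): it parses the Drivers/Services lines, flags the entry whose driver file is missing (the rgrdvvn registration that the sc delete step removes), emits that command, and picks out the UAC-prefixed file names from the deletions list. The reading of the log format (the `[?]` marker meaning the binary was not found, R/S plus a start-type digit) is an interpretation of this log, not documented ComboFix behaviour.

```python
"""Triage helper for the ComboFix log in this thread.

Added example; not ComboFix code and not the helper's own procedure.
Assumptions read off the posted log, not from ComboFix documentation:
  * a Drivers/Services line is '<state> <name>;<display>;<path> [<date> <size>]',
    and '<path> --> <path> [?]' when ComboFix could not find the binary;
  * the state is R (running) or S (stopped) followed by the start-type digit.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\UACikmtqrnomxsmjdn.sys
c:\windows\system32\UACacxgvveoyemalwo.log
c:\windows\system32\UACikxeadllqjpysub.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\drivers\mbam.sys
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [11/1/2006 6:49 PM 82048]
S2 rgrdvvn;rgrdvvn;c:\windows\system32\drivers\bszfpc.sys --> c:\windows\system32\drivers\bszfpc.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+"            # run state and start type, e.g. S2
    r"(?P<name>[^;]+);(?P<display>[^;]*);"  # service name; display name
    r"(?P<path>.+?)"                        # registered binary path
    r"(?:\s+-->\s+(?P<resolved>.+?))?"      # printed only when the file is absent
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"          # '<date> <size>', or '?' if absent
)

# Randomised 'UAC' names from the Other Deletions section plus the loader that
# Malwarebytes reported. The log shows 15-letter suffixes; a range is allowed.
UAC_FILE_RE = re.compile(r"\\(?:uacinit\.dll|UAC[a-z]{10,}\.(?:sys|dll|dat|log))\s*$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    meta: str

    @property
    def binary_missing(self) -> bool:
        """True when ComboFix printed '[?]' instead of a date and size."""
        return self.meta.strip() == "?"

    @property
    def autostart(self) -> bool:
        """Start types 0-2 (boot, system, automatic) load without user action."""
        return self.state[1] in "012"


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Return every Drivers/Services entry found in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["state"], m["name"], m["display"],
                                        m["path"], m["meta"]))
    return entries


def orphaned_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Registrations whose binary is gone but whose service key survived,
    which is the rgrdvvn case in this thread."""
    return [e for e in entries if e.binary_missing]


def remediation_commands(entries: List[ServiceEntry]) -> List[str]:
    """The cleanup the helper gave for rgrdvvn: one 'sc delete' per orphan."""
    return [f"sc delete {e.name}" for e in orphaned_services(entries)]


def uac_family_files(log_text: str) -> List[str]:
    """Paths in the log whose file name fits the UAC-prefixed naming pattern."""
    return [ln.strip() for ln in log_text.splitlines() if UAC_FILE_RE.search(ln)]


def triage(log_text: str) -> Dict[str, object]:
    """Summarise what a responder reading this log would act on."""
    entries = parse_services(log_text)
    orphans = orphaned_services(entries)
    return {
        "services_parsed": len(entries),
        "orphans": [e.name for e in orphans],
        "autostart_orphans": [e.name for e in orphans if e.autostart],
        "commands": remediation_commands(entries),
        "uac_files": uac_family_files(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```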
#7
Posted 04 June 2009 - 11:45 PM
Hi,
I can't seem to delete ComboFix. I clicked START then run and a window appeared with open. I typed in the first command (sc delete rgrdvvn) and hit enter, then did the same with the second command. That just opened the ComboFix program. NOTE: I didn't copy and paste the commands, because I wasn't sure where to copy them from. I don't understand how to do this. Just now, I tried to copy and paste the commands from here but the run window kept closing. Please help; I'm completely hopeless with computers.
#8
Posted 05 June 2009 - 07:24 AM
Quote
then did the same with the second command. That just opened the ComboFix program.
You can also delete the Combofix icon from your desktop manually and the C:\Qoobox folder.
Let me know in your next reply how things are now.
#9
Posted 07 June 2009 - 09:29 PM
Hi,
Thank you again for all of your help.
I figured out that I can just right click the ComboFix icon on my desktop and I have a delete option. Does that uninstall it? Also, should I check for IE7 add-ons before I delete the ComboFix (just in case I find malware)? Finally, I have 2 hard drives and when I boot up, my screen briefly shows the info: non-raid disc, gig amount and 1 (for quantity) for each one. Since I ran the ComboFix, one of them is always showing 0 not 1 for quantity. Sometimes it's the first, sometimes the second. Do you know why that would happen and should I be concerned? That's never happened before. Thank you in advance.
#10
Posted 07 June 2009 - 10:27 PM
Hi again,
My brother just told me that selecting the delete option from the desktop icon won't uninstall the ComboFix program; it would only delete the icon. He said that once, when he had to install ComboFix, he just downloaded OTCleanIt (from mybleepingcomputer.com) and that uninstalled ComboFix and cleaned his computer. Should I just do that? Now I'm confused.
#11
Posted 08 June 2009 - 06:55 AM
Hi,
Quote
Do you know why that would happen and should I be concerned? That's never happened before.
That's because the Recovery Console is installed now as well. Please don't worry about this.
For Combofix, as I said, you can delete it manually, so delete the icon on your desktop and delete the C:\Qoobox folder.
OtCleanIt does exactly the same, so no need for another 3rd party tool to delete a program manually if you can right-click and select to delete as well.
#12
Posted 11 June 2009 - 12:18 AM
Hi,
OK, I just want to be certain that I do this correctly. First, I right-click the ComboFix icon (on my desktop) and choose delete. Then, I go to my C:\Qoobox folder and delete that. At that point, ComboFix is uninstalled? Is the Recovery Console uninstalled too? Also, when I checked the files in the Qoobox folder, it had one file which I'm not certain should be there (snapshot@2009-06_01_22_4); it's 1,299 KB. Of the other four files, one is 8 KB, the other 3 KB and the other two are empty. The snapshot file just seems large by comparison. I'm afraid I'll lose photos. How can I tell if it's supposed to be in that folder?
I did as you instructed and ran my IE7 without add-ons. It was fine. When I checked, I had 42 add-ons. I know I'm supposed to go through each one until I find the one/ones causing the problem. My question: when I disable each one, will it still be listed to enable afterward?
Thank you
#13
Posted 11 June 2009 - 05:39 AM
Hi,
Quote
First, I right-click the ComboFix icon (on my desktop) and choose delete. Then, I go to my C:\Qoobox folder and delete that. At that point, ComboFix is uninstalled? Is the Recovery Console uninstalled too?
Yes, right-click the icon and delete it, then right-click the Qoobox folder and delete it as well. The Recovery Console won't be uninstalled, because I recommend it stays, this in case of future problems.
Quote
it had one file which I'm not certain should be there (snapshot@2009-06_01_22_4); it's 1,299 KB. Of the other four files, one is 8 KB, the other 3 KB and the other two are empty. The snapshot file just seems large by comparison. I'm afraid I'll lose photos. How can I tell if it's supposed to be in that folder?
All those files should be there. There should be more in that Qoobox folder though, like a quarantine folder etc. Just browse that Qoobox folder and you'll see that there are no photos or whatever in there.
Quote
My question: when I disable each one, will it still be listed to enable afterward?
Yes, but they will be listed as disabled then.
I would start with the Norton ones first and disable them, because I think it's one of them being the culprit.
#14
Posted 20 June 2009 - 01:09 PM
Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.