29 replies to this topic

[lilhokie]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:51 AM, on 8/15/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\tsnp2std.exe
C:\Windows\vsnp2std.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\MP4 Player\Mp4Player.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PIXELA\ImageMixer3\HDDCameraMonitor.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [tsnp2std] C:\Windows\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\Windows\vsnp2std.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmw
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ImageMixer HDD Camera Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://kingsisle.hs.llnwd.net/e1/static/th...ameLauncher.CAB
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Update Service (gupdate1c9aa7d3acff170) (gupdate1c9aa7d3acff170) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 11821 bytes



Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1

8/15/2009 8:32:28 AM
mbam-log-2009-08-15 (08-32-28).txt

Scan type: Quick Scan
Objects scanned: 93152
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

[lilhokie]

Since posting this, I rebooted my machine. Now it is telling me that I don't have Genuine Microsoft Software and it will only open a browser to let me see what to do. Did the HijackThis program cause this problem?

[Maurice Naggar]

Hello lil,

I seriously doubt that HJT would be the origin of the message regarding Genuine Microsoft Software. I highly suspect it is something else altogether.
Please advise if your pc has a Certificate of authenticty sticker on it's case.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Show all files:

• Click the Start button, and then click Computer.
  
• On the Organize menu, click Folder and Search Options.
  
• Click the View tab.
  
• Locate and uncheck Hide file extensions for known file types.
  
• Locate and uncheck Hide protected operating system files (Recommended).
  
• Locate and click Show hidden files and folders.
  
• Click Apply > OK.

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=


Go here and download RootRepeal to your Desktop. Doubleclick to extract the compressed file to it's own folder and then rightclick on RootRepeal.exe and choose "Run as Administrator" Click on the Report tab and then click on Scan. A Windows will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.

[lilhokie]

Root Repeal received an error:

17:10:49: Unrecognized partition type 6 (0x6)!
17:10:49: Could not read system registry! Please contact the author!

This is the log file it created up to the point of the error:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/15 17:10
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\Windows\System32\Drivers\dump_diskdump.sys
Address: 0x8CB70000 Size: 40960 File Visible: No Signed: -
Status: -

Name: dump_nvstor32.sys
Image Path: C:\Windows\System32\Drivers\dump_nvstor32.sys
Address: 0x8CB7A000 Size: 147456 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9CDC0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETeofmlnks.sys
Image Path: C:\Windows\system32\drivers\SKYNETeofmlnks.sys
Address: 0x8C417000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1332 Status: Locked to the Windows API!

==EOF==

[Maurice Naggar]

Since this is on Vista, in most all the tools I will have you use, you will need to First, do a RIGHT-Click on the program shortcut, link, or the executable .... and then select RUN As Administrator
Please always remember that !!

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

If you are a casual viewer, do NOT try this on your system!
If you are not lilhokie and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Start with this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

Next, download The Avenger by Swandog46 from here.

• Unzip/extract it to a folder on your desktop.
  
• Right-click on avenger.exe and select Run As Administrator to run The Avenger.
  
• Click OK.
  
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  

  Files to delete:
  C:\Windows\system32\drivers\SKYNETeofmlnks.sys
  
  Drivers to delete:
  SKYNETeofmlnks.sys
  SKYNETeofmlnks

• In the avenger window, click the Paste Script from Clipboard icon, button.
  
• :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  
• Click the Execute button.
  
• You will be asked Are you sure you want to execute the current script?.
  
• Click Yes.
  
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  
• Click Yes.
  
• Your PC will now be rebooted.
  
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.

=
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3







* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator

At the command-prompt window, type in the following to begin Combofix

Quote

Combo-Fix.exe

and press Enter key

• A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once without asking me first.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.
Note:
Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.
=
RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Avenger.txt
& C:\Combofix.txt

[lilhokie]

Here's the text of avenger.txt. I'm continuing onto the next step of your instructions....

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not delete file "C:\Windows\system32\drivers\SKYNETeofmlnks.sys"
Deletion of file "C:\Windows\system32\drivers\SKYNETeofmlnks.sys" failed!
Status: 0xc0000156


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\SKYNETeofmlnks.sys" not found!
Deletion of driver "SKYNETeofmlnks.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\SKYNETeofmlnks" not found!
Deletion of driver "SKYNETeofmlnks" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

[lilhokie]

Combo Fix ran for awhile and rebooted the machine a few times....
Before the 1st time, It asked me to jot down some files:
c:\windows\system32\drivers\UACrmsdaeinwl.sys
c:\windows\system32\UACvvbockrnyv.dll
c:\windows\system32\UACcjwxpwtskv.dll
c:\windows\system32\UACuveeagtjfc.dll
c:\windows\system32\UACsunwombpbj.db
c:\windows\system32\UACppqcaqaknv.dll
c:\windows\system32\UACiqbqdeoxtq.dll


After the 3rd time it rebooted, I got the message that an unauthorized change was made to windows. WHen I click on the "Learn More" button, it takes me to this link:
http://www.microsoft.com/genuine/downloads....1033&RFM=2


When this happened earlier, I removed Hijack this and the problem went away. My computer came with Windows Vista on it, it has the a Certificate of authenticity sticker on it's case. It's an Acer Aspire with and AMD Athelon processor.

[lilhokie]

When I close the browser that is opened after the Unauthorized change message, then click close, it takes me back to the login screen. It will not actually boot windows, it only allows me to get to a browser to view their knowledge base about the problem. I can then open another tab to reply here. Using the browser, I was able to find out that the file "c:\combofix.txt" does not exist, so it did not complete it's execution.

I'll wait to hear back from you before doing anything else.

[Maurice Naggar]

Do a new run of The Avenger

If you must, restart (reboot) your system fresh beforehand.

• Right-click on avenger.exe and select Run As Administrator to run The Avenger.
  
• Click OK.
  
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  

  Files to delete:
  c:\windows\system32\drivers\UACrmsdaeinwl.sys
  c:\windows\system32\UACvvbockrnyv.dll
  c:\windows\system32\UACcjwxpwtskv.dll
  c:\windows\system32\UACuveeagtjfc.dll
  c:\windows\system32\UACsunwombpbj.db
  c:\windows\system32\UACppqcaqaknv.dll
  c:\windows\system32\UACiqbqdeoxtq.dll
  
  Drivers to delete:
  UACrmsdaeinwl.sys
  UACrmsdaeinwl
  UACr
  UACrserv
  UACd.sys
  UACd

• In the avenger window, click the Paste Script from Clipboard icon, button.
  
• Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  
• Click the Execute button.
  
• You will be asked Are you sure you want to execute the current script?.
  
• Click Yes.
  
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  
• Click Yes.
  
• Your PC will now be rebooted.
  
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

• Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  
• In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  
• Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  
• It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  
• Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  
• Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

• Run Security Check
  
• Follow the onscreen instructions inside of the command window.
  
• A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

• the contents of C:\Avenger.txt;
  
• the contents of OTL.txt;
  
• the contents of Extras.txt ; and
  
• the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

[lilhokie]

Can I run Avenger in Safe mode? I think that will be the only way to boot the machine

[lilhokie]

FYI - I turned the computer off (instead of just doing a reboot) and then restarted. This time, windows opened fine and the combofix that I started last night is continuing to run. I will post the log (if it completes) and wait to hear from you before I run Avenger again.

[lilhokie]

Combo Fix Log:
ComboFix 09-08-10.06 - momanddad 08/16/2009 1:59.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1791.1059 [GMT -4:00]
Running from: C:\Combo-Fix.exe
Command switches used :: Combo-Fix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\desktop
c:\windows\desktop\Hooked on Phonics Learn to Read.lnk
c:\windows\Installer\2d2abdd.msi
c:\windows\run.log
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\UACrmsdaeinwl.sys
c:\windows\system32\UACcjwxpwtskv.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiqbqdeoxtq.dll
c:\windows\system32\UACppqcaqaknv.dll
c:\windows\system32\UACsunwombpbj.db
c:\windows\system32\UACuveeagtjfc.dat
c:\windows\system32\UACvvbockrnyv.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.

2009-08-16 06:09 . 2009-08-16 06:09 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-08-16 06:09 . 2009-08-16 06:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-16 05:44 . 2009-08-16 05:44 3124187 ----a-r- C:\Combo-Fix.exe
2009-08-16 05:33 . 2009-08-16 05:33 -------- d-----w- c:\program files\ERUNT
2009-08-15 20:38 . 2009-08-15 20:38 -------- d-----w- C:\RootRepeal
2009-08-15 20:34 . 2009-08-15 20:26 50688 ----a-w- C:\ATF-Cleaner.exe
2009-08-15 20:31 . 2009-08-15 20:31 -------- d-----w- c:\users\Guest\AppData\Local\AOL OCP
2009-08-15 12:35 . 2009-08-15 12:35 -------- d-----w- c:\program files\Trend Micro
2009-08-14 23:21 . 2009-08-14 23:21 -------- d-----w- c:\users\momanddad\AppData\Roaming\Malwarebytes
2009-08-14 22:51 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 22:50 . 2009-08-14 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 22:50 . 2009-08-14 22:50 -------- d-----w- c:\progra~2\Malwarebytes
2009-08-14 22:50 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-14 21:36 . 2009-08-14 21:36 -------- d-----w- C:\Windows Antivirus Pro
2009-08-12 21:33 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 21:32 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 21:32 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 21:32 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 21:32 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 21:32 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 21:32 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 21:32 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-11 21:21 . 2009-08-11 21:21 -------- d-----w- c:\progra~2\Trymedia
2009-08-11 21:20 . 2009-08-11 21:20 -------- d-----w- c:\program files\Zylom Games
2009-08-11 21:20 . 2009-08-11 21:20 -------- d-----w- c:\progra~2\Zylom
2009-08-11 21:19 . 2009-08-11 21:19 -------- d-----w- c:\program files\RealArcade
2009-08-11 17:18 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-08-11 17:18 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-11 17:18 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-08-11 17:18 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-08-11 17:18 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-08-11 17:18 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-08-11 17:18 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-08-11 17:09 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-08-11 17:09 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-08-11 17:09 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-08-11 17:09 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-08-11 17:09 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-07-28 01:14 . 2009-07-28 01:19 -------- d-----w- c:\users\momanddad\AppData\Roaming\VideoReDoPlus
2009-07-28 01:14 . 2009-07-28 01:14 -------- d-----w- c:\program files\VideoReDoPlus
2009-07-28 00:55 . 2009-07-28 00:55 -------- d-----w- c:\program files\Womble Multimedia
2009-07-28 00:39 . 2009-07-28 00:39 1915520 ----a-w- c:\users\momanddad\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-19 13:56 . 2009-07-19 13:56 -------- d-----w- c:\progra~2\KingsIsle Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 22:35 . 2008-07-08 23:28 -------- d-----w- c:\progra~2\Google Updater
2009-08-14 22:57 . 2008-04-26 03:11 1356 ----a-w- c:\users\momanddad\AppData\Local\d3d9caps.dat
2009-08-13 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-11 21:20 . 2008-01-17 03:19 -------- d-----w- c:\program files\Google
2009-08-11 21:12 . 2008-07-27 22:36 -------- d-----w- c:\users\momanddad\AppData\Roaming\LimeWire
2009-07-31 23:47 . 2008-05-20 12:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 21:52 . 2009-08-11 17:07 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-11 17:07 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-11 17:07 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-11 17:07 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-19 13:56 . 2007-04-17 02:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-04 18:50 . 2008-12-14 00:37 76784 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-23 09:59 . 2008-01-11 20:09 76784 ----a-w- c:\users\momanddad\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-15 15:24 . 2009-07-14 19:52 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-14 19:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-14 19:52 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-14 19:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2008-02-12 01:39 . 2008-02-12 01:39 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MP4 Player"="c:\program files\MP4 Player\mp4Player.exe" [2007-09-19 639488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-08 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-27 632048]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdc.exe" [2007-01-24 563080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-01-05 258048]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-02-15 4390912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\users\momanddad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
ImageMixer HDD Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer3\HDDCameraMonitor.exe [2008-1-11 2117632]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3E929F58-B38F-491F-A66F-C8B0E353B13B}"= UDP:c:\program files\Acer Zone\Acer Zone Main Page\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{AB5B5F73-0A18-4286-8E99-E999F366319E}"= TCP:c:\program files\Acer Zone\Acer Zone Main Page\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{2B04156E-1C6A-4DB0-97F6-82C7EAFA0E5C}"= c:\program files\Acer Zone\Acer Picture Slide DVD\component\CLSLDVD.exe:Cyberlink Picture Slide DVD workprocess
"{6CEEEB28-93A0-4763-A52E-60ED0672E029}"= c:\program files\Acer Zone\Acer Plug and Record\component\ARAWP.exe:Cyberlink Plug and Record ARA workprocess
"{33568BFC-3DE3-43EC-944A-C00B1A145A03}"= c:\program files\Acer Zone\Acer Plug and Record\component\DVAX2Process.exe:Cyberlink Plug and Record AVAX workprocess
"{DDF887FC-749F-4EC7-9EA4-15CA67DFAC76}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5CE4335C-48D9-4848-B832-15CE6BDF78DE}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4B591CDA-4625-4150-9B2E-41825DF86257}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{DF7B5B63-97D0-428E-A574-E6CFC85D3D3D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{92C4DE06-A598-4C40-977B-615757F06414}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{06DCA968-5D2F-46C5-971B-B85E9D416EBD}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{27F2E536-0554-4B34-922A-4025C53B15A0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{DFA46645-6E36-48C4-9FB3-0BF1B0C1DD2A}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{97DA21E9-1991-4AA0-A6ED-42258E229B8D}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{A36212B8-6517-4A3F-BC93-042E9D026A25}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{E3B85498-5E93-4B96-A7C4-8AFF0FFCF283}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{65686F21-6D20-4ED2-AD31-68293CA3B8D8}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{A16BF96A-7C47-4759-A4CB-75B5E141625B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/14/2009 6:51 PM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [8/14/2009 6:50 PM 19096]
S2 gupdate1c9aa7d3acff170;Google Update Service (gupdate1c9aa7d3acff170);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2009 7:31 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
FF - ProfilePath - c:\users\MOMAND~1\AppData\Roaming\Mozilla\Firefox\Profiles\gqomymii.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\users\momanddad\AppData\Roaming\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 13:13
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETedmvxtii]
"imagepath"="\systemroot\system32\drivers\SKYNETeofmlnks.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETedmvxtii]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETeofmlnks.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\System32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MSC\mcuimgr.exe
c:\windows\System32\inetsrv\w3wp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-08-16 13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-16 17:21

Pre-Run: 77,145,481,216 bytes free
Post-Run: 76,945,141,760 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
276 --- E O F --- 2009-08-13 07:02

[lilhokie]

BTW - Thank you for all of your help so far.... It is truly appreciated.

[Maurice Naggar]

lilhokie, on Aug 16 2009, 12:25 PM, said:

BTW - Thank you for all of your help so far.... It is truly appreciated.

You are quite welcome. Glad to be of assistance.
That was a very good move on your part on powering off and getting Combofix to get going.

I'm modifying the Avenger scan below and adding a couple of other runs. The Combofix noted a bit of remnant of the rootkit and hopefully this next Avenger pass will complete the task.

• Right-click on avenger.exe and select Run As Administrator to run The Avenger.
  
• Click OK.
  
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  

  Files to delete:
  c:\windows\system32\drivers\UACrmsdaeinwl.sys
  c:\windows\system32\drivers\SKYNETeofmlnks.sys
  c:\windows\system32\UACvvbockrnyv.dll
  c:\windows\system32\UACcjwxpwtskv.dll
  c:\windows\system32\UACuveeagtjfc.dll
  c:\windows\system32\UACsunwombpbj.db
  c:\windows\system32\UACppqcaqaknv.dll
  c:\windows\system32\UACiqbqdeoxtq.dll
  
  Registry keys to delete:
  [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETedmvxtii]
  
  Drivers to delete:
  SKYNETedmvxtii
  UACrmsdaeinwl.sys
  UACrmsdaeinwl
  UACr
  UACrserv
  UACd.sys
  UACd

• In the avenger window, click the Paste Script from Clipboard icon, button.
  
• Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  
• Click the Execute button.
  
• You will be asked Are you sure you want to execute the current script?.
  
• Click Yes.
  
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  
• Click Yes.
  
• Your PC will now be rebooted.
  
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.

=
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2635 or later. The latest program version is 1.40

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

Trend Micro Damage Cleanup Engine

• Make sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1st
  
• Basically there are 3 parts that need to be downloaded from these links:
  
  • Sysclean Package
    
  • Virus Pattern Files
    
  • Spyware Pattern Files

• Create a brand new folder to copy these files to.
  
• As an example: C:\DCE
  
• Then open each of the zipped archive files and copy their contents to C:\DCE
  
• Copy the file sysclean.com to the new folder C:\DCE as well.
  
• Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
  
  After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

Reply with copy of C:\Avenger.txt
the latest MBAM scan log
the Sysclean log

[lilhokie]

When running avenger, after saying Yes to Are you sure you want to execute the script, I got the following Error: "Error: Invalid registry syntax in command: "[-HKEY_LOCAL_MACHINE_SYSTEM]ControlSet001\Services\SKYNETedmvxtii]" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode)."

I then selected OK, And OK to continue script execution. Everything else seemed to go as described in your instructions.

Was the dash not supposed to be in the script?

[lilhokie]

Avenger Log:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Sun Aug 16 17:36:25 2009

17:36:09: Error: Invalid registry syntax in command:
"[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETedmvxtii]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\system32\drivers\UACrmsdaeinwl.sys" not found!
Deletion of file "c:\windows\system32\drivers\UACrmsdaeinwl.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete file "c:\windows\system32\drivers\SKYNETeofmlnks.sys"
Deletion of file "c:\windows\system32\drivers\SKYNETeofmlnks.sys" failed!
Status: 0xc0000156


Error: file "c:\windows\system32\UACvvbockrnyv.dll" not found!
Deletion of file "c:\windows\system32\UACvvbockrnyv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\UACcjwxpwtskv.dll" not found!
Deletion of file "c:\windows\system32\UACcjwxpwtskv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\UACuveeagtjfc.dll" not found!
Deletion of file "c:\windows\system32\UACuveeagtjfc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\UACsunwombpbj.db" not found!
Deletion of file "c:\windows\system32\UACsunwombpbj.db" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\UACppqcaqaknv.dll" not found!
Deletion of file "c:\windows\system32\UACppqcaqaknv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\UACiqbqdeoxtq.dll" not found!
Deletion of file "c:\windows\system32\UACiqbqdeoxtq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "SKYNETedmvxtii" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACrmsdaeinwl.sys" not found!
Deletion of driver "UACrmsdaeinwl.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACrmsdaeinwl" not found!
Deletion of driver "UACrmsdaeinwl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACr" not found!
Deletion of driver "UACr" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACrserv" not found!
Deletion of driver "UACrserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!
Deletion of driver "UACd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

[lilhokie]

I still need to run the Trend Micro Sysclean Package
MBAM Log:
Malwarebytes' Anti-Malware 1.40
Database version: 2636
Windows 6.0.6001 Service Pack 1

8/16/2009 5:44:59 PM
mbam-log-2009-08-16 (17-44-59).txt

Scan type: Quick Scan
Objects scanned: 93562
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\momanddad\Desktop\avenger.exe (Trojan.Agent) -> Quarantined and deleted successfully.

[Maurice Naggar]

lilhokie, on Aug 16 2009, 04:39 PM, said:

When running avenger, after saying Yes to Are you sure you want to execute the script, I got the following Error: "Error: Invalid registry syntax in command: "[-HKEY_LOCAL_MACHINE_SYSTEM]ControlSet001\Services\SKYNETedmvxtii]" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode)."

I then selected OK, And OK to continue script execution. Everything else seemed to go as described in your instructions.

Was the dash not supposed to be in the script?

The dash was intended. We did ok. The rootkit service has been quashed.
Do not be concerned. Please keep on with the SYSCLEAN run and when done. post that log, and then await my next reply.

[lilhokie]

Here is the sysclean log. It's a little long and giving me problems pasting in one reply, so I'm going to split it up into a few replies.....
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/16/2009 21:43:42
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 366 (463626/463626 Patterns) (2009/08/16) (636624)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\DCE\lpt$vpn.366

Undet [ ]( ) in D:\$RECYCLE.BIN\S-1-5-21-2996678549-1730959963-12771951-1000\desktop.ini
Undet [ ]( ) in D:\20071229_regbackup.reg
Undet [ ]( ) in D:\20080104_regbackup.reg
Undet [ ]( ) in D:\20080112_regbackup.reg
Undet [ ]( ) in D:\Alawar\Arctic Quest 2\Alawar.ico
Undet [ ]( ) in D:\Alawar\Arctic Quest 2\Alawar.url

[lilhokie]

After all of these posts, I'm not even 1/4 of the way through the file. Is there another way to get it to you?

It continues through a long list of files and after the files, this is the end:

32248 files have been read.
32248 files have been checked.
32248 files have been scanned.
213422 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/16/2009 22:26:15 42 minutes 32 seconds (2552.82 seconds) has elapsed.(79.162 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*