Nothing working - Page 2

Question

PhilliePhan 171 Central Scrutinizer

14 Years Ago

Yeah that would be great if you could list the registry keys that need to be deleted.

Sorry for late reply - trying to cram in some extra work before the holidays.

First. let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and it’s components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

If you have backed up the registry with ERUNT, let's see if we can remove that key:

Click START > Run > Type regedit and hit OK to open registry editor.

Drill down to the following Key(s):
HKLM\SYSTEM\ControlSet001\Services\UACd.sys

If these are separate, then they'll need to go too:
HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath
HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system

If any of these do in fact remain, RightClick them and try to delete them.
Be sure to delete only the EXACT keys listed above.

Let me know if you run into trouble.

Also, have a look for these files - they should be gone, but may as well verify it. You'll need to enable the viewing of hidden files, if that is not already done:
system32\drivers\UACmlsfkrshab.sys
system32\UACyewybordig.dll
system32\UACobuaiteytn.dll
system32\UACsxrogejixq.dat
system32\UACktapucvber.dll
system32\UACblqpqeupkd.dll

Let me know how you fare.

Happy Thanksgiving :)
PP

Edited 14 Years Ago by PhilliePhan because: n/a

PhilliePhan 171 Central Scrutinizer

14 Years Ago

Thankyou and Happy Thanksgiving to you aswell.
Start > Run Combofix /u could not be found. I think I removed all the Combofix files though,
Files are backed up with Erunt.
I checked the system/driver files listed and found nothing.
Registry keys listed: I found the first folder system/UACd but none of the seperate folders listed. system/uacd folder could not be deleted but only contained (Default) REG_SZ (value not set) which also could not be deleted.

No worries!
These particular keys can be a real pain to remove, even when orphaned.
It won't hurt anything to leave them there - there are likely (many) hundreds of orphaned keys accumulated in the registry. I am leery about trying to rip them out forcibly again given what occurred the last time...

If you didn't see HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules key or any "imagepath" values, it would seem that those have been cleaned previously.

-- How are things running now?

If OK, let's Flush System Restore. Just turn it off and back on as noted in the linky.
If you prefer, you can leave it off and use ERUNT - 'Course you have to remember to do it or set ERUNT to run automatically.

PP:)

Edited 14 Years Ago by PhilliePhan because: n/a

PhilliePhan 171 Central Scrutinizer

14 Years Ago

things seem to be running fine. Did the restore delete. anything else I need to do?

Yes - I think the machine is clean, but we should now make sure all the security measures are up to date.

The Kaspersky Internet Securty Suite on the machine is usually solid. It should be updated. If she allowed the license to lapse and does not want to renew, we'll have to replace it with a free option.

Please do this:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it.

That will give me the info I need to make any recommendations.

PP :)

PhilliePhan 171 Central Scrutinizer

14 Years Ago

It will be this weekend before I can getto it as I had to go out of town for work.

No worries! I'll be around.

PP:)

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Stonehands 0 Light Poster · Answer 1 · 2009-11-19T04:51:20+00:00

New Log:
ComboFix 09-11-18.06 - kelli 11/18/2009 14:30.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.151 [GMT -8:00]
Running from: c:\documents and settings\kelli\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kelli\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\UACmlsfkrshab.sys"
"c:\windows\system32\SET17.tmp"
"c:\windows\system32\UACblqpqeupkd.dll"
"c:\windows\system32\UACktapucvber.dll"
"c:\windows\system32\UACobuaiteytn.dll"
"c:\windows\system32\UACsxrogejixq.dat"
"c:\windows\system32\UACyewybordig.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\496a39afdbed2b24c2c8
c:\496a39afdbed2b24c2c8\$shtdwn$.req
c:\496a39afdbed2b24c2c8\mrt.exe
c:\496a39afdbed2b24c2c8\mrtstub.exe
C:\7982518c8b11f8a4e878
c:\7982518c8b11f8a4e878\$shtdwn$.req
c:\7982518c8b11f8a4e878\mrt.exe
c:\7982518c8b11f8a4e878\mrtstub.exe
C:\7f53c993687974ed3c0117715ee81f01
c:\7f53c993687974ed3c0117715ee81f01\$shtdwn$.req
c:\7f53c993687974ed3c0117715ee81f01\mrt.exe
c:\7f53c993687974ed3c0117715ee81f01\mrtstub.exe
C:\a49032d5139bca81285f7967b5
c:\a49032d5139bca81285f7967b5\$shtdwn$.req
c:\a49032d5139bca81285f7967b5\mrt.exe
c:\a49032d5139bca81285f7967b5\mrtstub.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.

2009-11-18 22:30 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-18 22:30 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-14 17:25 . 2009-11-14 17:25 -------- d-sh--w- c:\documents and settings\kelli\IECompatCache
2009-11-14 02:33 . 2009-11-14 02:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-14 02:14 . 2009-11-14 02:14 -------- d-sh--w- c:\documents and settings\kelli\PrivacIE
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\system32\scripting
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\l2schemas
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\system32\en
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\system32\bits
2009-11-14 01:55 . 2009-11-14 01:55 -------- d-----w- c:\windows\EHome
2009-11-14 01:42 . 2009-11-14 01:42 -------- d-sh--w- c:\documents and settings\kelli\IETldCache
2009-11-14 01:12 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-14 01:12 . 2009-11-16 15:06 -------- d-----w- c:\windows\ie8updates
2009-11-14 01:11 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-14 01:11 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-14 01:08 . 2009-11-14 01:11 -------- dc-h--w- c:\windows\ie8
2009-11-14 00:37 . 2009-11-14 00:37 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-11-14 00:37 . 2009-11-14 00:37 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-11-14 00:37 . 2009-11-14 00:37 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-11-14 00:37 . 2009-11-14 00:37 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-11-14 00:37 . 2009-11-14 00:37 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-11-14 00:13 . 2009-11-17 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-14 00:13 . 2009-11-14 00:13 -------- d-----w- c:\program files\Kaspersky Lab
2009-11-13 21:29 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-11-12 21:16 . 2009-11-12 21:16 -------- d-----w- c:\windows\IDB
2009-11-12 15:35 . 2009-11-12 15:35 -------- d-----w- c:\program files\Trend Micro
2009-11-12 05:52 . 2009-11-12 05:52 -------- d-----w- c:\documents and settings\kelli\Application Data\Malwarebytes
2009-11-12 05:50 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-12 05:50 . 2009-11-12 05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 05:50 . 2009-11-12 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-12 05:50 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-11 17:09 . 2009-11-11 17:09 153 ----a-w- C:\DelUS.bat
2009-11-11 17:06 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-11-11 17:06 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-11-11 17:06 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-11-11 17:06 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-11-07 04:34 . 2009-11-07 04:34 128 ----a-w- c:\documents and settings\kelli\Local Settings\Application Data\fusioncache.dat
2009-11-07 04:03 . 2009-11-07 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-03 21:23 . 2009-08-12 11:19 111704 ----a-w- c:\windows\system32\PTDUWmcp64.dll
2009-11-03 21:23 . 2009-08-12 11:18 100952 ----a-w- c:\windows\system32\PTDUWmcp.dll
2009-11-03 21:23 . 2009-11-03 21:23 -------- d-----w- c:\program files\PANTECH
2009-11-03 21:23 . 2009-08-11 11:19 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2009-11-03 21:23 . 2009-11-03 21:23 -------- d-----w- c:\documents and settings\kelli\Application Data\InstallShield
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 01:35 . 2007-07-05 20:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-14 17:22 . 2006-05-29 17:39 35368 ----a-w- c:\documents and settings\kelli\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-14 02:37 . 2006-05-29 18:36 -------- d-----w- c:\program files\MSN Messenger
2009-11-14 02:16 . 2006-01-19 03:22 77607 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-14 00:22 . 2009-11-14 00:22 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-11-11 21:55 . 2006-01-19 03:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-11 17:08 . 2006-01-19 03:54 -------- d-----w- c:\program files\TOSHIBA
2009-11-03 20:29 . 2006-01-19 04:29 -------- d-----w- c:\program files\Quicken
2009-09-11 14:18 . 2006-01-19 02:02 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-01-19 02:01 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-01-19 02:02 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-01-19 02:03 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 761945]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbamm.exe" [2009-09-10 1312080]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-05-25 303376]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2010 9.0.0.736\\English\\setup.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [7/13/2009 1:50 PM 87040]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-18 14:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4214974613-2618577155-3061291564-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-11-18 14:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-18 22:48

Pre-Run: 56,490,139,648 bytes free
Post-Run: 56,343,539,712 bytes free

- - End Of File - - 23821C1E9EE4AEB69091BCA243FF8BA7

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 2 · 2009-11-19T06:07:55+00:00

OK - At quick glance, that looks better. A few more steps left, but before we do them:

-- How are things running?

-- I'd like a fresh GMER Scan. Delete you current copy of GMER and Download a fresh one.

Here's the canned spiel again......

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then click the save button and name the log GMER – 1.log and save it to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

PP :)

Stonehands 0 Light Poster · Answer 3 · 2009-11-19T10:21:11+00:00

Sorry about the delay but I was enjoying my 3hr commute home. :)
Scanning now.

Ying_Yang 0 Newbie Poster · Answer 4 · 2009-11-19T10:45:38+00:00

I'd say reinstall yes or yes, because even if you delete all viruses
(and that's not probable), windows its already harmed, and dont tell its not windows because its the only OS with virus-support :P

Now off course you probably have files you want to back up,
you can do so with puppy linux its a live linux its a very small distro;
download it in other PC.
burn it.

Use it with the ill computer
it will run in no time and then you can back up all you need
After it format all disks and reinstall.
PD: Give your friend an antivirus before setting files back to the computer, some will probably keep infected.

Stonehands 0 Light Poster · Answer 5 · 2009-11-19T11:01:42+00:00

Gmer log:
GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-18 20:56:40
Windows 5.1.2600 Service Pack 3
Running: il7404xf.exe; Driver: C:\DOCUME~1\kelli\LOCALS~1\Temp\pgldqpob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA9AD36E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xAA9ADA86]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xAA9AE60C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xAA9AEB40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xAA9ADD78]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xAA9AC460]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xAA9AEA18]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xAA9ABD0A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xAA9AE8D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xAA9AD102]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xAA9AEC72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA9B040E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xAA9AD886]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xAA9AE976]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xAA9ACA20]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xAA9ACCF8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xAA9AE21C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xAA9B0980]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xAA9ACE3A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xAA9ACEE4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xAA9AE016]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xAA9AFEA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xAA9AC43C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xAA9AC44E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xAA9AD030]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xAA9AEBE2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xAA9ADB08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xAA9AC604]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xAA9AEAB0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xAA9AD56E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xAA9B0438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xAA9AED14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xAA9AD492]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xAA9ACF8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA9ACBB6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xAA9AC8BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xAA9B0128]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xAA9ACB34]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xAA9AC0C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xAA9AF09E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xAA9AEF64]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA9AFC30]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xAA9AC224]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xAA9B0860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xAA9ABEC4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xAA9AE312]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xAA9AD984]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xAA9AF5F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xAA9AFFA0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xAA9B04C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xAA9AC744]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xAA9B05A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xAA9B06D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xAA9AFDD2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xAA9AD6EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xAA9AD63C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xAA9AD7C8]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F7F2C820] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[TDI.SYS!TdiRegisterDeviceObject] [F7F2C820] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F7F2C820] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\ip6fw.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\USBSTOR.SYS[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] [F7F2C6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs A9CC5400
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACmlsfkrshab.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACmlsfkrshab.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyewybordig.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACobuaiteytn.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACsxrogejixq.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACktapucvber.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACblqpqeupkd.dll

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{E5F689B9-8C88-425A-878C-812257CD29D2}\RP516\A0107266.sys:1 8704 bytes executable

---- EOF - GMER 1.0.15 ----

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 6 · 2009-11-20T02:52:30+00:00

Sorry about the delay but I was enjoying my 3hr commute home. :)
Scanning now.

No worries - we're all busy with real life :)

For some reason, combofix is not getting this. It should...

-- Is the recovery console still installed?

Also, see if you can do this:
-- RightClick on MyComputer Icon and select Properties.
-- Select the Hardware Tab and Click on Device Manager.
-- Select the View option and Click on Show Hidden Drivers.
--Scroll down to Non Plug and Play Drivers and Click the + to expand the list.
-- In the list of drivers, RightClick on UACd.sys and Disable it. If asked to confirm, Click Yes.

REBOOT

Don't do anything else - just answer the recovery console question and let me know if the UACd step went OK.
And we'll go from there.

PP:)

Stonehands 0 Light Poster · Answer 7 · 2009-11-20T07:29:04+00:00

No worries - we're all busy with real life :)
For some reason, combofix is not getting this. It should...
-- Is the recovery console still installed?
Also, see if you can do this:
-- RightClick on MyComputer Icon and select Properties.
-- Select the Hardware Tab and Click on Device Manager.
-- Select the View option and Click on Show Hidden Drivers.
--Scroll down to Non Plug and Play Drivers and Click the + to expand the list.
-- In the list of drivers, RightClick on UACd.sys and Disable it. If asked to confirm, Click Yes.
REBOOT
Don't do anything else - just answer the recovery console question and let me know if the UACd step went OK.
And we'll go from there.
PP:)

UACD.sys is not shown in the non plug and play...I'm a dork.I'll do it on the correct PC this time.

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 8 · 2009-11-20T07:38:31+00:00

UACD.sys is not shown in the non plug and play

OK - those might just be registry remnants. I'm not certain.

We'll just try to pull them out manually - these particular keys can be tricky.

I'm heading out the door - I'll have to post the steps later.

Hang in there.

PP:)

Stonehands 0 Light Poster · Answer 9 · 2009-11-20T07:42:03+00:00

OK no UCAd.sys on correct computer either. There is on called Serial and has a ! next to it.

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 10 · 2009-11-20T08:43:30+00:00

OK no UCAd.sys on correct computer either. There is on called Serial and has a ! next to it.

OK - I think those might be remnants . . . . or very well hidden.

When I get home I'll put together something to remove them just to be safe.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 11 · 2009-11-20T10:27:12+00:00

When I get home I'll put together something to remove them just to be safe.

Ok - Let's do this:

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the Everything in Red below and copy it using Ctrl+C or RightClick > Copy:

Drivers to delete:
UACd.sys

Files to delete:
C:\windows\system32\drivers\UACmlsfkrshab.sys
C:\windows\system32\UACyewybordig.dll
C:\windows\system32\UACobuaiteytn.dll
C:\windows\system32\UACsxrogejixq.dat
C:\windows\system32\UACktapucvber.dll
C:\windows\system32\UACblqpqeupkd.dll

-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

-- You may get some errors if the files are already gone. No worries.

PP:)

Stonehands 0 Light Poster · Answer 12 · 2009-11-22T01:26:17+00:00

Did as instructed. Computer shut down to reboot and did not restart. Power was on but would not run windows. Tried to restart normally with no success. Had to restart from last known good configuration. Start successful. Not sure if I should retry Avenger?

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 13 · 2009-11-22T06:16:57+00:00

Had to restart from last known good configuration. Start successful. Not sure if I should retry Avenger?

No - Don't try Avenger again. Something's hinky here.
Normally combofix will remove those with no problem, but it is not in this case.

-- Do you still have the Recovery Console installed?

Let's try this, instead:
Please Download Kaspersky's AVP Tool

-- Save AVP Tool to your Desktop.
-- Please boot to Safe Mode (tap F8 at reboot - Do Not use msconfig!)

Once in Safe Mode:
-- DoubleClick the AVP Tool setup file to run it.
Follow the prompts and it should install to your Desktop Folder
-- If you get a prompt for scanning in Safe Mode, click OK.
-- AVP Tool will open.
-- Click the Manual Cure Tab
-- Click the Collect system information Button and let it run
-- When it finishes, it will say Completed. Report saved to LOG\avptool_syscheck.zip

Please save the log and post it for me.

THEN:
Please select the Automatic Scan Tab
Be sure the following boxes are checked:
• System Memory
• Startup Objects
• Disk Boot Sectors.
• My Computer.
• All other drives

-- Please click the Scan Button.
AVP Tool should Neutralize any objects it finds. If some are left un-neutralized, Click the Neutralize All button.
Note: If an object cannot be neutralized, select DELETE at the prompt.

When finished, please click the Reports Button and save the log where you can find it easily. Please post that for me.
Also, let me know if you ran into any problems with these steps.
Note: AVP Tool should "self-uninstall," so be sure to save the log before closing the program.

Please post me those two logs and let me know if you run into any trouble along the way.

PP:)

Stonehands 0 Light Poster · Answer 14 · 2009-11-23T23:00:55+00:00

Yes I still have the recovery console installed. Wow that scan took over 22hrs! It did find something and delete it...this is good! Here are the logs and thanks again for all your help.
Also not sure about the previous check that I did when the computer would not reboot. I was unaware that it had saved a log and weird that it saved it to the flash drive but I found this Bootex log file on the flash so I will post that aswell. Not sure if it is pertinent but I thought you should see it.

    Checking file system on E:
    The type of the file system is FAT32.


    One of your disks needs to be checked for consistency. You
    may cancel the disk check, but it is strongly recommended
    that you continue.
    Windows will now check the disk.                         
    Volume Serial Number is 2B18-32E1
    Windows has checked the file system and found no problems.
         15620160 KB total disk space.
               16 KB in 1 folders.
             9296 KB in 6 files.
         15610832 KB are available.

            16384 bytes in each allocation unit.
           976260 total allocation units on disk.
       975677 allocation units available on disk.

Scan
----
Scanned:    572896
Detected:   1
Untreated:  0
Start time: 11/22/2009 10:06:22 AM
Duration:   22:12:19
Finish time:    11/23/2009 8:18:41 AM


Detected
--------
Status  Object
------  ------
deleted: Trojan program Rootkit.Win32.PMax.e    File: C:\System Volume Information\_restore{E5F689B9-8C88-425A-878C-812257CD29D2}\RP516\A0107266.sys:1


Events
------
Time    Name    Status  Reason
----    ----    ------  ------


Statistics
----------
Object  Scanned Detected    Untreated   Deleted Moved to Quarantine Archives    Packed files    Password protected  Corrupted
------  ------- --------    ---------   ------- ------------------- --------    ------------    ------------------  ---------


Settings
--------
Parameter   Value
---------   -----
Security Level  Recommended
Action  Prompt for action when the scan is complete
Run mode    Manually
File types  Scan all files
Scan only new and changed files No
Scan archives   All
Scan embedded OLE objects   All
Skip if object is larger than   No
Skip if scan takes longer than  No
Parse email formats No
Scan password-protected archives    No
Enable iChecker technology  No
Enable iSwift technology    No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search    No
Use heuristic analyzer  Yes


Quarantine
----------
Status  Object  Size    Added
------  ------  ----    -----


Backup
------
Status  Object  Size
------  ------  ----

PhilliePhan 171 Central Scrutinizer Team Colleague · Answer 15 · 2009-11-24T09:26:40+00:00

Everything looks OK outside of those (orphaned) registry keys. It's very odd to me that neither MBAM or combofix removed them.
I imagine the associated files are long gone.
We can try to remove those keys manually, if you feel up to poking around the registry......

-- Since you had to restore the compy, please update and run MBAM again.

-- These two need to be uninstalled. Update them to the latest, more secure versions at their respective sites:

Adobe Reader 7.0
J2SE Runtime Environment 5.0 Update 4

http://www.java.com/en/
http://www.adobe.com/products/reader/

I suggest removing this as well:
Viewpoint Media Player

Also, I suggest you/she back up her registry with ERUNT every month.
Especially if you want to try to remove those orphaned keys.

Please post the new MBAM log.

PP:)

Stonehands 0 Light Poster · Answer 16 · 2009-11-25T06:56:34+00:00

Yeah that would be great if you could list the registry keys that need to be deleted.
New Mbam log.

Malwarebytes' Anti-Malware 1.41
Database version: 3221
Windows 5.1.2600 Service Pack 3

11/23/2009 9:37:32 PM
mbam-log-2009-11-23 (21-37-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198219
Time elapsed: 55 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E5F689B9-8C88-425A-878C-812257CD29D2}\RP524\A0117443.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E5F689B9-8C88-425A-878C-812257CD29D2}\RP524\A0117431.exe (Trojan.Banker) -> Quarantined and deleted successfully.

Stonehands 0 Light Poster · Answer 17 · 2009-11-26T11:14:05+00:00

Thankyou and Happy Thanksgiving to you aswell.
Start > Run Combofix /u could not be found. I think I removed all the Combofix files though,
Files are backed up with Erunt.
I checked the system/driver files listed and found nothing.
Registry keys listed: I found the first folder system/UACd but none of the seperate folders listed. system/uacd folder could not be deleted but only contained (Default) REG_SZ (value not set) which also could not be deleted.

Stonehands 0 Light Poster · Answer 18 · 2009-11-28T06:50:56+00:00

No worries!
These particular keys can be a real pain to remove, even when orphaned.
It won't hurt anything to leave them there - there are likely (many) hundreds of orphaned keys accumulated in the registry. I am leery about trying to rip them out forcibly again given what occurred the last time...
If you didn't see HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules key or any "imagepath" values, it would seem that those have been cleaned previously.
-- How are things running now?
If OK, let's Flush System Restore. Just turn it off and back on as noted in the linky.
If you prefer, you can leave it off and use ERUNT - 'Course you have to remember to do it or set ERUNT to run automatically.
PP:)

things seem to be running fine. Did the restore delete. anything else I need to do?

Stonehands 0 Light Poster · Answer 19 · 2009-11-30T21:23:01+00:00

Yes - I think the machine is clean, but we should now make sure all the security measures are up to date.
The Kaspersky Internet Securty Suite on the machine is usually solid. It should be updated. If she allowed the license to lapse and does not want to renew, we'll have to replace it with a free option.
Please do this:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool
Great. Thanks again for all your help. It will be this weekend before I can get to it as I had to go out of town this week. Post as soon as possible.
Troy
* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).
- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it.
That will give me the info I need to make any recommendations.
PP :)

It will be this weekend before I can getto it as I had to go out of town for work.