can I delete System Security from XP system

I'm trying to scan nbmkmd.sys now

it's done

Filename: Nbmkmd.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 16 Jun 2009 02:28:50 (CET) Permalink

I runned it in my laptop not in my infected workin computer

Okay, the driver should be okay.

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

Morpheus 5.2 (remove only)
Viewpoint Media Player

Now open a new notepad file.
Input this into the notepad file:

File::
d:\winnt\system32\internat.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"=-

DDS::
uStart Page = about:blank

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

can you tell me how I can fix Add/Remove programs in my laptop?

I can't open Add/Remove programs. it's halted

This OS is pretty messy. Is this a chinese OS or something? I noticed QQ software installed, and catchme seems to think there is a SP4 installed here. :hmm:

yes, QQ is installed here. smae function like skype. My win2000 is english version

I restarted my system. But Add/Remove program is not working. What can I do?

oh, my system is win2000 SP4

do you want me to execute your last instruction as follows

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

Morpheus 5.2 (remove only)
Viewpoint Media Player


Now open a new notepad file.
Input this into the notepad file:


File::
d:\winnt\system32\internat.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"=-

DDS::
uStart Page = about:blank



Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

COMBOFIX IS REALLY GARBAGE. MY OUTLOOK EXPRESS IS BROKEN AS WELL

IT'S 6.00.2800.1933 VERSION

I checked my outlook express. combofix deleted my e-mail account only.

I think a full format maybe needed here, because your logs are telling me it's XP, not 2000. Something might have not worked right when you put 2000 on this machine. ALL of the logs say XP.

I checked my most common programs. Only add/remove is broken. Could you help me to fix it first? thanks

I guess there might be a little confusion. I download combofix to my laptop. It's win2000 sp4 system. But my working PC installed winXP sp2 was infected by system security.

I just tried combofix in my laptop (win2000 sp4) & see how it works. But it made me in trouble & deleted my proper program & broken my add/remove program. So only the report from combofix is about my laptop. previous reports are from my working PC

except add/remove program, I have no problem with my laptop now

When combofix start to work, I saw he backuped my registry. Could we restore it by chance?

are you still here?

can I re-run combo-fix & try to restore my registry? I want to fix add/remove program

I really recommend you format your computer as you are saying its windows 200 when all of your logs are saying windows XP. A format will set your computer back to its factory settings making it easier to navigate through the system.

Now, don't care about my laptop. Let's come back to my working pc what it's infected by system security (winxp sp2 system). Please let me know what i haver to do next. Can't be format & re-install system. thanks

Which machine is which? I'm confused now.
If the infected machine IS XP and not this 2000 machine, please open a new topic.

I'M SORRY ABOUT THAT. YOU KNOW, I COULD NOT DOWNLOAD COMBOFIX YESTERDAY WHEN I USE MY WORKING PC (WINXP SP2). SO I WENT BACK HOME & DOWNLOADED IT FROM MY PERSONAL LAPTOP (WIN200 SP4). AFTER I DOWNLOADED IT, I TRIED TO RUN IT ON MY LAPTOP (WIN2000 SP4) FIRST. JUST WANT TO SEE HOW IT WORKS. BUT COMBOFIX DELETED MY PROPER PROGRAM & BROKEN ADD/REMOVE PROGRAM ON MY LAPTOP (WIN2000 SP4). I CAN'T FIX IT TILL NOW. ANYWAY, I WILL START A NEW TOPIC FOR MY PERSONAL LAPTOP TONIGHT. NOW, I JUST WANT TO DISCUSS WITH YOU ABOUT MY WORKING PC (WINXP SP2) WHAT IS INFECTED BY SYSTEM SECURITY. BUT I DON;T WANT TO RUN COMBOFIX ON MY WORKING PC. IT'S REALLY DANGEROURS SOFTWARE. DO YOU HAVE ANY SUGGESTION? THANKS & SORRY FOR CONFUSED YOU.

Please turn caps lock off, it's very hard to read and considered shouting.
I didn't know you were running it on 2000, and I didn't ask you to run it on 2000.

a) Combofix isn't made for 2000
b) Combofix IS dangerous if your going to use it without telling me.

We have other tools besides Combofix, like MBAM.

you know, I already installed MBAM in my working pc. But it can't be started. what can I do now? thanks

Download the GMER rootkit scan from here: GMER

1. Unzip it and start GMER.
   
2. Click the >>> tab and then click the Scan button.
   
3. Once done, click the Copy button.
   
4. This will copy the results to your clipboard.
   
5. Paste the results in your next reply.
   

Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

The log will be quite big, so please upload it to rapidshare.com for me to see.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-16 11:23:04
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 84AB67FE ZwEnumerateKey
Code 8495416E ZwFlushInstructionCache
Code 845D11ED IofCallDriver
Code 847C552D IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EEF9C 5 Bytes JMP 845D11F2
.text ntkrnlpa.exe!IofCompleteRequest 804EF02C 5 Bytes JMP 847C5532
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B51D2 5 Bytes JMP 84954172
PAGE ntkrnlpa.exe!ZwEnumerateKey 806228DE 5 Bytes JMP 84AB6802

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[188] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08B2000A
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[188] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08C4000A
.text C:\WINDOWS\RTHDCPL.EXE[236] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 09BC000A
.text C:\WINDOWS\RTHDCPL.EXE[236] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 09BD000A
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[252] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08B1000A
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[252] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08B2000A
.text C:\Program Files\CA\eTrustITM\realmon.exe[264] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08CC000A
.text C:\WINDOWS\system32\ctfmon.exe[292] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 089D000A
.text C:\WINDOWS\system32\ctfmon.exe[292] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08AF000A
.text C:\Acer\LANScope Agent\awServ.exe[300] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0195000A
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[312] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08B3000A
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[312] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08C5000A
.text C:\WINDOWS\system32\sistray.exe[320] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08BA000A
.text C:\WINDOWS\system32\sistray.exe[320] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08BB000A
.text C:\Program Files\Outlook Express\msimn.exe[328] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A6000A
.text C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe[544] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B3000A
.text C:\Program Files\CA\eTrustITM\InoRpc.exe[556] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A3000A
.text C:\Program Files\CA\eTrustITM\InoRT.exe[604] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B3000A
.text ...
.text C:\WINDOWS\system32\winlogon.exe[772] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0072000A
.text C:\WINDOWS\system32\winlogon.exe[772] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0074000A
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0086000A
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0097000A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1096] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009F000A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1096] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A0000A
.text C:\Acer\LANScope Agent\LockKM.exe[1500] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0117000A
.text C:\Acer\LANScope Agent\LockKM.exe[1500] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0118000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1596] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0084000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1596] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B6000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WININET.dll!HttpAddRequestHeadersA 771C411E 5 Bytes JMP 00C2000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WININET.dll!HttpAddRequestHeadersW 771CEF65 5 Bytes JMP 00CD000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00CEF9F0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00CF08A0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!send 71AB428A 5 Bytes JMP 00CF0780 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll

.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00CEFDA0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00CF0A60 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\WINDOWS\System32\alg.exe[2772] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0084000A
.text C:\WINDOWS\System32\alg.exe[2772] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0085000A
.text C:\Program Files\Messenger\msmsgs.exe[3188] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A8000A
.text C:\Program Files\Messenger\msmsgs.exe[3188] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08B6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WININET.dll!HttpAddRequestHeadersA 771C411E 5 Bytes JMP 08C1000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WININET.dll!HttpAddRequestHeadersW 771CEF65 5 Bytes JMP 08CC000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 08CDF9F0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!connect 71AB406A 5 Bytes JMP 08CE08A0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!send 71AB428A 5 Bytes JMP 08CE0780 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 08CDFDA0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 08CE0A60 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\ud4ombv0.exe[3852] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08AC000A
.text C:\ud4ombv0.exe[3852] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08BE000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Ntfs \Ntfs ino_flpy.sys (CA eTrust Antivirus/InoculateIT File System Mounting Filter Driver for Windows 2000/XP/2003/Vista/Computer Associates)
AttachedDevice \Driver\Tcpip \Device\Ip netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Ip netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
AttachedDevice \Driver\Tcpip \Device\Tcp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Tcp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACagxmmepxxuskbpr.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [992] 0x01420000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1136] 0x00A10000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1252] 0x00A10000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1372] 0x00A10000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1868] 0x00CE0000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3424] 0x08CD0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETpwmdtgbw.sys (*** hidden *** ) [SYSTEM] SKYNETjbgsilxt <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Sorry, I don't know how to use rapidshare.com. so I copy & past here for you. Thanks

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to disable:
SKYNETjbgsilxt
UACd.sys

Drivers to delete:
SKYNETjbgsilxt
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\SKYNETpwmdtgbw.sys
C:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys
C:\WINDOWS\system32\UACagxmmepxxuskbpr.dll
C:\WINDOWS\system32\UACfkeafpcclvbnabb.dll
C:\ud4ombv0.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

once again, the download is stopped by my server. I have to go back to home & download it to my USB. I will come back tomorrow if this is only tools I can download now. thanks

I just start a new topic for my personal laptop. please check technicla & support forums. the subject is add/remove program in win2000. could you help me to fix it. thanks

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Disablement of driver "SKYNETjbgsilxt" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Disablement of driver "UACd.sys" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "SKYNETjbgsilxt" deleted successfully.
Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\SKYNETpwmdtgbw.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys" deleted successfully.
File "C:\WINDOWS\system32\UACagxmmepxxuskbpr.dll" deleted successfully.
File "C:\WINDOWS\system32\UACfkeafpcclvbnabb.dll" deleted successfully.
File "C:\ud4ombv0.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

It seems my machine is fixed. I can print now & no error appear when I start. I can run Malwarebytes' Anti-Malware. Please check the following report from Malwarebytes' Anti-Malware. Thanks

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 2

6/17/2009 8:37:11 AM
mbam-log-2009-06-17 (08-37-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 137602
Time elapsed: 9 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\USER1\local settings\Temp\nsxremacwo.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\USER1\local settings\Temp\prun.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\USER1\local settings\Temp\UAC62d7.tmp (Trojan.FakeAV) -> No action taken.
c:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
c:\WINDOWS\system32\UACbnevdlmrmbfoewm.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\system32\UACfkeafpcclvbnabb.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\system32\UACtsqwefftvpfhtie.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACagxmmepxxuskbpr.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACfnoearmycrrxdkp.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACwygrsbfjecxnrgl.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys (Trojan.Agent) -> No action taken.

Hello.
Please update the MBAM database (go into the update tab, and check for updates), re-scan, and remove everything found.
Post the newest log.

Malwarebytes' Anti-Malware 1.37
Database version: 2295
Windows 5.1.2600 Service Pack 2

6/17/2009 9:19:12 AM
mbam-log-2009-06-17 (09-19-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 143211
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\10501094\10501094.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\Desktop\avenger.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\axwrcnoems.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\dailybucks_install.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\nsxremacwo.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\UAC62d7.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACagxmmepxxuskbpr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACbnevdlmrmbfoewm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACfkeafpcclvbnabb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACfnoearmycrrxdkp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtsqwefftvpfhtie.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACwygrsbfjecxnrgl.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

I run it again. I got a clean report as follows.

alwarebytes' Anti-Malware 1.37
Database version: 2295
Windows 5.1.2600 Service Pack 2

6/17/2009 9:34:14 AM
mbam-log-2009-06-17 (09-34-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 143049
Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Is my system clean now? What's next I have to do? By the way, I have to uninstall Malwarebytes' Anti-Malware from my working pc after it is complete clean. Do I need do anything before uninstallation? Thanks.

Lets make sure there are no any left overs:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  
• Once the short scan has finished, just let it cure whatever it finds...
  o Now, go to Settings >> Change Settings
  o Go to Actions tab >> under Objects section, change the settings to below
  Infected objects - Cure
  Incurable objects - Report
  Suspicious objects - Report
  o Don't change any other settings
  
• Start the scan again. This time, choose Complete Scan
  
• Click the green arrow button at the right, and the scan will start.
  
• After the scan finished, click Select all
  
• Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  
• When the scan has finished, in the menu, click File and choose Save report list
  
• Save the report to your Desktop. The report will be called DrWeb.csv
  
• Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..
  

Last edited by Origin on 17th June 2009, 2:11 pm; edited 1 time in total

can not connect to server. shows me Page cannot be displayed. Any other address I can download?

Hello.
I want a DDS log to make sure the rootkit files are gone.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.a
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

thanks. my server stopped me to download it. Anyont I can download instead or I have to download from my personal laptop at home tonight? Thanks

Okay. No rush though, this should be fine, all looks good as of right now.

Ok. I will download tonight & come back to you tomorrow morning. Thank you very much for your great help.

Have a wonderful day!

need urgent help. I use google at IE6.0 brower. google listed what I checked. But the shows me as follows when I click some links. (some links are ok)

ERROR
INVALID SYNTAX
INVALID SYNTAX

I didn't have the similar problem before. Could you help me for this? Thanks

Hmm, could be malware related still. I'll wait to see the DDS log before doing anything else.