Win32/Cryptor Virus Has a Grip on me! Please Help!!!

I ran an AVG scan and the Win32/Cryptor Virus came up. This was after I had noticed my CPU running almost constantly at 100%. I have a McAfee subscription through Comcast and my pc wasn't allowing me to access the McAfee site so I tried through my Laptop and was able to get to McAfee just fine...this is when I thought something was really wrong. I called McAfee and they were NO Help, since I could not pull up the command prompt window they told me to talk to the computer manufacturer (Dell) they were no help either since my computer is out of warranty.

AVG will not update. When I try to run a scan the computer will occasionally "Blue Screen" during the scan.

Within the first 2 minutes of the scan the infection pops up.

I've already tried Malwarebytes and am having problems there also.

Here are the results from the last full scan on 5/11/09.

"\\?\globalroot\systemroot\system32\UACfsrnxyejglmajyt.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACfsrnxyejglmajyt.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACfsrnxyejglmajyt.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACfsrnxyejglmajyt.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (2892)";"Virus found Win32/Cryptor";""
"\\?\globalroot\systemroot\system32\UACfsrnxyejglmajyt.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\system32\svchost.exe (1212)";"Virus found Win32/Cryptor";""
"\\?\globalroot\systemroot\system32\UACfsrnxyejglmajyt.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (3472)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (2516)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (3932)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (960)";"Virus found Win32/Cryptor";""

I'll await further instructions.

Last edited by EricJ on 13th May 2009, 12:49 pm; edited 1 time in total (Reason for editing : Figured out how to copy and paste scan results to this post.)

Meh, leave Mcafee/Dell, I can do better.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Hijackthis Results...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:46 AM, on 5/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} -
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} -
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} -
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 10427 bytes

Hello.

Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean. Please see here for instructions on how to disable it:

1. Right-click on the Ad-Watch icon in the system tray (located down by the system clock for most configurations)
2. Choose *Settings* from the dropdown menu
3. Under the *General Settings* tab turn OFF (red x) the option to "Load Ad-Watch at Startup" (if enabled)

4. Click on the *Status* button in the left hand menu
5. Turn OFF (red x) the option for *Regshield*
6. Close that window, then right-click on the Ad-Watch icon shield again down in the system tray next to the clock.
7. Choose *Turn off Ad-Watch* from the drop menu

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\sdra64.exe,
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
  O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
  O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
  O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} -
  O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} -
  O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} -
  O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
  O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
  O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
  O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} -
  O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} -
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

• Leave the script box empty.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

3. Please copy/paste the content of c:\avenger.txt into your reply.

Ad-Aware?Ad-Watch did not have a *Settings* option when I right-clicked on it, it did have a *Disable Ad-Watch Live!* option, is this the option to use?

Yep.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Unable to install Malwarebytes. When I double click on the setup icon an Hourglasss pops up like it is going to open, then disappears and nothing else happens. What should I do now?

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

• Please download RootRepeal.zip from here.
  
• Extract the program file to your Desktop.
  
• Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  
  
  
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
  
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  
• When done, click on Save Report
  
• Save it to the Desktop.
  
• Please copy/paste the contents of the report in your next reply.
  

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/14 14:32
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF439A000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B52000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF141B000 Size: 45056 File Visible: No
Status: -

Name: UACbqhohxllldbbaom.sys
Image Path: C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys
Address: 0xF469A000 Size: 77824 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACbqhqbcrgeoxujrk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdqbwuljiufvoqvf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACepoonjxehuqvngw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACfsrnxyejglmajyt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpgrcykcjkxtkipj.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrtlwawirgdowgix.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACycmuwqvnylksdpq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eric\Local Settings\Temp\UACb50a.tmp
Status: Invisible to the Windows API!

SSDT
-------------------
SYSENTER/INT2E Hooked [0x0046a530]!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: winlogon.exe (PID: 664) Address: 0x006a0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: winlogon.exe (PID: 664) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: services.exe (PID: 720) Address: 0x00660000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: services.exe (PID: 720) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: lsass.exe (PID: 732) Address: 0x006f0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: lsass.exe (PID: 732) Address: 0x007e0000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: Ati2evxx.exe (PID: 936) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: Ati2evxx.exe (PID: 936) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 956) Address: 0x007c0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 956) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1060) Address: 0x007c0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1060) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1168) Address: 0x00800000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1168) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1296) Address: 0x007c0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1296) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1432) Address: 0x007c0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1432) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: spoolsv.exe (PID: 1672) Address: 0x00b00000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: spoolsv.exe (PID: 1672) Address: 0x00a30000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: Iexplore.exe (PID: 128) Address: 0x00aa0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: Iexplore.exe (PID: 128) Address: 0x00b70000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: ctfmon.exe (PID: 296) Address: 0x00940000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: ctfmon.exe (PID: 296) Address: 0x00a50000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: ehtray.exe (PID: 116) Address: 0x00a10000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: ehtray.exe (PID: 116) Address: 0x00b30000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: jusched.exe (PID: 324) Address: 0x00cf0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: jusched.exe (PID: 324) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: stsystra.exe (PID: 136) Address: 0x00be0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: stsystra.exe (PID: 136) Address: 0x00cb0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 1140) Address: 0x007e0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 1140) Address: 0x00890000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: DLACTRLW.EXE (PID: 1288) Address: 0x00b20000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: DLACTRLW.EXE (PID: 1288) Address: 0x00a50000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: GoogleDesktop.exe (PID: 1272) Address: 0x00a80000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: GoogleDesktop.exe (PID: 1272) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: hpcmpmgr.exe (PID: 1408) Address: 0x00ae0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: hpcmpmgr.exe (PID: 1408) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: HPWuSchd2.exe (PID: 1416) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: HPWuSchd2.exe (PID: 1416) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: AppleMobileDeviceService.exe (PID: 1500) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: AppleMobileDeviceService.exe (PID: 1500) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: OneTouch.exe (PID: 1540) Address: 0x00b50000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: OneTouch.exe (PID: 1540) Address: 0x00c10000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: GoogleDesktopIndex.exe (PID: 1620) Address: 0x00a20000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: GoogleDesktopIndex.exe (PID: 1620) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: MMDiag.exe (PID: 1640) Address: 0x00c50000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: MMDiag.exe (PID: 1640) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: avgwdsvc.exe (PID: 868) Address: 0x00740000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: avgwdsvc.exe (PID: 868) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: MXOALDR.EXE (PID: 1760) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: MXOALDR.EXE (PID: 1760) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: GoogleDesktopDisplay.exe (PID: 1808) Address: 0x003e0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: GoogleDesktopDisplay.exe (PID: 1808) Address: 0x00b00000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: ehRecvr.exe (PID: 1848) Address: 0x00650000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: ehRecvr.exe (PID: 1848) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: apdproxy.exe (PID: 1868) Address: 0x00af0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: apdproxy.exe (PID: 1868) Address: 0x00bc0000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: ehSched.exe (PID: 1920) Address: 0x00630000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: ehSched.exe (PID: 1920) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: realsched.exe (PID: 1928) Address: 0x00a90000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: realsched.exe (PID: 1928) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: mim.exe (PID: 1916) Address: 0x00ae0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: mim.exe (PID: 1916) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: jqs.exe (PID: 400) Address: 0x00760000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: jqs.exe (PID: 400) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: iTunesHelper.exe (PID: 396) Address: 0x00be0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: iTunesHelper.exe (PID: 396) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: avgrsx.exe (PID: 572) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: avgrsx.exe (PID: 572) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: avgnsx.exe (PID: 1008) Address: 0x007d0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: avgnsx.exe (PID: 1008) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: isuspm.exe (PID: 2544) Address: 0x00ac0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: isuspm.exe (PID: 2544) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 2896) Address: 0x007e0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 2896) Address: 0x00890000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: svchost.exe (PID: 3000) Address: 0x007e0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: svchost.exe (PID: 3000) Address: 0x00890000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: mcrdsvc.exe (PID: 3212) Address: 0x00680000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: mcrdsvc.exe (PID: 3212) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: explorer.exe (PID: 3460) Address: 0x00c60000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: explorer.exe (PID: 3460) Address: 0x00d90000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: dllhost.exe (PID: 3744) Address: 0x006d0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: dllhost.exe (PID: 3744) Address: 0x007a0000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: alg.exe (PID: 4000) Address: 0x00820000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: alg.exe (PID: 4000) Address: 0x00750000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: iPodService.exe (PID: 2452) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: iPodService.exe (PID: 2452) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: Iexplore.exe (PID: 896) Address: 0x00aa0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: Iexplore.exe (PID: 896) Address: 0x00b70000 Size: 45056

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: AcroRd32.exe (PID: 2220) Address: 0x00a80000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: AcroRd32.exe (PID: 2220) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: RootRepeal.exe (PID: 3856) Address: 0x00ef0000 Size: 45056

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: RootRepeal.exe (PID: 3856) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACdqbwuljiufvoqvf.dll]
Process: Iexplore.exe (PID: 3540) Address: 0x00aa0000 Size: 40960

Object: Hidden Module [Name: UACbqhqbcrgeoxujrk.dll]
Process: Iexplore.exe (PID: 3540) Address: 0x00b70000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys

Also...A RootRepeal Error window popped up when scan was done that said: Could not get our real service table pointers!

Details--Warning - the number of SSDT entries from the kernel and the number on-disk are different (284 and 0)

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

3. Please copy/paste the content of c:\avenger.txt into your reply.

I am in the process of following your last instructions. However, when Avenger did it's computer restart the Blue "Windows is starting up..." screen has been stuck for at least 5 minutes. I am able to move the cursor with the mouse. Is this normal or do I need to shut down and repeat your last instructions?

You can try rebooting, but this time, go to safe mode if you know how to do that.

If not, here's how:

• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
  
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
  

When I shut down and restarted I missed the f8 timing. However the Avenger window did come up with the following text:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACbqhohxllldbbaom.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


What's the next step Obi 1?

Try running MBAM now.

No Luck running MBAM. When I double click on the icon an hourglass quickly appears then disappears. Nothing happens. I also tried right-clicking and opening...nothing.

Disabled AVG 8.5. Downloaded Combofix. When I double-click on combofix and then select *Run* nothing happens.

Hello.
Delete your copy of Combofix you have right now.

Now do this. Re-download Combofix again, but before doing so, read this next instructions for renaming Combofix.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Followed latest instructions. ComboFix started it's process...then a "Caution" Window came up that said...

*BleepingComputer.com *ForoSpyware.com *GeeksTogo.com

ComboFix.exe may be downloaded from any of the above sites. If you have downloaded from some other site, there's a likely chance that it may be tainted. For peace of mind, I suggest that you delete the current copy and get a fresh one. I wants me to click *OK*.

What Now?

It's probably an error, because Combofix has some checks it does before running.

One is expiration date, if Combofix isn't the latest version and it detects a new version, it asks that it's downloaded now. Your error is probably because it's renamed, but still run it.

ComboFix 09-05-14.05 - Eric 05/15/2009 5:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.595 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\windows\system32\drivers\UACadwqstivftqsatt.sys
c:\windows\system32\drivers\UACbqhohxllldbbaom.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\UACbqhqbcrgeoxujrk.dll
c:\windows\system32\UACdqbwuljiufvoqvf.dll
c:\windows\system32\UACepoonjxehuqvngw.dat
c:\windows\system32\UACfsrnxyejglmajyt.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACpgrcykcjkxtkipj.log
c:\windows\system32\UACqqoivnnkrabxdmt.dll
c:\windows\system32\UACrtlwawirgdowgix.dll
c:\windows\system32\UACycmuwqvnylksdpq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-14 21:32 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-14 21:32 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-14 21:31 . 2009-05-14 21:32 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-13 13:04 . 2009-05-13 13:04 -------- d-----w c:\program files\Trend Micro
2009-05-12 01:25 . 2009-05-14 11:03 -------- d-----w c:\program files\Mwrbts
2009-05-11 23:27 . 2009-05-11 23:27 -------- d-----w c:\documents and settings\Eric\Application Data\Malwarebytes
2009-05-11 22:03 . 2009-05-13 12:30 -------- d--h--w C:\$AVG8.VAULT$
2009-05-11 03:16 . 2009-05-11 03:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-11 02:56 . 2009-05-11 02:56 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-11 02:56 . 2009-05-11 02:56 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-11 02:55 . 2009-05-11 02:55 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-11 02:55 . 2009-05-11 02:55 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-11 02:55 . 2009-05-11 03:14 -------- d-----w c:\documents and settings\Eric\Application Data\AVGTOOLBAR
2009-05-11 02:54 . 2009-05-11 02:54 -------- d-----w c:\program files\AVG
2009-05-11 02:54 . 2009-05-11 02:54 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-11 02:39 . 2009-05-11 02:30 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-11 02:30 . 2009-05-11 02:30 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-11 02:26 . 2009-05-11 02:26 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-11 02:26 . 2009-05-11 02:26 -------- d-----w c:\program files\Lavasoft
2009-05-11 02:26 . 2009-05-11 02:30 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-10 00:43 . 2009-05-10 00:42 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-07 01:09 . 2009-05-11 02:24 -------- d-----w c:\program files\Registry Easy
2009-05-01 23:17 . 2004-08-10 05:42 77824 ------w c:\windows\system32\brlmw03a.dll
2009-05-01 23:17 . 2009-05-01 23:17 34 ----a-w c:\windows\system32\BD2140.DAT
2009-04-20 23:33 . 2009-04-21 03:32 -------- d-----w C:\Iron 2 Iron Group_Chapel
2009-04-17 03:07 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 03:07 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 03:07 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 03:07 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 03:07 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 03:07 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 03:07 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 03:07 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 03:07 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 03:07 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 03:05 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 03:05 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 03:37 . 2006-04-13 15:56 -------- d-----w c:\program files\Google
2009-05-11 03:35 . 2008-01-05 01:37 -------- d-----w c:\program files\Yahoo!
2009-05-11 03:35 . 2006-04-20 02:05 -------- d-----w c:\program files\Common Files\Scanner
2009-05-11 02:07 . 2006-04-22 10:41 -------- d-----w c:\program files\Brother
2009-05-11 02:07 . 2006-04-13 15:44 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-11 02:06 . 2006-04-13 15:44 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-05-11 02:06 . 2006-04-13 15:44 -------- d-----w c:\program files\Dell
2009-05-10 14:53 . 2008-12-21 13:26 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-10 01:54 . 2006-04-13 15:54 -------- d-----w c:\program files\McAfee
2009-05-10 00:41 . 2006-04-13 15:39 -------- d-----w c:\program files\Java
2009-05-01 23:17 . 2006-04-22 10:41 -------- d-----w c:\program files\Brownie
2009-05-01 23:16 . 2006-04-13 15:44 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 09:18 78336 ----a-w c:\windows\system32\ieencode.dll
2006-12-17 17:41 . 2006-06-20 11:05 88 --sh--r c:\windows\system32\CF1CF066EF.sys
2008-06-11 11:39 . 2006-04-23 01:45 104 --sh--r c:\windows\system32\EF66F01CCF.sys
2008-06-11 11:39 . 2006-06-20 11:05 6686 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-10 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-13 169472]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-08-31 823296]
"MXOBG"="c:\windows\MXOALDR.EXE" [2003-10-10 94208]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-27 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-11 516440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-11 1947928]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\Eric\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-2-22 2301952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-5-14 28672]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-13 24576]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 02:56 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2009 9:30 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/10/2009 9:55 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/10/2009 9:56 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/10/2009 9:54 PM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 953168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c548e726-deef-11dc-8346-001372c78f17}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 02:30]

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\n9q0alme.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 05:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\system32\dllhost.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-15 6:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 11:06

Pre-Run: 13,694,070,784 bytes free
Post-Run: 15,204,970,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

228 --- E O F --- 2009-05-15 08:00


I am also getting a balloon popping up at the bottom of the page stating that my firewall is disabled. Should I turn it back on?

Hello.
Run the instructions in this next post and the balloon alert will stop.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  Windows Registry Editor Version 5.00
  
  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
  "AntiVirusDisableNotify"=-
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
  "EnableFirewall"=dword:00000001
  
  

  
  
• Save this as fix.reg, save it to your desktop.
  
• Double click fix.reg to run it.
  
• Select yes to the registry merge prompt.
  

Task Complete. What next?

Did the firewall come back on? if not, switch it back on manually.

Turned on Windows Firewall Manually.

What next?

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Thank You Very Much.

I just updated AVG and am running a scan. I will follow all of your preventative measures.

I also will do the same for my laptop even though it isn't infected.

I have McAfee also running on my laptop, do I uninstall McAfee before installing the free AVG?

Do I need to set new restore points?

Also, should I delete/uninstall all of the programs you had me download to diagnose and fix (ie: Hijack This, Avenger, RootRepeal, etc)?

Yes, uninstall Mcafee. It is dangerous to have two AV's running at the same time.

You can delete the tools we used.