Unsolved
This post is more than 5 years old
2 Posts
0
1256
Possible UACd.sys Trojan Can't open Malwarebytes’ Anti-Malware
I think I have the "windows-click" virus. I have read through this forum and tried to follow some of the suggestions. I ran the AFT-cleaner, but I am not able to execute. Malwarebytes’ Anti-Malware. Nothing happens. Here is my HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:45 PM, on 8/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Family\Desktop\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Accelerated&userName=stardancer571215&firstName=Elisabeth&qs=EECOLGOPCLBJOPNHCFKMDCICHJPANMECKGAMLCODDGFGHPJFFPBPEMPJLABHNJHCFKNLKBMPGGGBDHKGHEKHCHLCPMOPKPAKGBHMDJGKMPLBJGJHFCLLNAACPLIPJJPN|AJGNFMBEDGNMCNOPADEEAAGO
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=tw&l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VIP Anonymity] C:\Program Files\VIP Defense\VIP Anonymity\VIPAnonymity.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Æô¶¯·ÉËÙÍÁ¶¹.lnk = C:\Program Files\Tudou\Tudou\TudouVa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Accelerated&userName=stardancer571215&firstName=Elisabeth&qs=EECOLGOPCLBJOPNHCFKMDCICHJPANMECKGAMLCODDGFGHPJFFPBPEMPJLABHNJHCFKNLKBMPGGGBDHKGHEKHCHLCPMOPKPAKGBHMDJGKMPLBJGJHFCLLNAACPLIPJJPN|AJGNFMBEDGNMCNOPADEEAAGO
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/27.38/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://contentpurity.net/xp/ScanFile.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_4.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Microsoft Security Center Extension (msscenter) - Unknown owner - C:\WINDOWS\system32\msscntr32.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 6993 bytes
Bugbatter
3 Apprentice
3 Apprentice
•
20.5K Posts
0
August 19th, 2009 09:00
Welcome :emotion-1:
I'm sorry we could not get to your problem sooner. Thank you for waiting patiently. Just so you do not have to wait longer, I suggest posting a HijackThis log at SpywareHammer.There are instructions HERE for posting at SpywareHammer. The site has many Microsoft MVP's on staff and helpers there may be able to assist you with cleaning and attaching requested files sooner than we can here.
Additional forums that offer malware removal can be found at this link in the recommended sites section on the left side of this page: http://hjt-data.trendmicro.com/hjt/analyzethis/index.php
Please post at only ONE so you do not tie up two or more helpers working on the same issue. Thank you for your patience and understanding.
Formosan80
2 Posts
0
August 19th, 2009 09:00
Hi,
Thank you for your post. I actually was able to solve the problem. Turns out I had a rootkit. I was able to download Anti-Malware onto my flash drive at work and then change the name to some random characters and then run it from the flash drive at home. This helped to removed the rootkit and the UACd.sys trojan. Thank you for your help. The messages on this forum were very helpful.
Bugbatter
3 Apprentice
3 Apprentice
•
20.5K Posts
0
August 19th, 2009 10:00
Thank you for letting us know. It still may be a good idea to have a follow-up log reviewed to make sure there are no remnants lurking anywhere. but I'll leave that up to you. If you do choose to do that, let your helper know the name of the rootkit. He will be familiar with how that one behaves.
NOTE: The issue has been resolved, so this thread is now closed. Everyone else who is having a similar issue, please begin a New Message at the top of the forum.