
Author Topic: UACd.sys Trojan  (Read 10024 times)


Joop

    Topic Starter


    Rookie

    UACd.sys Trojan
    « on: February 01, 2010, 10:52:55 AM »
    Hi,

    Since the beginning of the year I am experiencing problems on my computer (Windows Vista SP2). Defender won't start, the virus scanner won't run anymore, programs won't install, websites have 'broken links' and programs crash (i.e. GoogleToolbar).
    Now last week, Vista suddenly told me that this was all due to a Trojan named UACD.sys, which seems to be extremely difficult to remove.

    After consulting the web, I was (among others) guided to you guys. I studied 2 similar problems, but since one of you mentioned these problems are unique, I decided to post my own.

    I already went through your start-up cookbook and will append the logs for SAS/MBAM and HJT as text to this message.
    I installed AVAST as a virus scanner, ran CCleaner and updated Java. Note that this was all over the span of 2/3 days.

    I had to rename all my downloads/executables to get them started at all, so whatever is running the show on my computer blocks them by certain keywords or exact names?

    Any help is greatly appreciated!

    Thanks in advance
    -----------------------

    Logs:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/31/2010 at 09:00 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4541
    Trace Rules Database Version: 2353

    Scan type       : Complete Scan
    Total Scan Time : 02:10:11

    Memory items scanned      : 656
    Memory threats detected   : 0
    Registry items scanned    : 8033
    Registry threats detected : 169
    File items scanned        : 184240
    File threats detected     : 81

    Adware.Tracking Cookie

    Rogue.SmartProtector
       C:\Windows\system32\srcr.dat

    Trojan.Agent/Gen-Alureon
       HKU\.DEFAULT\Software\h8srt
       HKU\S-1-5-19\Software\h8srt
       HKU\S-1-5-20\Software\h8srt
       HKU\S-1-5-21-2280200681-2884239558-2584356172-1000\Software\h8srt
       HKU\S-1-5-18\Software\h8srt
       HKLM\Software\H8SRT
       HKLM\Software\H8SRT#affid
       HKLM\Software\H8SRT#subid
       HKLM\Software\H8SRT#type
       HKLM\Software\H8SRT#build
       HKLM\Software\H8SRT#cmddelay
       HKLM\Software\H8SRT#slrd
       HKLM\Software\H8SRT#slrm
       HKLM\Software\H8SRT\connections
       HKLM\Software\H8SRT\connections#925b3039
       HKLM\Software\H8SRT\connections#784d43e
       HKLM\Software\H8SRT\connections#9d0ed33a
       HKLM\Software\H8SRT\connections#dfbfa93a
       HKLM\Software\H8SRT\connections#1feaa9a4
       HKLM\Software\H8SRT\disallowed
       HKLM\Software\H8SRT\disallowed#trsetup.exe
       HKLM\Software\H8SRT\disallowed#ViewpointService.exe
       HKLM\Software\H8SRT\disallowed#ViewMgr.exe
       HKLM\Software\H8SRT\disallowed#SpySweeper.exe
       HKLM\Software\H8SRT\disallowed#SUPERAntiSpyware.exe
       HKLM\Software\H8SRT\disallowed#SpySub.exe
       HKLM\Software\H8SRT\disallowed#SpywareTerminatorShield.exe
       HKLM\Software\H8SRT\disallowed#SpyHunter3.exe
       HKLM\Software\H8SRT\disallowed#XoftSpy.exe
       HKLM\Software\H8SRT\disallowed#SpyEraser.exe
       HKLM\Software\H8SRT\disallowed#otscanit.exe
       HKLM\Software\H8SRT\disallowed#mbam.exe
       HKLM\Software\H8SRT\disallowed#mbam-setup.exe
       HKLM\Software\H8SRT\disallowed#flash_disinfector.exe
       HKLM\Software\H8SRT\disallowed#otmoveit2.exe
       HKLM\Software\H8SRT\disallowed#smitfraudfix.exe
       HKLM\Software\H8SRT\disallowed#prevxcsifree.exe
       HKLM\Software\H8SRT\disallowed#download_mbam-setup.exe
       HKLM\Software\H8SRT\disallowed#cbo_setup.exe
       HKLM\Software\H8SRT\disallowed#spywareblastersetup.exe
       HKLM\Software\H8SRT\disallowed#rminstall.exe
       HKLM\Software\H8SRT\disallowed#sdsetup.exe
       HKLM\Software\H8SRT\disallowed#vundofixsvc.exe
       HKLM\Software\H8SRT\disallowed#daft.exe
       HKLM\Software\H8SRT\disallowed#gmer.exe
       HKLM\Software\H8SRT\disallowed#catchme.exe
       HKLM\Software\H8SRT\disallowed#mcpr.exe
       HKLM\Software\H8SRT\disallowed#sdfix.exe
       HKLM\Software\H8SRT\disallowed#hjtinstall.exe
       HKLM\Software\H8SRT\disallowed#fixpolicies.exe
       HKLM\Software\H8SRT\disallowed#emergencyutil.exe
       HKLM\Software\H8SRT\disallowed#techweb.exe
       HKLM\Software\H8SRT\disallowed#GoogleUpdate.exe
       HKLM\Software\H8SRT\disallowed#windowsdefender.exe
       HKLM\Software\H8SRT\disallowed#spybotsd.exe
       HKLM\Software\H8SRT\disallowed#klif.sys
       HKLM\Software\H8SRT\disallowed#pctssvc.sys
       HKLM\Software\H8SRT\disallowed#pctcore.sys
       HKLM\Software\H8SRT\disallowed#mchinjdrv.sys
       HKLM\Software\H8SRT\disallowed#szkg.sys
       HKLM\Software\H8SRT\disallowed#sasdifsv.sys
       HKLM\Software\H8SRT\disallowed#saskutil.sys
       HKLM\Software\H8SRT\disallowed#sasenum.sys
       HKLM\Software\H8SRT\disallowed#ccHPx86.sys
       HKLM\Software\H8SRT\disallowed#mbamswissarmy.sys
       HKLM\Software\H8SRT\disallowed#mbam.sys
       HKLM\Software\H8SRT\disallowed#acs.exe
       HKLM\Software\H8SRT\disallowed#op_mon.exe
       HKLM\Software\H8SRT\disallowed#shWebSv.exe
       HKLM\Software\H8SRT\disallowed#ashmaiSv.exe
       HKLM\Software\H8SRT\disallowed#imapi.exe
       HKLM\Software\H8SRT\disallowed#aswUpdSv.exe
       HKLM\Software\H8SRT\disallowed#ashServ.exe
       HKLM\Software\H8SRT\disallowed#ashDisp.exe
       HKLM\Software\H8SRT\disallowed#avast.exe
       HKLM\Software\H8SRT\disallowed#avgemc.exe
       HKLM\Software\H8SRT\disallowed#avgwdsvc.exe
       HKLM\Software\H8SRT\disallowed#avgyray.exe
       HKLM\Software\H8SRT\disallowed#avgrsx.exe
       HKLM\Software\H8SRT\disallowed#avcenter.exe
       HKLM\Software\H8SRT\disallowed#avgnt.exe
       HKLM\Software\H8SRT\disallowed#sched.exe
       HKLM\Software\H8SRT\disallowed#avguard.exe
       HKLM\Software\H8SRT\disallowed#Combofix.exe
       HKLM\Software\H8SRT\disallowed#FAMEH32.exe
       HKLM\Software\H8SRT\disallowed#FCH32.exe
       HKLM\Software\H8SRT\disallowed#fsaua.exe
       HKLM\Software\H8SRT\disallowed#fsav32.exe
       HKLM\Software\H8SRT\disallowed#fsdfwd.exe
       HKLM\Software\H8SRT\disallowed#fsgk32.exe
       HKLM\Software\H8SRT\disallowed#fsgk32st.exe
       HKLM\Software\H8SRT\disallowed#fsguidll.exe
       HKLM\Software\H8SRT\disallowed#FSM32.EXE
       HKLM\Software\H8SRT\disallowed#FSMA32.EXE
       HKLM\Software\H8SRT\disallowed#FSMB32.EXE
       HKLM\Software\H8SRT\disallowed#fspc.exe
       HKLM\Software\H8SRT\disallowed#fsqh.exe
       HKLM\Software\H8SRT\disallowed#fssm32.exe
       HKLM\Software\H8SRT\disallowed#fsus.exe
       HKLM\Software\H8SRT\disallowed#avp.exe
       HKLM\Software\H8SRT\disallowed#nod32krn.exe
       HKLM\Software\H8SRT\disallowed#nod32kui.exe
       HKLM\Software\H8SRT\disallowed#CCSVCHST.exe
       HKLM\Software\H8SRT\disallowed#AluSchedulerSvc.exe
       HKLM\Software\H8SRT\disallowed#oahlp.exe
       HKLM\Software\H8SRT\disallowed#oasrv.exe
       HKLM\Software\H8SRT\disallowed#oacat.exe
       HKLM\Software\H8SRT\disallowed#oaui.exe
       HKLM\Software\H8SRT\disallowed#PF6.exe
       HKLM\Software\H8SRT\disallowed#pfsvc.exe
       HKLM\Software\H8SRT\disallowed#SCFManager.exe
       HKLM\Software\H8SRT\disallowed#SavService.exe
       HKLM\Software\H8SRT\disallowed#ALsvc.exe
       HKLM\Software\H8SRT\disallowed#SAVAdminService.exe
       HKLM\Software\H8SRT\disallowed#ALMon.exe
       HKLM\Software\H8SRT\disallowed#SCFService.exe
       HKLM\Software\H8SRT\disallowed#SAService.exe
       HKLM\Software\H8SRT\disallowed#McNASvc.exe
       HKLM\Software\H8SRT\disallowed#McProxy.exe
       HKLM\Software\H8SRT\disallowed#Mcshield.exe
       HKLM\Software\H8SRT\disallowed#MpfSrv.exe
       HKLM\Software\H8SRT\disallowed#msksrver.exe
       HKLM\Software\H8SRT\disallowed#mcagent.exe
       HKLM\Software\H8SRT\disallowed#SiteAdv.exe
       HKLM\Software\H8SRT\disallowed#mcmscsvc.exe
       HKLM\Software\H8SRT\disallowed#mcregist.exe
       HKLM\Software\H8SRT\disallowed#mcsysmon.exe
       HKLM\Software\H8SRT\disallowed#Smc.exe
       HKLM\Software\H8SRT\disallowed#Rtvscan.exe
       HKLM\Software\H8SRT\disallowed#SmcGui.exe
       HKLM\Software\H8SRT\disallowed#SymCorpUI.exe
       HKLM\Software\H8SRT\disallowed#PavPrSrv.exe
       HKLM\Software\H8SRT\disallowed#PslmSvc.exe
       HKLM\Software\H8SRT\disallowed#PsCrtlS.exe
       HKLM\Software\H8SRT\disallowed#PAVSRV51.EXE
       HKLM\Software\H8SRT\disallowed#AVENGINE.EXE
       HKLM\Software\H8SRT\disallowed#ApVxdWin.exe
       HKLM\Software\H8SRT\disallowed#WebProxy.exe
       HKLM\Software\H8SRT\disallowed#spiderml.exe
       HKLM\Software\H8SRT\disallowed#spiderui.exe
       HKLM\Software\H8SRT\disallowed#drwebbscd.exe
       HKLM\Software\H8SRT\disallowed#MpCmdRun.exe
       HKLM\Software\H8SRT\disallowed#MsMpEng.exe
       HKLM\Software\H8SRT\disallowed#TeaTimer.exe
       HKLM\Software\H8SRT\disallowed#sdra64.exe
       HKLM\Software\H8SRT\disallowed#avgtrey.exe
       HKLM\Software\H8SRT\disallowed#avg.exe
       HKLM\Software\H8SRT\disallowed#mcvsshld.exe
       HKLM\Software\H8SRT\disallowed#mcuimgr.exe
       HKLM\Software\H8SRT\disallowed#mcshell.exe
       HKLM\Software\H8SRT\disallowed#mcods.exe
       HKLM\Software\H8SRT\disallowed#avgtrày.exe
       HKLM\Software\H8SRT\disallowed#msseces.exe
       HKLM\Software\H8SRT\disallowed#MSASCui.exe
       HKLM\Software\H8SRT\disallowed#MsMpRes.dll
       HKLM\Software\H8SRT\disallowed#MpClient.Dll
       HKLM\Software\H8SRT\disallowed#MpRtMon.DLL
       HKLM\Software\H8SRT\disallowed#pev.exe
       HKLM\Software\H8SRT\disallowed#KDSsetap.exe
       HKLM\Software\H8SRT\disallowed#BDTUpdateService.exe
       HKLM\Software\H8SRT\disallowed#pctsAuxs.exe
       HKLM\Software\H8SRT\disallowed#pctsGui.exe
       HKLM\Software\H8SRT\disallowed#pctsSvc.exe
       HKLM\Software\H8SRT\disallowed#pctsTray.exe
       HKLM\Software\H8SRT\injector
       HKLM\Software\H8SRT\injector#*
       HKLM\Software\H8SRT\versions
       HKLM\Software\H8SRT\versions#/css/crcmds/install
       HKLM\Software\H8SRT\versions#/css/crcmds/extra

    Adware.MyWebSearch
       D:\DOWNLOADS\SMILEYCENTRALPFSETUP2.3.50.10.ZNFOX000.EXE


    ===================================================================

    Malwarebytes' Anti-Malware 1.44
    Database version: 3673
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18882

    1-2-2010 18:17:54
    mbam-log-2010-02-01 (18-17-54).txt

    Scan type: Quick Scan
    Objects scanned: 160779
    Time elapsed: 9 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\ProgramData\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\System32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\ProgramData\h8srtkrl32mainweq.dll (Rootkit.Trace) -> Delete on reboot.



    ===================================================================


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:28:58, on 1-2-2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HJT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.intl.acer.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nl.intl.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - *{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
    R3 - URLSearchHook: (no name) - *{EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - *{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - (no file)
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Lana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    O13 - Gopher Prefix:
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: ccXgui - [XC]D-Ice - C:\Program Files\ccxgui\ccXservice.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8075 bytes
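An added example, not code from the thread or from SUPERAntiSpyware: a parser for the scan-log layout posted above that pulls the value names out of the H8SRT `disallowed` key in the Alureon detection, which is the list of security-tool file names the rootkit refuses to start and explains why renaming the downloads let them run. The log excerpt is constructed from entries in the log above.

```python
"""Parse a SUPERAntiSpyware scan log and list the tools an Alureon/TDSS
(H8SRT) infection blocks by file name."""

# Constructed excerpt in the layout of the SAS log above; the entries are
# taken from that log, the cookie list is cut down to one line.
SAS_LOG = r"""
SUPERAntiSpyware Scan Log
Generated 01/31/2010 at 09:00 PM

Adware.Tracking Cookie
   C:\Users\Lana\AppData\Roaming\Microsoft\Windows\Cookies\lana@atdmt[1].txt

Rogue.SmartProtector
   C:\Windows\system32\srcr.dat

Trojan.Agent/Gen-Alureon
   HKLM\Software\H8SRT
   HKLM\Software\H8SRT#affid
   HKLM\Software\H8SRT\disallowed
   HKLM\Software\H8SRT\disallowed#mbam.exe
   HKLM\Software\H8SRT\disallowed#SUPERAntiSpyware.exe
   HKLM\Software\H8SRT\disallowed#Combofix.exe
   HKLM\Software\H8SRT\disallowed#windowsdefender.exe
   HKLM\Software\H8SRT\disallowed#sasdifsv.sys
   HKLM\Software\H8SRT\injector#*
"""


def parse_sas_log(text):
    """Return {detection category: [items]}.

    In the SAS layout a category is a line with no leading whitespace and its
    items are the indented lines that follow.  Header lines such as the
    "Generated ..." stamp have no indented lines under them and are dropped.
    """
    findings = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                findings[current].append(raw.strip())
        else:
            current = raw.strip()
            findings.setdefault(current, [])
    return {cat: items for cat, items in findings.items() if items}


def split_registry_item(item):
    """SAS writes registry values as KEY#VALUENAME; keys alone have no '#'."""
    key, sep, value = item.partition("#")
    return (key, value if sep else None)


def blocked_tools(findings):
    """File names stored as value names under any ...\\disallowed key."""
    names = []
    for items in findings.values():
        for item in items:
            if not item.upper().startswith("HK"):
                continue  # file-system paths, not registry entries
            key, value = split_registry_item(item)
            if value is not None and key.lower().endswith("\\disallowed"):
                names.append(value)
    return names


def would_be_blocked(filename, blocked):
    """True if the name matches an entry exactly (case-insensitively); a
    renamed copy of the same tool therefore is not matched."""
    wanted = filename.lower()
    return any(wanted == name.lower() for name in blocked)


if __name__ == "__main__":
    findings = parse_sas_log(SAS_LOG)
    for category, items in findings.items():
        print(f"{category}: {len(items)} item(s)")
    blocked = blocked_tools(findings)
    print("Tools the rootkit refuses to start:", ", ".join(blocked))
    for name in ("mbam.exe", "mbam-renamed.exe"):
        state = "blocked" if would_be_blocked(name, blocked) else "allowed"
        print(f"{name}: {state}")
```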

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: UACd.sys Trojan
    « Reply #1 on: February 01, 2010, 03:57:11 PM »
    Please download RootRepeal from GooglePages.com.
    • Extract the program file to your Desktop.
    • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
    • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
    • When done, click on Save Report
    • Save it to the Desktop.
    • Please copy/paste the contents of the report in your next reply.
    Please remove any e-mail address in the RootRepeal report (if present).
    ~Dr Jay

    Joop


      Re: UACd.sys Trojan
      « Reply #2 on: February 02, 2010, 12:39:01 PM »
      Hi

      I downloaded RootRepeal and executed it like you indicated and got the famous blue screen. I actually tried it 3 times (also with firewall and avast disabled, no luck).

      However, I don't know whether they are related, but now, all of a sudden, my explorer (folder overview, not internet) died and kept dying, which made my user useless. It was like a repeated process: a popup that explorer died, and then the icon bar and my desktop contents vanished, came back and started over. It really got to me now.

      Luckily, this only happens to the user I was running RootRepeal in, I have a few users left to perform some tasks in.

      In the meantime, I'm performing a backup of all my data onto an external hard drive, so that if it gets to me on the other users, I can perform a complete new install. Should I be worried that I copy something harmful while at it?

      Thanks!


      Dr Jay

      Re: UACd.sys Trojan
      « Reply #3 on: February 02, 2010, 02:19:37 PM »
      Just copy documents, videos, pictures, and music only. Do not copy programs.

      It is a good idea to copy down the name of all of your programs.

      If you would like to do that, go ahead.

      I do have alternate utilities that can scan and make sure the computer gets cleaned. We are not stuck. ;)
      ~Dr Jay

      Joop


        Re: UACd.sys Trojan
        « Reply #4 on: February 02, 2010, 11:49:01 PM »
        I've done just that, copied only the Users content.

        I'll make a list of the programs I use now, just in case.

        But, if you still have ideas, let's proceed and try to beat this thing. I'm still in for it :)

        Dr Jay

        Re: UACd.sys Trojan
        « Reply #5 on: February 03, 2010, 08:34:38 AM »
        Ok, go ahead...
        ~Dr Jay

        Joop


          Re: UACd.sys Trojan
          « Reply #6 on: February 03, 2010, 08:54:56 AM »
          Which tool do I need to execute in order to gather data for you?

          Dr Jay

          Re: UACd.sys Trojan
          « Reply #7 on: February 03, 2010, 09:03:10 AM »
          You don't need to gather data for me, but for yourself.

          Save it to a CD or external drive, etc.

          Then, if you wish to reformat and reinstall, go ahead.
          ~Dr Jay

          Joop


            Re: UACd.sys Trojan
            « Reply #8 on: February 03, 2010, 10:22:00 AM »
            Hi,

            Most likely we misunderstood each other. The saving of my data to my external HD is just to be sure, not because I want to give up.
            Reformatting/installing is a last resort to me.

            But you mentioned that you were not out of ideas to continue. So I want to continue as well.

            So, unless you think reinstalling is what I should do, please give me some tools I can run.

            Thanks.

            Dr Jay

            Re: UACd.sys Trojan
            « Reply #9 on: February 03, 2010, 12:08:59 PM »
            Please visit this webpage for a tutorial on downloading and running ComboFix:

            http://www.bleepingcomputer.com/combofix/how-to-use-combofix

            See the area: Using ComboFix, and when done, post the log back here.
            ~Dr Jay

            Joop


              Re: UACd.sys Trojan
              « Reply #10 on: February 03, 2010, 02:38:51 PM »
              Hi,

              It took me a while to find the program, since our enemy denies me access to the bleepingcomputer website. At last, in an earlier topic on UACd.sys on this site, I found another link where I was able to find and download it.

              Also, once I had it on my desktop, I had to rename it to get it going.

              The log is attached. Have fun.

              [Saving space, attachment deleted by admin]

              Dr Jay

              Re: UACd.sys Trojan
              « Reply #11 on: February 03, 2010, 09:44:50 PM »
              Hi again. Please do these steps in order.

              1. Please download TFC by OldTimer to your desktop
              • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
              • It will close all programs when run, so make sure you have saved all your work before you begin.
              • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
              • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
              2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
              Alternate link: BleepingComputer.com.
              (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

              Double Click mbam-setup.exe to install the application.

              (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
              • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
              • If an update is found, it will download and install the latest version.
              • Once the program has loaded, select "Perform Full Scan", then click Scan.
              • The scan may take some time to finish, so please be patient.
              • When the scan is complete, click OK, then Show Results to view the results.
              • Make sure that everything is checked, and click Remove Selected.
              • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
              • Please save the log to a location you will remember.
              • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
              • Copy and paste the entire report in your next reply.
              Extra Note:

              If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

              3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

              http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

              Post the log from SUPERAntiSpyware when you've accomplished that.

              4. Please run a free online scan with the ESET Online Scanner
              • Tick the box next to YES, I accept the Terms of Use
              • Click Start
              • When asked, allow the ActiveX control to install
              • Click Start
              • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
              • Click Scan (This scan can take several hours, so please be patient)
              • Once the scan is completed, you may close the window
              • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
              • Copy and paste that log as a reply to this topic

              5. Post the following in your next reply:
              • MBAM log
              • SAS log
              • ESET log
              And, please tell me how your computer is doing.
              ~Dr Jay

              Joop


                Re: UACd.sys Trojan
                « Reply #12 on: February 04, 2010, 02:08:28 PM »
                Hi,

                First this, only after I replied to you yesterday, I realized that MS defender didn't crash anymore and that I could visit any website I needed again. So, ComboFix did a *censored* of a job. Thanks very much for that suggestion  :).

                I executed the tools you suggested. The log of all 3 is attached.

                I experienced the following little problem:

                Malwarebytes would not perform an update -> error code 732 (2,0) Can't find file
                Last update was from 1/31/10. Hope that's not too old.
                Other funny thing: when I was ready to exit the program, it died on me???

                After all was done I rebooted the PC and my initial problem seems to be solved.

                However, on the one user I ran RootRepeal on, my explorer.exe keeps on dying. Vista pops up the message with the following description and suggestions:

                **** Problem with Power Cinema (a codec file named CLDemuxer.ax)
                Suggestion 1: go to CyberLink Corp. and check for updates to CLDemuxer.ax
                Suggestion 2: use regsvr32 to undo the registration of CLDemuxer.ax

                Now I need your advice on this:
                1. How do you think I should attack this?
                2. I can't execute this on the infected user, so will it help if I execute it on another user that does not have the problem?

                Hope you will also help me out of this fix. Thanks again!

                [Saving space, attachment deleted by admin]

                Dr Jay

                Re: UACd.sys Trojan
                « Reply #13 on: February 04, 2010, 05:48:34 PM »
                No biggie. The rootkit is just acting up.

                Download this << file >> and extract TDSSKiller.exe onto your Desktop.

                Then create this batch file, to be placed next to TDSSKiller.

                =====

                Open NOTEPAD.exe and copy/paste the text in the box below into it:
                Code:
                @ECHO OFF
                REM Run TDSSKiller, wait for it to finish, and have it write a verbose log to Logit.txt
                START /WAIT TDSSKILLER.exe -l Logit.txt -v
                REM Open the log in the default text editor
                START Logit.txt
                REM Delete this batch file once it has run
                del %0
                Save this as fix.bat and choose "Save as type - All Files".
                It should look like this:
                Double click on fix.bat & allow it to run

                Post back to tell me what it says.
                ~Dr Jay
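                An added example, not part of the thread and not Dr Jay's fix.bat: earlier in this thread the rootkit blocked downloaded tools by their exact executable name, and the only workaround was renaming them by hand. This batch file generalizes the wrapper above by copying TDSSKiller.exe to a random filename before running it, checking that the copy and the log actually appeared, and removing the copy afterwards. It assumes TDSSKiller.exe sits in the same folder as the script and accepts the same -l/-v switches used in fix.bat; the copy name, log name and the checks are this example's own choices.

```batch
@ECHO OFF
SETLOCAL
REM Added example (not from the thread). Runs TDSSKiller through a copy with a
REM random filename, because the rootkit discussed here blocks tools by exact
REM executable name. Assumes TDSSKiller.exe is in the same folder as this script.
SET "TOOL=%~dp0TDSSKiller.exe"
IF NOT EXIST "%TOOL%" (
    ECHO TDSSKiller.exe was not found next to this script.
    EXIT /B 1
)

REM Two RANDOM values make the name harder to guess than a single one.
SET "TAG=%RANDOM%%RANDOM%"
SET "RUNCOPY=%~dp0t%TAG%.exe"
SET "LOGFILE=%~dp0tdss_%TAG%.txt"

REM Copy rather than rename, so the original download is left untouched.
COPY /Y "%TOOL%" "%RUNCOPY%" >NUL
IF ERRORLEVEL 1 (
    ECHO Could not create a renamed copy of the tool.
    EXIT /B 1
)

REM Run the copy and wait for it. The empty "" is the window title that START
REM expects as its first argument when the program path is quoted.
START "" /WAIT "%RUNCOPY%" -l "%LOGFILE%" -v
SET "RC=%ERRORLEVEL%"

REM A missing log means the tool never got to run properly; report the exit code.
IF EXIST "%LOGFILE%" (
    START "" notepad.exe "%LOGFILE%"
) ELSE (
    ECHO No log was written; the tool returned exit code %RC%.
)

REM Remove the renamed copy; the log stays behind for posting to the thread.
DEL /Q "%RUNCOPY%"
ENDLOCAL
```

                Save it with "Save as type - All Files" as in the post above and, on Vista, right-click it and choose Run As Administrator, the same way TFC was run earlier in this thread; the log file keeps the random tag in its name so it is not clobbered by a second run.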

                Joop


                  Re: UACd.sys Trojan
                  « Reply #14 on: February 05, 2010, 10:19:51 AM »
                  I did what you asked me; it was done in a few seconds.

                  Output is attached.

                  Hope you find something. Thanks again.

                  [Saving space, attachment deleted by admin]