noob needs some help please

[Primer88]

SDFix: Version 1.240
Run by Administrator on Sun 03/15/2009 at 05:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\asd.txt - Deleted





Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 17:49:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACpyxxnxdq.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACpyxxnxdq.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACbobvcjsk.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACckmtnmyr.dat"
"uaclog"="\\?\globalroot\systemroot\system32\UACgoiweltg.dll"
"uacmask"="\\?\globalroot\systemroot\system32\UACbodsxcnr.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UACuuhrhdlt.dll"
"UACproc"="\\?\globalroot\systemroot\system32\UAConfakayt.log"
"uacurls"="\\?\globalroot\systemroot\system32\UACyevnlcml.log"
"uacerrors"="\\?\globalroot\systemroot\system32\UAChngvpfky.log"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1135660037\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1135660037\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1135660037\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1135660037\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"="C:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe:*:Enabled:Itiva Media Accelerator"
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"="C:\\Program Files\\Java\\jre6\\bin\\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 25 Dec 2005            56 A.SHR --- "C:\i386\8BEC612D50.sys"
Sun 25 Dec 2005         2,828 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 22 Oct 2008       949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008     1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Wed 22 Oct 2008       962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Thu 12 Mar 2009            56 ..SHR --- "C:\WINDOWS\system32\8BEC612D50.sys"
Thu 12 Mar 2009         3,558 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 27 Dec 2005         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun  9 Nov 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu  7 Dec 2006     3,096,576 A..H. --- "C:\Documents and Settings\Tonya\Application Data\U3\temp\Launchpad Removal.exe"
Wed 26 Apr 2006        12,943 A.SH. --- "C:\Documents and Settings\Tonya\My Documents\My Music\License Backup\drmv2key.bak"

Finished!




NOTE*  this part here

Checking Files :

Trojan Files Found:

C:\asd.txt - Deleted

asd.txt was the notepad file I saved in several locations with the instructions you gave me since it wouldn't show up on the desktop in safe mode using the admin account.

[evilfantasy]

OK I think I found what's been hiding.


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
----------

Download

ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

• Under Main: Select Files to Delete choose: Select All.
  
• Click the Empty Selected button.
  
• If you use Firefox browser click Firefox at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• If you use Opera browser click Opera at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

.
Important: Restart the computer before continuing.

----------

This scanner works with Internet Explorer only!

Scan with the BitDefender Online Scanner
Click I Agree to the license and then install the ActiveX control.
Please DO NOT change the Scanning Options.
That will make your logs huge and we don't need to see clean files.
Select Start Scan to begin.
This scan can take a while so please be patient and let it complete.

Once BitDefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report



This will save a file named bdscan.html I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later)
 
You will have to upload the file online. The forums will not accept HTML.

Go to File Dropper

Click Upload
Locate the file and double click it.
Copy the link below Share This Link: and post it back here.

[Primer88]

I will run the instructions above here in just a min.

btw, spyware doctor did a scheduled scan a min ago and this popped up.  Not sure if it means anything.

[evilfantasy]

That is part of ComboFix.

[Primer88]

ran bitdefender and it didn't find anything so I could not generate a report.



I had to uninstall spyware doctor when I uninstalled combofix and left it uninstalled until after running bitdefender. 

The firewall is back on now and I have re-installed spyware doctor.

Anything else?

[evilfantasy]

Maybe Spyware Doctor was interfering with the firewall?

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[Primer88]

I will go through that stuff in a moment.

A few things are not working properly in Firefox now.  My comcast.net home page will not work properly now nor can I check my email.  Also, another forum website I frequent has a chat box at the top which will not load now.  Both of them work fine with IE though.

Also, I've been using WOT in FF for a long time now.  Thanks again for your continued help!

[evilfantasy]

Run Secunia and see if anything needs updated. Then see if the updates fix Firefox.

If not then let me know.

Also give me a link to the forum where the chat box isn't working so I can test it and try to figure out what's wrong.

Also run Dial-a-fix. It may help with the Comcast problem.

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labeled Restrictive Policies
• Check the box in section 1, Empty temp folders.
  
• Check the box in section 2, Fix Windows Installer.
  
• Check the box in section 3, Fix Windows Update.
  
• Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
  
• Check all boxes in section 5, labeled Registration Center.
  
• Click Go
  
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done.

.
Is the problem fixed?

[Primer88]

I'm still running the secunia stuff right now.

The website is www.virtualford.org

[evilfantasy]

I signed up but don't see any chat box?

[evilfantasy]

Nevermind I made a post and it is there now.

[evilfantasy]

Create An Uninstall List

• Start HijackThis
  
• Click on the Open the Misc Tools section
  
• Click on the Open Uninstall Manager button.
  
• Click on the Save list button and specify where you would like to save this file and click Save.
  • When you press Save button a notepad will open with the contents of that file.
• Copy and paste that list in your reply.

[Primer88]

I'm having problems with some of the updates from secunia.  I'll have to deal with the rest of this stuff tomorrow.  I've got work in the morning.

Thanks again for the help.  I'll restart everything from your first secunia post again tomorrow.

[evilfantasy]

OK just let me know which updates you are having issues with.

Also did you run Dial-a-fix?

[Primer88]

I have not had a chance to run dial-a-fix yet but I was able to successfully run the Windows updates (from Microsoft) over night and the problems I was having with my home page and virtualford have gone away.  I will continue the work on the other updates and the other things you suggested when I get home from work.

The firewall has stopped worked again.