
Author Topic: online scan to get rid of "packed.generic.200"?  (Read 10183 times)


Kando

    Topic Starter


    Hopeful

    Thanked: 2
    • Experience: Experienced
    • OS: Windows 8
    Re: online scan to get rid of "packed.generic.200"?
    « Reply #15 on: May 20, 2009, 10:21:01 PM »
    Many things have happened. After MoveIt ran and I rebooted, the Avenger log came up:

    Avenger log-

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform:  Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.

    Hidden driver "UACd.sys" found!
    ImagePath:  \systemroot\system32\drivers\UACrhbyyetusiutewx.sys
    Start Type:  1 (System)

    Rootkit scan completed.


    Completed script processing.

    *******************

    Finished!  Terminate.

    Then the MoveIt log came up:

    MoveIt log-
    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== SERVICES/DRIVERS ==========
    Service\Driver UACd not found.
    Service\Driver UACd not found.
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules\\ not found.
    Unable to delete registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules\\ .
    ========== FILES ==========
    File/Folder \\?\globalroot\systemroot\system32\uacnmsfijuybienyic.dll not found.
    ========== COMMANDS ==========
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    Network Service Temporary Internet Files folder emptied.
    Windows Temp folder emptied.
    Temp folders emptied.
    Explorer started successfully
     
    OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05202009_222711

    Files moved on Reboot...

    THEN AVG came up and said that there were infections and did I want to move them to the vault. I clicked yes but it said access denied and did I want to delete them. I clicked yes and they were deleted. I checked the vault to be sure, and they were there. I deleted the contents of the vault.

    And finally Norton360 popped up and said that Backdoor.tidserv was detected and that a restart was needed. I did that but the Norton360 alert came up again.

    I checked the info that Norton had and it shows the affected areas as: 2 services, 15 files, 6 registry entries, 3 system actions and 1 browser cache.

    A lot of progress but it looks like new problems are appearing.

    Kando

      Re: online scan to get rid of "packed.generic.200"?
      « Reply #16 on: May 20, 2009, 10:27:33 PM »
      On a whim I clicked on Malwarebytes setup and it opened up and ran through the install with no problems. It is scanning now...got my fingers crossed.

      Kando

        Re: online scan to get rid of "packed.generic.200"?
        « Reply #17 on: May 20, 2009, 11:37:59 PM »
        Whew, almost an hour scanning and Malwarebytes found 9 things, and they were removed. I rebooted and so far nothing has popped up again. Below is the log:

        Malwarebytes' Anti-Malware 1.36
        Database version: 1945
        Windows 5.1.2600 Service Pack 3

        5/21/2009 1:24:12 AM
        mbam-log-2009-05-21 (01-24-12).txt

        Scan type: Full Scan (C:\|)
        Objects scanned: 142272
        Time elapsed: 54 minute(s), 49 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 4
        Registry Values Infected: 0
        Registry Data Items Infected: 2
        Folders Infected: 0
        Files Infected: 3

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP0\A0000007.exe (Adware.Cinmus) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
        C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.

        Success? I certainly hope so. Thanks for all the help

        Kando

          Re: online scan to get rid of "packed.generic.200"?
          « Reply #18 on: May 21, 2009, 06:10:31 AM »
          Woke up at 4:30 and the Norton360 scan was done. There were only tracking cookies and those were deleted easily. I will be running the scans on all of the accounts on the laptop, but it looks good for the infections to be gone.

          I will let you know if anything bad is found again, but for now


          THANK YOU EVILFANTASY!!

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: online scan to get rid of "packed.generic.200"?
          « Reply #19 on: May 21, 2009, 10:14:43 AM »
          Glad it finally worked.

          Let's run another scan just to double check.

          Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          **Note:  It is important that it is saved directly to your Desktop.

          Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
           
          Double click combofix.exe & follow the prompts.
          Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
          When finished ComboFix will produce a log for you.
          Post the ComboFix log in your next reply.

          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          If you have problems with ComboFix usage, see How to use ComboFix

          Kando

            Re: online scan to get rid of "packed.generic.200"?
            « Reply #20 on: May 21, 2009, 11:33:16 AM »
            Here is the Combofix log

            ComboFix 09-05-19.08 - Joe 05/21/2009 13:13.1 - NTFSx86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.413 [GMT -4:00]
            Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
            AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
            AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
            FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

            WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\windows\setup.exe

            .
            (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            -------\Service_UACd.sys


            (((((((((((((((((((((((((   Files Created from 2009-04-21 to 2009-05-21  )))))))))))))))))))))))))))))))
            .

            2009-05-21 17:14 . 2009-05-21 17:14   6736   ----a-w   c:\windows\system32\drivers\PROCEXP90.SYS
            2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\documents and settings\kevin\Application Data\Malwarebytes
            2009-05-21 04:25 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
            2009-05-21 04:25 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
            2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
            2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
            2009-05-21 02:27 . 2009-05-21 02:27   --------   d-----w   C:\_OTMoveIt
            2009-05-18 19:19 . 2009-05-18 19:19   --------   d-----w   c:\program files\Driver Magician Lite
            2009-05-17 18:59 . 2009-05-17 19:00   --------   d-----w   c:\documents and settings\kevin
            2009-05-17 17:06 . 2009-05-17 17:54   --------   d-----w   c:\documents and settings\Joe\.housecall6.6
            2009-05-17 16:00 . 2009-05-17 15:36   15688   ----a-w   c:\windows\system32\lsdelete.exe
            2009-05-17 15:36 . 2009-05-17 15:35   64160   ----a-w   c:\windows\system32\drivers\Lbd.sys
            2009-05-17 15:35 . 2009-05-21 12:24   --------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
            2009-05-17 15:35 . 2009-05-21 17:21   --------   d-----w   c:\program files\Spybot - Search & Destroy
            2009-05-17 15:34 . 2009-05-17 15:34   --------   dc-h--w   c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
            2009-05-17 15:34 . 2009-05-17 15:34   --------   d-----w   c:\program files\Lavasoft
            2009-05-17 15:34 . 2009-05-17 15:36   --------   d-----w   c:\documents and settings\All Users\Application Data\Lavasoft
            2009-05-17 15:28 . 2009-05-17 15:28   --------   d-----w   c:\program files\Windows Media Connect 2
            2009-05-17 15:26 . 2009-05-17 15:27   --------   d-----w   c:\windows\system32\drivers\UMDF
            2009-05-17 15:26 . 2009-05-17 15:26   --------   d-----w   c:\windows\system32\LogFiles
            2009-05-15 02:17 . 2009-05-21 04:55   --------   d--h--w   C:\$AVG8.VAULT$
            2009-05-15 02:13 . 2009-05-15 02:13   11952   ----a-w   c:\windows\system32\avgrsstx.dll
            2009-05-15 02:13 . 2009-05-15 02:13   108552   ----a-w   c:\windows\system32\drivers\avgtdix.sys
            2009-05-15 02:13 . 2009-05-15 02:13   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
            2009-05-15 02:13 . 2009-05-17 16:24   --------   d-----w   c:\windows\system32\drivers\Avg
            2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\program files\AVG
            2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\documents and settings\All Users\Application Data\avg8
            2009-05-14 23:16 . 2009-05-14 23:16   53248   ----a-w   c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2009-05-21 17:25 . 2005-12-16 08:32   --------   d-----w   c:\program files\Common Files\Symantec Shared
            2009-05-21 05:24 . 2008-10-24 20:38   --------   d-----w   c:\program files\Common
            2009-05-17 15:25 . 2005-12-16 05:28   --------   d-----w   c:\program files\Windows Media Connect
            2009-05-17 15:25 . 2007-01-14 14:47   126   ----a-w   c:\documents and settings\Joe\Local Settings\Application Data\fusioncache.dat
            2009-05-16 01:39 . 2005-12-16 08:28   --------   d-----w   c:\program files\Quicken
            2009-04-18 14:36 . 2008-10-26 18:36   --------   d-----w   c:\program files\Norton 360
            2009-04-04 19:49 . 2008-04-06 14:24   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
            2009-04-04 19:48 . 2008-04-06 14:21   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
            2009-03-06 14:22 . 2005-12-16 02:51   284160   ----a-w   c:\windows\system32\pdh.dll
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
            "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-23 68856]
            "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-25 98304]
            "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-25 77824]
            "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-25 118784]
            "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
            "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
            "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
            "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
            "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-11-29 217088]
            "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
            "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
            "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7335936]
            "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
            "VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
            "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]
            "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
            "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
            "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
            "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
            "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-17 516440]

            c:\documents and settings\Joe\Start Menu\Programs\Startup\
            Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
            HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
            2009-05-15 02:13   11952   ----a-w   c:\windows\system32\avgrsstx.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
            2005-05-21 01:42   73728   ----a-w   c:\windows\system32\VESWinlogon.dll

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
            @="Service"

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
            "DisableMonitoring"=dword:00000001

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
            "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

            R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2009 11:36 AM 64160]
            R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2009 10:13 PM 325896]
            R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2009 10:13 PM 108552]
            R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/14/2009 10:13 PM 298776]
            R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
            R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
            R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
            R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
            R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 7:26 PM 101936]
            R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [12/15/2005 10:52 PM 28800]
            R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [12/15/2005 10:52 PM 217472]
            S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

            --- Other Services/Drivers In Memory ---

            *NewlyCreated* - COMHOST
            .
            Contents of the 'Scheduled Tasks' folder

            2009-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
            - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:35]
            .
            - - - - ORPHANS REMOVED - - - -

            Notify-WgaLogon - (no file)


            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.google.com/
            uSearch Page = hxxp://www.google.com
            uSearch Bar = hxxp://www.google.com/ie
            mDefault_Search_URL = hxxp://www.google.com/ie
            uInternet Settings,ProxyServer = proxy:8002
            uSearchAssistant = hxxp://www.google.com/ie
            uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
            mSearchAssistant = hxxp://www.google.com/ie
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
            Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
            .

            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2009-05-21 13:23
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(1300)
            c:\windows\system32\VESWinlogon.dll

            - - - - - - - > 'explorer.exe'(4928)
            c:\windows\system32\WPDShServiceObj.dll
            c:\windows\system32\PortableDeviceTypes.dll
            c:\windows\system32\PortableDeviceApi.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\program files\Intel\Wireless\Bin\EvtEng.exe
            c:\program files\Intel\Wireless\Bin\S24EvMon.exe
            c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe
            c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
            c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
            c:\windows\ehome\ehrecvr.exe
            c:\windows\ehome\ehSched.exe
            c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
            c:\program files\AVG\AVG8\avgrsx.exe
            c:\progra~1\AVG\AVG8\avgnsx.exe
            c:\windows\system32\HPZipm12.exe
            c:\program files\Intel\Wireless\Bin\RegSrvc.exe
            c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
            c:\program files\Sony\VAIO Event Service\VESMgr.exe
            c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
            c:\windows\ehome\mcrdsvc.exe
            c:\program files\Windows Media Player\wmpnetwk.exe
            c:\windows\system32\igfxext.exe
            c:\windows\system32\igfxsrvc.exe
            c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
            c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
            c:\windows\system32\wbem\unsecapp.exe
            c:\windows\ehome\ehmsas.exe
            c:\program files\Apoint\ApntEx.exe
            .
            **************************************************************************
            .
            Completion time: 2009-05-21 13:29 - machine was rebooted
            ComboFix-quarantined-files.txt  2009-05-21 17:29

            Pre-Run: 78,696,206,336 bytes free
            Post-Run: 78,620,049,408 bytes free

            198   --- E O F ---   2009-05-17 19:11

            Is this good news?

            evilfantasy

            Re: online scan to get rid of "packed.generic.200"?
            « Reply #21 on: May 21, 2009, 12:12:07 PM »
            Yes there is still one left.

            You need to uninstall either Norton or AVG. Two antivirus programs actually offer less protection because they "argue" with each other.

            Delete these files/folders, as follows:

            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
            It must be Notepad, not Wordpad.
            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

            Code:
            KillAll::

            File::
            c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

            3. Go to the Notepad window and click Edit > Paste
            4. Then click File > Save
            5. Name the file CFScript.txt - Save the file to your Desktop
            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



            ComboFix will begin to execute, just follow the prompts.
            After reboot (in case it asks to reboot), it will produce a log for you.
            Post that log (Combofix.txt) in your next reply.

            Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
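
Added example, not part of the thread and not ComboFix's own code: a Python check that reads two ComboFix logs and reports whether a driver file flagged in the first one is recorded as deleted in the second, which is what the CFScript step above is meant to achieve. The "UAC" plus random letters filename pattern is an assumption taken from the names that appear in this thread's logs, and the log text is excerpted from replies #20 and #22 with the banners shortened.

```python
import ntpath
import re

# Section banner, e.g. "(((((   Other Deletions   )))))"
SECTION_RE = re.compile(r"^\(+\s+(.+?)\s+\)+$")
# File row: created . modified   size-or-dashes   attributes   path
ROW_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:\d+|-+)\s+\S+\s+(?P<path>[A-Za-z]:\\.+)$"
)
# Bare path line, as listed under "Other Deletions"
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
# Heuristic (assumption from this thread's logs): "UAC" + a long run of letters
SUSPECT_RE = re.compile(r"^uac[a-z]{10,}\.(sys|dll)$", re.IGNORECASE)

# Excerpt of the log in reply #20 (banners shortened)
BEFORE = r"""
(((((   Other Deletions   )))))
.

c:\windows\setup.exe

.
(((((   Drivers/Services   )))))
.

-------\Service_UACd.sys

(((((   Files Created from 2009-04-21 to 2009-05-21  )))))
.

2009-05-21 17:14 . 2009-05-21 17:14   6736   ----a-w   c:\windows\system32\drivers\PROCEXP90.SYS
2009-05-15 02:13 . 2009-05-15 02:13   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\program files\AVG
2009-05-14 23:16 . 2009-05-14 23:16   53248   ----a-w   c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

.
(((((   Find3M Report   )))))
"""

# Excerpt of the log in reply #22 (banners shortened)
AFTER = r"""
FILE ::
c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys
.

(((((   Other Deletions   )))))
.

c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

.
(((((   Files Created from 2009-04-21 to 2009-05-21  )))))
.

2009-05-21 17:14 . 2009-05-21 17:29   6736   ----a-w   c:\windows\system32\drivers\PROCEXP90.SYS
2009-05-15 02:13 . 2009-05-15 02:13   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\program files\AVG

.
(((((   Find3M Report   )))))
"""


def split_sections(log):
    """Map each banner title to the non-empty lines that follow it."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def section(sections, prefix):
    """Return the lines of the first section whose title starts with prefix."""
    for title, lines in sections.items():
        if title.lower().startswith(prefix.lower()):
            return lines
    return []


def suspect_files(log):
    """Paths in 'Files Created' whose file name matches the heuristic."""
    hits = []
    for line in section(split_sections(log), "Files Created"):
        row = ROW_RE.match(line)
        if row and SUSPECT_RE.match(ntpath.basename(row.group("path"))):
            hits.append(row.group("path").lower())
    return hits


def deleted_files(log):
    """Paths ComboFix lists under 'Other Deletions'."""
    lines = section(split_sections(log), "Other Deletions")
    return [line.lower() for line in lines if PATH_RE.match(line)]


def verify_removal(before, after):
    """Status in the 'after' log of every suspect found in the 'before' log."""
    still, gone = set(suspect_files(after)), set(deleted_files(after))
    status = {}
    for path in suspect_files(before):
        if path in still:
            status[path] = "still present"
        elif path in gone:
            status[path] = "deleted"
        else:
            status[path] = "absent, no deletion record"
    return status


if __name__ == "__main__":
    for path, state in verify_removal(BEFORE, AFTER).items():
        print(f"{path}: {state}")
```

A "deleted" result only means the file is gone from the listing and recorded under Other Deletions; it says nothing about other components of the infection.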

            Kando

              Re: online scan to get rid of "packed.generic.200"?
              « Reply #22 on: May 21, 2009, 01:07:55 PM »
              Here is the latest ComboFix log

              ComboFix 09-05-19.08 - Joe 05/21/2009 14:51.2 - NTFSx86
              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.443 [GMT -4:00]
              Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
              Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
              AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
              AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
              FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

              WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

              FILE ::
              c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\windows\system32\drivers\UACjhmyrlvskbrrwov.sys

              .
              (((((((((((((((((((((((((   Files Created from 2009-04-21 to 2009-05-21  )))))))))))))))))))))))))))))))
              .

              2009-05-21 17:14 . 2009-05-21 17:29   6736   ----a-w   c:\windows\system32\drivers\PROCEXP90.SYS
              2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\documents and settings\kevin\Application Data\Malwarebytes
              2009-05-21 04:25 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
              2009-05-21 04:25 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
              2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
              2009-05-21 04:25 . 2009-05-21 04:25   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
              2009-05-21 02:27 . 2009-05-21 02:27   --------   d-----w   C:\_OTMoveIt
              2009-05-18 19:19 . 2009-05-18 19:19   --------   d-----w   c:\program files\Driver Magician Lite
              2009-05-17 18:59 . 2009-05-17 19:00   --------   d-----w   c:\documents and settings\kevin
              2009-05-17 17:06 . 2009-05-17 17:54   --------   d-----w   c:\documents and settings\Joe\.housecall6.6
              2009-05-17 16:00 . 2009-05-17 15:36   15688   ----a-w   c:\windows\system32\lsdelete.exe
              2009-05-17 15:36 . 2009-05-17 15:35   64160   ----a-w   c:\windows\system32\drivers\Lbd.sys
              2009-05-17 15:35 . 2009-05-21 12:24   --------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
              2009-05-17 15:35 . 2009-05-21 17:21   --------   d-----w   c:\program files\Spybot - Search & Destroy
              2009-05-17 15:34 . 2009-05-17 15:34   --------   dc-h--w   c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
              2009-05-17 15:34 . 2009-05-17 15:34   --------   d-----w   c:\program files\Lavasoft
              2009-05-17 15:34 . 2009-05-17 15:36   --------   d-----w   c:\documents and settings\All Users\Application Data\Lavasoft
              2009-05-17 15:28 . 2009-05-17 15:28   --------   d-----w   c:\program files\Windows Media Connect 2
              2009-05-17 15:26 . 2009-05-17 15:27   --------   d-----w   c:\windows\system32\drivers\UMDF
              2009-05-17 15:26 . 2009-05-17 15:26   --------   d-----w   c:\windows\system32\LogFiles
              2009-05-15 02:17 . 2009-05-21 04:55   --------   d--h--w   C:\$AVG8.VAULT$
              2009-05-15 02:13 . 2009-05-15 02:13   11952   ----a-w   c:\windows\system32\avgrsstx.dll
              2009-05-15 02:13 . 2009-05-15 02:13   108552   ----a-w   c:\windows\system32\drivers\avgtdix.sys
              2009-05-15 02:13 . 2009-05-15 02:13   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
              2009-05-15 02:13 . 2009-05-17 16:24   --------   d-----w   c:\windows\system32\drivers\Avg
              2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\program files\AVG
              2009-05-15 02:12 . 2009-05-15 02:12   --------   d-----w   c:\documents and settings\All Users\Application Data\avg8

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2009-05-21 18:54 . 2005-12-16 08:32   --------   d-----w   c:\program files\Common Files\Symantec Shared
              2009-05-21 05:24 . 2008-10-24 20:38   --------   d-----w   c:\program files\Common
              2009-05-17 15:25 . 2005-12-16 05:28   --------   d-----w   c:\program files\Windows Media Connect
              2009-05-17 15:25 . 2007-01-14 14:47   126   ----a-w   c:\documents and settings\Joe\Local Settings\Application Data\fusioncache.dat
              2009-05-16 01:39 . 2005-12-16 08:28   --------   d-----w   c:\program files\Quicken
              2009-04-18 14:36 . 2008-10-26 18:36   --------   d-----w   c:\program files\Norton 360
              2009-04-04 19:49 . 2008-04-06 14:24   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
              2009-04-04 19:48 . 2008-04-06 14:21   20   ---h--w   c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
              2009-03-06 14:22 . 2005-12-16 02:51   284160   ----a-w   c:\windows\system32\pdh.dll
              .

              (((((((((((((((((((((((((((((   SnapShot@2009-05-21_17.25.26   )))))))))))))))))))))))))))))))))))))))))
              .
              + 2009-05-21 18:55 . 2009-05-21 18:55   16384              c:\windows\Temp\Perflib_Perfdata_4f4.dat
              + 2009-05-21 18:54 . 2009-05-21 18:54   16384              c:\windows\Temp\Perflib_Perfdata_2a8.dat
              .
              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
              "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-23 68856]
              "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-25 98304]
              "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-25 77824]
              "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-25 118784]
              "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
              "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
              "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
              "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
              "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-11-29 217088]
              "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
              "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
              "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7335936]
              "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
              "VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
              "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]
              "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
              "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
              "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
              "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
              "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-17 516440]

              c:\documents and settings\Joe\Start Menu\Programs\Startup\
              Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
              HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
              2009-05-15 02:13   11952   ----a-w   c:\windows\system32\avgrsstx.dll

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
              2005-05-21 01:42   73728   ----a-w   c:\windows\system32\VESWinlogon.dll

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
              @="Service"

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
              "DisableMonitoring"=dword:00000001

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
              "DisableMonitoring"=dword:00000001

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
              "DisableMonitoring"=dword:00000001

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
              "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

              R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/17/2009 11:36 AM 64160]
              R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2009 10:13 PM 325896]
              R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2009 10:13 PM 108552]
              R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/14/2009 10:13 PM 298776]
              R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
              R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
              R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
              R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 7:26 PM 101936]
              R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [12/15/2005 10:52 PM 28800]
              R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [12/15/2005 10:52 PM 217472]
              S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]
              S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

              --- Other Services/Drivers In Memory ---

              *NewlyCreated* - COMHOST
              .
              Contents of the 'Scheduled Tasks' folder

              2009-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
              - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:35]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://www.google.com/
              uSearch Page = hxxp://www.google.com
              uSearch Bar = hxxp://www.google.com/ie
              mDefault_Search_URL = hxxp://www.google.com/ie
              uInternet Settings,ProxyServer = proxy:8002
              uSearchAssistant = hxxp://www.google.com/ie
              uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
              mSearchAssistant = hxxp://www.google.com/ie
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
              Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
              .

              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2009-05-21 14:56
              Windows 5.1.2600 Service Pack 3 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(1300)
              c:\windows\system32\VESWinlogon.dll

              - - - - - - - > 'explorer.exe'(3512)
              c:\windows\system32\WPDShServiceObj.dll
              c:\windows\system32\PortableDeviceTypes.dll
              c:\windows\system32\PortableDeviceApi.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\program files\Intel\Wireless\Bin\EvtEng.exe
              c:\program files\Intel\Wireless\Bin\S24EvMon.exe
              c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe
              c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
              c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
              c:\windows\ehome\ehrecvr.exe
              c:\windows\ehome\ehSched.exe
              c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
              c:\program files\AVG\AVG8\avgrsx.exe
              c:\progra~1\AVG\AVG8\avgnsx.exe
              c:\windows\system32\HPZipm12.exe
              c:\program files\Intel\Wireless\Bin\RegSrvc.exe
              c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
              c:\program files\Sony\VAIO Event Service\VESMgr.exe
              c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
              c:\program files\Windows Media Player\wmpnetwk.exe
              c:\windows\ehome\mcrdsvc.exe
              c:\windows\system32\igfxext.exe
              c:\windows\system32\igfxsrvc.exe
              c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
              c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
              c:\windows\system32\wbem\unsecapp.exe
              c:\program files\Apoint\ApntEx.exe
              c:\windows\ehome\ehmsas.exe
              .
              **************************************************************************
              .
              Completion time: 2009-05-21 15:02 - machine was rebooted
              ComboFix-quarantined-files.txt  2009-05-21 19:02
              ComboFix2.txt  2009-05-21 17:29

              Pre-Run: 78,615,195,648 bytes free
              Post-Run: 78,597,533,696 bytes free

              201   --- E O F ---   2009-05-17 19:11


              >crosses his fingers

              And I am uninstalling AVG; I think the owner has actually paid for Norton.

              evilfantasy

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Calm like a bomb
              • Thanked: 493
              • Experience: Experienced
              • OS: Windows 11
              Re: online scan to get rid of "packed.generic.200"?
              « Reply #23 on: May 21, 2009, 01:35:46 PM »
                OK we can finish up now.

                This should remove all of the tools we used.

                • Click START then RUN
                • Now type Combofix /u in the runbox
                • Make sure there's a space between Combofix and /u
                • Then hit Enter.

                The above procedure will:
                • Delete the following:
                  • ComboFix and its associated files and folders.
                • Reset the clock settings.
                • Hide file extensions, if required.
                • Hide System/Hidden files, if required.
                • Set a new, clean Restore Point.

                ----------

                Download ATF Cleaner by Atribune to your Desktop.

              Alternate download link

              Note: Vista users must use Run As Administrator
              • Under Main: Select Files to Delete choose: Select All.
              • Click the Empty Selected button.
              • If you use Firefox browser click Firefox at the top and choose: Select All
              • Click the Empty Selected button.
                If you would like to keep your saved passwords click No at the prompt.
              • If you use Opera browser click Opera at the top and choose: Select All
              • Click the Empty Selected button.
                If you would like to keep your saved passwords click No at the prompt.
              • Click Exit on the Main menu to close the program.
              Note that your system will run slower for a reboot or two after having used this tool so don't panic.

              ----------

              Download OTCleanIt.exe and save it to your Desktop.
              • Double-click OTCleanIt.exe.
              • Click the CleanUp! button.
              • Select Yes when the "Begin cleanup Process?" prompt appears.
              • If you are prompted to Reboot during the cleanup, select Yes.
              • The tool will delete itself once it finishes; if not, delete it yourself.


              Kando

                Re: online scan to get rid of "packed.generic.200"?
                « Reply #24 on: May 21, 2009, 01:55:45 PM »
                WHEW again! Ok, deleted ComboFix, downloaded and ran the other two programs, is that it?

                I don't want to go through this again, but if I do I have all of these new programs to make use of.

                Thanks again.

                evilfantasy

                Re: online scan to get rid of "packed.generic.200"?
                « Reply #25 on: May 21, 2009, 02:52:09 PM »
                You should be good to go.

                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                Kando

                  Re: online scan to get rid of "packed.generic.200"?
                  « Reply #26 on: May 22, 2009, 05:49:47 AM »
                  Well, all of my computers are safe and uninfected; this whole episode was for a teacher at the school where I work. Now she knows not to click on a little box that promises to clean up her computer for a small fee. 8-)

                  evilfantasy

                  Re: online scan to get rid of "packed.generic.200"?
                  « Reply #27 on: May 22, 2009, 08:48:44 AM »
                  I learned the hard way long ago. Sometimes a hard lesson is the best lesson. ;)

                  Let us know if anything else comes up.

                  thom

                  • Guest
                  Re: online scan to get rid of "packed.generic.200"?
                  « Reply #28 on: June 02, 2009, 09:50:04 AM »
                  EvilFantasy!!!!!

                  I........ LOVE YOU VERY MUCH DUDE~! XD  :-* :-* :-*

                  THX DUDE! YOU'RE MY COMPUTER SAVIOUR XD  ;D