
My gmer results - help needed

Posted 8/28/2009 9:24 AM
#76586

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I just picked up the problem I believe a lot of people are having. Can't run Malwarebytes, can't run Spybot, not connecting to webpages. I can't make ComboFix work or that dd whatever. I did get GMER to work; I just ran it to that first stage where items showed up in red, and I will post the results below. I just want to know what to do next. I wanted to add that I downloaded Malwarebytes to a CD (I renamed it and then downloaded) on a different computer and then tried it on that computer and it worked fine, but it won't run on my computer. I've been working on this for about 10 hours and this GMER thing is the first thing I have had any success with. Also, can someone tell me what the Agnitum firewall is? I've got BullGuard firewall. The log follows.


GMER 1.0.15.15077 [egez6z2f.exe] - https://www.gmer.net
Rootkit quick scan 2009-08-28 05:10:11
Windows 5.1.2600 Service Pack 3


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- System - GMER 1.0.15 ----

Code 87140D26 ZwEnumerateKey
Code 87039C96 ZwFlushInstructionCache
Code 86832796 ZwSaveKey
Code 8683275E ZwSaveKeyEx
Code 8670A305 IofCallDriver
Code 870541AD IofCompleteRequest
Code 8683C725 ZwSaveKey
Code 86832725 ZwSaveKeyEx

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Tcp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Udp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys (*** hidden *** ) [SYSTEM] kbiwkmuwwiyvnk <-- ROOTKIT !!!
Service system32\drivers\TDSSmaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
Posted 8/28/2009 11:38 AM
#76587

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello



Please download The Avenger by Swandog46 from https://swandog46.geekstogo.com/avenger2/download.php to your Desktop.

Click on Avenger.zip to open the file.

Extract avenger2.exe to your desktop. Rename it to 123.com



Start Avenger




[code]
Begin copying here:

Drivers to delete:
UACd
TDSSserv
Kbiwkmuwwiyvnk

Files to delete:
C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys
C:\WINDOWS\system32\drivers\TDSSmaxt.sys
C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys
[/code]
Copy/Paste all the text in the above codebox into the main window

Click Execute



The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)



On reboot, it will briefly open a black command window on your desktop, this is normal.

After the restart, it creates a log file that should open with the results of Avenger’s actions.



This log file will be located at C:\avenger.txt



Please download ComboFix here ->

https://download.bleepingcomputer.com/sUBs/ComboFix.exe (right-click, Save Target As).

Before saving it to your Desktop, please rename it to alg.exe to stop malware from disabling it.



Now, please make sure no other programs are running, close all other windows.


Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after
scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted.

Usually located in c:\combofix.txt, please post it to your next reply, along with C:\avenger.txt.



The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.


Do not PM me with logfiles. They will be deleted.

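The Avenger script above is built by hand from GMER's "Services" lines, and the two places where that goes wrong are easy to see later in this thread: a path typed with a stray space fails with STATUS_OBJECT_PATH_NOT_FOUND, and an entry that is not under a section header is skipped. As an added example, not part of this thread and not code from GMER or The Avenger, the Python below parses the hidden-service lines GMER prints, makes a relative ImagePath (system32\drivers\TDSSmaxt.sys) absolute, strips the .sys suffix GMER sometimes attaches to the service name, emits a script with every entry under an explicit header, and lints a script for those two mistakes. The GMER sample is the three Services lines from the log above; the Windows directory C:\WINDOWS is taken from the same log; the section-header list is limited to the headers used in this thread.

```python
import re

# Constructed sample: the "Services" section of the GMER log posted above, verbatim.
GMER_SAMPLE = r"""
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys (*** hidden *** ) [SYSTEM] kbiwkmuwwiyvnk <-- ROOTKIT !!!
Service system32\drivers\TDSSmaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)\s+<-- ROOTKIT !!!$"
)

# Only the section headers that appear in the Avenger scripts in this thread.
AVENGER_SECTIONS = ("Drivers to disable:", "Drivers to delete:",
                    "Files to delete:", "Registry keys to delete:")


def parse_hidden_services(gmer_log, system_root=r"C:\WINDOWS"):
    """Return the services GMER marked '*** hidden *** ... <-- ROOTKIT !!!'."""
    found = []
    for raw in gmer_log.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        # GMER prints the ImagePath as stored. Without a drive letter it is
        # relative to the Windows directory (system32\drivers\TDSSmaxt.sys).
        if not re.match(r"^[A-Za-z]:\\", path):
            path = system_root + "\\" + path.lstrip("\\")
        # Avenger's driver sections take the service key name; GMER sometimes
        # prints it with a .sys suffix (TDSSserv.sys, UACd.sys).
        name = re.sub(r"\.sys$", "", m.group("name"), flags=re.IGNORECASE)
        found.append({"service": name, "path": path, "start": m.group("start")})
    return found


def build_avenger_script(services):
    """Emit an Avenger script with every entry under an explicit header."""
    lines = ["Drivers to delete:"] + [s["service"] for s in services]
    lines += ["", "Files to delete:"] + [s["path"] for s in services]
    return "\n".join(lines) + "\n"


def lint_avenger_script(script):
    """Return a list of problems; an empty list means the script is clean."""
    problems, section = [], None
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line == "Begin copying here:":
            continue
        if line in AVENGER_SECTIONS:
            section = line
        elif section is None:
            problems.append(f"line {lineno}: '{line}' sits outside any section and will be skipped")
        elif section.startswith("Drivers to"):
            if "\\" in line or re.search(r"\s", line):
                problems.append(f"line {lineno}: expected a bare service name, got '{line}'")
        elif section == "Files to delete:":
            if not re.match(r"^[A-Za-z]:\\", line):
                problems.append(f"line {lineno}: file path is not absolute: '{line}'")
            elif re.search(r"\\\s|\s\\", line):
                # The stray space in "C:\WINDOWS\ system32\..." is what Avenger
                # rejects with STATUS_OBJECT_PATH_NOT_FOUND.
                problems.append(f"line {lineno}: whitespace next to a backslash in '{line}'")
        elif not re.match(r"^(HKEY_[A-Z_]+|HKLM|HKCU|HKU|HKCR)\\", line):
            problems.append(f"line {lineno}: registry key must start with a hive name: '{line}'")
    return problems


if __name__ == "__main__":
    script = build_avenger_script(parse_hidden_services(GMER_SAMPLE))
    print(script)
    print("lint:", lint_avenger_script(script) or "clean")
```

One caveat a practitioner should keep in mind: a "Drivers to delete" entry is looked up by service key name, and while the rootkit is active that lookup can come back STATUS_OBJECT_NAME_NOT_FOUND even though GMER saw the service, because the driver hides its own key from registry enumeration (GMER's "System" section above lists ZwEnumerateKey among the hooked functions). The file path, which Avenger deletes at boot before the driver is loaded, is then the more reliable handle, which is why the script lists both.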

Posted 8/28/2009 1:26 PM
#76588

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
Thanks for the reply. When Avenger rebooted it said "Starting Windows" and then it froze, so to restart all I could do was turn the power off (not the button on the computer but the power strip it's plugged into). When I restarted I got the following Avenger log. The RSIT log I did before that Avenger run. My problem now is I can only get the computer to work in Safe Mode. Safe Mode with Networking or regular mode don't work. Double-clicking on an icon doesn't do anything and I can't get Ctrl-Alt-Del to bring up the Task Manager. I can't do a Start > Shut Down because the mouse won't work when I click on Start, so I just have to power off the power strip. Also, in Safe Mode now when I click on RSIT or other .exe applications I get the "cannot open, you may not be authorized" problem. Therefore, I am now using my son's computer to send this reply. I'm thinking of taking it somewhere, but I think they'll just reformat my hard drive and I'll lose my stuff? So, right now I'm really stuck. Thanks in advance for your help.


Below is the RSIT log that I ran before your reply, and the Avenger log is below that.


Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-08-28 07:41:08
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 113 GB (76%) free of 148 GB
Total RAM: 1022 MB (66% free)


======Scheduled tasks folder======

C:\WINDOWS\tasks\BBE1A86D9FDA5DD5.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-08-01 304464]
"winupdate.exe"=C:\WINDOWS\system32\winupdate.exe [2009-08-28 43008]
"Twogizuta"=C:\WINDOWS\ajizicifa.dll [2008-04-13 174080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-08-01 304464]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-09-13 1603152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-10-25 652624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diagnostic Manager]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monopod]
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NordBull]
C:\WINDOWS\msa.exe [2009-08-27 138752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVCHOST.EXE]
C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
C:\Program Files\Trojan Remover\Trjscan.exe [2009-08-04 1068424]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Resurections]
[]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ryms40.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgLiveSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgMainSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=0
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoFolderOptions"=0
"NoDriveAutoRun"=67108863
"NoSetActiveDesktop"=1
"NoActiveDesktopChanges"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1155243762\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1155243762\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
""=":*:Enabled:Yahoo! Music Jukebox"
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"="C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-08-28 07:41:08 ----D---- C:\rsit
2009-08-28 07:41:08 ----D---- C:\Program Files\trend micro
2009-08-28 07:28:03 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-28 06:00:50 ----A---- C:\WINDOWS\system32\winhelper.dll
2009-08-28 06:00:50 ----A---- C:\WINDOWS\system32\AVR09.exe
2009-08-28 06:00:37 ----A---- C:\WINDOWS\system32\winupdate.exe
2009-08-28 06:00:36 ----A---- C:\WINDOWS\system32\tajf83ikdmf.dll
2009-08-28 05:56:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-28 05:55:00 ----A---- C:\trythisnigger.exe
2009-08-28 05:35:33 ----SD---- C:\go
2009-08-28 05:35:30 ----A---- C:\WINDOWS\system32\CF22166.exe
2009-08-28 04:53:26 ----A---- C:\WINDOWS\system32\CF13852.exe
2009-08-28 04:51:12 ----SD---- C:\ComboFix
2009-08-28 04:51:10 ----A---- C:\WINDOWS\system32\CF13287.exe
2009-08-28 04:13:27 ----A---- C:\WINDOWS\system32\CF6090.exe
2009-08-28 04:11:51 ----A---- C:\WINDOWS\system32\CF5773.exe
2009-08-28 03:57:11 ----A---- C:\WINDOWS\system32\CF2903.exe
2009-08-28 03:55:37 ----A---- C:\WINDOWS\system32\CF2596.exe
2009-08-28 00:55:42 ----A---- C:\WINDOWS\system32\CF105.exe
2009-08-28 00:47:55 ----A---- C:\WINDOWS\system32\CF31355.exe
2009-08-28 00:44:11 ----A---- C:\WINDOWS\zip.exe
2009-08-28 00:44:11 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-28 00:44:11 ----A---- C:\WINDOWS\SWSC.exe
2009-08-28 00:44:11 ----A---- C:\WINDOWS\SWREG.exe
2009-08-28 00:44:11 ----A---- C:\WINDOWS\sed.exe
2009-08-28 00:44:11 ----A---- C:\WINDOWS\PEV.exe
2009-08-28 00:44:11 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-28 00:44:11 ----A---- C:\WINDOWS\grep.exe
2009-08-28 00:43:49 ----D---- C:\WINDOWS\ERDNT
2009-08-28 00:43:45 ----A---- C:\WINDOWS\system32\CF30535.exe
2009-08-28 00:43:29 ----D---- C:\Qoobox
2009-08-28 00:09:32 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2009-08-28 00:09:32 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2009-08-28 00:09:32 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2009-08-28 00:09:32 ----A---- C:\WINDOWS\system32\UNRAR3.dll
2009-08-28 00:09:32 ----A---- C:\WINDOWS\system32\unacev2.dll
2009-08-28 00:09:31 ----D---- C:\Program Files\Trojan Remover
2009-08-28 00:09:31 ----D---- C:\Documents and Settings\Owner\Application Data\Simply Super Software
2009-08-28 00:09:31 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2009-08-27 21:22:41 ----A---- C:\WINDOWS\msc.exe
2009-08-27 21:21:59 ----A---- C:\WINDOWS\msb.exe
2009-08-27 21:21:50 ----A---- C:\WINDOWS\msa.exe
2009-08-21 00:48:15 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-21 00:46:46 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-21 00:45:19 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-21 00:43:53 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-21 00:42:27 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-21 00:41:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-21 00:39:38 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-21 00:38:07 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-21 00:37:54 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-21 00:36:30 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-21 00:34:54 ----HDC---- C:\WINDOWS\$NtUninstallKB961371-v2$
2009-08-21 00:29:58 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-08-21 00:27:55 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-08-21 00:26:38 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-08-21 00:25:20 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-08-21 00:24:03 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$

======List of files/folders modified in the last 1 months======

2009-08-28 07:41:08 ----RD---- C:\Program Files
2009-08-28 07:40:25 ----D---- C:\WINDOWS
2009-08-28 07:40:10 ----D---- C:\WINDOWS\system32
2009-08-28 07:32:34 ----D---- C:\Program Files\Mozilla Firefox
2009-08-28 07:31:08 ----D---- C:\WINDOWS\Temp
2009-08-28 07:30:28 ----D---- C:\WINDOWS\Registration
2009-08-28 07:20:30 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-08-28 06:07:42 ----SHD---- C:\System Volume Information
2009-08-28 06:07:42 ----D---- C:\WINDOWS\system32\Restore
2009-08-28 06:00:37 ----SD---- C:\WINDOWS\Tasks
2009-08-28 06:00:11 ----A---- C:\WINDOWS\system.ini
2009-08-28 05:56:44 ----D---- C:\WINDOWS\system32\drivers
2009-08-28 04:33:19 ----SHD---- C:\WINDOWS\Installer
2009-08-28 04:33:09 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-28 04:33:01 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-08-28 04:05:26 ----SH---- C:\boot.ini
2009-08-28 04:05:26 ----A---- C:\WINDOWS\win.ini
2009-08-27 23:31:30 ----D---- C:\Program Files\SpywareBlaster
2009-08-27 21:32:32 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-27 21:22:28 ----D---- C:\WINDOWS\system32\config
2009-08-27 21:21:28 ----HD---- C:\WINDOWS\PIF
2009-08-27 21:21:28 ----D---- C:\WINDOWS\system32\xircom
2009-08-27 21:21:28 ----D---- C:\WINDOWS\system32\wins
2009-08-27 21:21:28 ----D---- C:\WINDOWS\system32\ShellExt
2009-08-27 21:21:28 ----D---- C:\WIN







Logfile of The Avenger Version 2.0, (c) by Swandog46
https://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!
Deletion of driver "UACd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv" not found!
Deletion of driver "TDSSserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "Kbiwkmuwwiyvnk" deleted successfully.
File "C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys" deleted successfully.

Error: could not open file "C:\WINDOWS\ system32\drivers\TDSSmaxt.sys"
Deletion of file "C:\WINDOWS\ system32\drivers\TDSSmaxt.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Posted 8/28/2009 3:00 PM
#76591

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Run avenger again ->



Start Avenger




[code]
Begin copying here:

Files to delete:
C:\WINDOWS\tasks\BBE1A86D9FDA5DD5.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\ajizicifa.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\msb.exe
C:\WINDOWS\msc.exe
C:\WINDOWS\system32\winhelper.dll
C:\WINDOWS\system32\AVR09.exe
C:\WINDOWS\system32\tajf83ikdmf.dll

Drivers to disable:
UACd
TDSSserv
Kbiwkmuwwiyvnk

Drivers to delete:
UACd
TDSSserv
Kbiwkmuwwiyvnk

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}
[/code]


Copy/Paste all the text in the above code box into the main window

Click Execute



The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)



On reboot, it will briefly open a black command window on your desktop, this is normal.

After the restart, it creates a log file that should open with the results of Avenger’s actions.



This log file will be located at C:\avenger.txt



Post C:\avenger.txt in next reply


Do not PM me with logfiles. They will be deleted.

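The second script above was assembled by reading the RSIT registry dump against the GMER findings: the scheduled tasks and recently dropped autoruns, the SafeBoot subkeys named after the hidden driver so it survives Safe Mode, and so on. As an added example, not from this thread and not code from RSIT or GMER, the Python below does that triage pass mechanically. It parses RSIT's [key] / "name"=data layout (a line that is not "name"=data continues the previous REG_MULTI_SZ value, or is the bare image path RSIT prints under an msconfig\startupreg subkey) and flags autorun images in a Temp directory or dropped straight into the Windows directory, Run values that point at a DLL, autorun images dated within a few days of the report, SafeBoot subkeys that match a GMER-reported hidden driver, a non-default LSA notification package, and DisableTaskMgr=1. The sample is a constructed subset of the RSIT log above; the report date 2009-08-28 comes from the RSIT header; the three-day window and "scecli is the only default notification package on XP" are my assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample: lines copied from the RSIT registry dump posted above.
RSIT_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-08-01 304464]
"winupdate.exe"=C:\WINDOWS\system32\winupdate.exe [2009-08-28 43008]
"Twogizuta"=C:\WINDOWS\ajizicifa.dll [2008-04-13 174080]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monopod]
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NordBull]
C:\WINDOWS\msa.exe [2009-08-27 138752]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ryms40.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"""
# Report date from the RSIT header; driver names from GMER's Services section.
REPORT_DATE = date(2009, 8, 28)
HIDDEN_DRIVERS = ["kbiwkmuwwiyvnk", "TDSSserv", "UACd"]

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
SYS_RE = re.compile(r"\.sys$", re.IGNORECASE)
# RSIT prints an image as "<path> [<yyyy-mm-dd> <size>]"; both fields may be empty.
IMAGE_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<date>\d{4}-\d{2}-\d{2})?\s*\d*\]$")


def parse_rsit_registry(text):
    """Map each [key] to a list of (value_name, [data, ...]) entries."""
    sections, entries = {}, None
    for line in filter(None, map(str.rstrip, text.splitlines())):
        m = KEY_RE.match(line)
        if m:
            entries = sections.setdefault(m.group(1), [])
            continue
        if entries is None:
            continue
        v = VALUE_RE.match(line)
        if v:
            entries.append((v.group(1), [v.group(2)]))
        elif entries:
            entries[-1][1].append(line)  # REG_MULTI_SZ continuation line
        else:
            entries.append((None, [line]))  # bare image path under startupreg\<name>
    return sections


def image_reasons(path, file_date, report_date, recent_days):
    """Location and age heuristics for one autorun image."""
    p, reasons = path.lower(), []
    parts = p.split("\\")
    if "\\temp\\" in p:
        reasons.append("autorun image lives in a Temp directory")
    if len(parts) == 3 and parts[1] == "windows":
        reasons.append("autorun image dropped directly into the Windows directory")
    if p.endswith(".dll"):
        reasons.append("autorun points at a DLL rather than an executable")
    if file_date and report_date - date.fromisoformat(file_date) <= timedelta(days=recent_days):
        reasons.append(f"image dated {file_date}, within {recent_days} days of the report")
    return reasons


def triage(sections, hidden_drivers, report_date, recent_days=3):
    """Return (key, item, reason) findings, cross-checked against GMER's hidden drivers."""
    hidden, findings = {SYS_RE.sub("", h).lower() for h in hidden_drivers}, []
    for key, entries in sections.items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if "\\control\\safeboot\\" in k:
            if SYS_RE.sub("", leaf).lower() in hidden:
                findings.append((key, leaf, "SafeBoot entry for a hidden driver: it loads in Safe Mode too"))
        elif k.endswith("\\control\\lsa"):
            for name, values in entries:
                if name == "notification packages":
                    # Assumed XP default is scecli alone; anything else is a DLL loaded into lsass.exe.
                    findings += [(key, v, "non-default LSA notification package") for v in values if v.lower() != "scecli"]
        elif k.endswith("\\policies\\system"):
            for name, values in entries:
                if name.lower() == "disabletaskmgr" and values[0].strip() == "1":
                    findings.append((key, name, "Task Manager disabled by policy"))
        elif k.endswith("\\currentversion\\run") or "\\msconfig\\startupreg\\" in k:
            for name, values in entries:
                m = IMAGE_RE.match(values[0])
                if m:
                    path = m.group("path").strip()
                    for reason in image_reasons(path, m.group("date"), report_date, recent_days):
                        findings.append((key, f"{name or leaf} -> {path}", reason))
    return findings


if __name__ == "__main__":
    for hit in triage(parse_rsit_registry(RSIT_SAMPLE), HIDDEN_DRIVERS, REPORT_DATE):
        print(" | ".join(hit))
```

On the sample this reports winupdate.exe and msa.exe by age, ajizicifa.dll and msa.exe by location, a.exe in Temp, both TDSSserv.sys SafeBoot keys, ryms40.dll as an extra LSA notification package, and DisableTaskMgr, while Recguard and BullGuard pass. The location and age rules are heuristics for picking what to look at first, not verdicts; the SafeBoot and notification-package checks are the ones worth acting on directly, because a driver registered under SafeBoot\Minimal is loaded even when the machine is booted into Safe Mode to clean it.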

Posted 8/28/2009 4:45 PM
#76595

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
Here's this one. I had to shut down a couple of times after running Avenger, and now this time it started normally and the desktop wasn't frozen, but now I have that red circle with a white X in it and a warning pops up and says I need antivirus or something like that. I had run a virus scan but BullGuard said it was clean. Thanks again for the help.



Logfile of The Avenger Version 2.0, (c) by Swandog46
https://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!
Deletion of driver "UACd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv" not found!
Deletion of driver "TDSSserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "Kbiwkmuwwiyvnk" deleted successfully.
File "C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys" deleted successfully.

Error: could not open file "C:\WINDOWS\ system32\drivers\TDSSmaxt.sys"
Deletion of file "C:\WINDOWS\ system32\drivers\TDSSmaxt.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.






Logfile of The Avenger Version 2.0, (c) by Swandog46
https://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open driver "UACd"
Disablement of driver "UACd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "TDSSserv"
Disablement of driver "TDSSserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Disablement of driver "Kbiwkmuwwiyvnk" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!
Deletion of driver "UACd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv" not found!
Deletion of driver "TDSSserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "Kbiwkmuwwiyvnk" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Posted 8/28/2009 4:49 PM
#76596

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I meant to also say my Alt-Ctrl-Del works, but my option to choose Task Manager is greyed out.
Posted 8/29/2009 4:31 AM
#76617

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Sounds like there are improvements, even if "Task Manager is greyed out".




See if you can run combofix -






Please download ComboFix here ->

https://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it to your Desktop, please rename it to alg.exe to stop malware from disabling it.




Now, please make sure no other programs are running, close all other windows.


Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after
scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted.

Usually located in c:\combofix.txt, please post it to your next reply


The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.


Do not PM me with logfiles. They will be deleted.


Posted 8/29/2009 11:10 AM
#76628

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I will only be able to try to run that in Safe Mode, because my computer was back to being frozen if I start it normally or if I start it in Safe Mode with Networking. When you say it may take a while to run, do you mean like 10 minutes or something like 2 hours? I am running it now, but what I'm running, I had some sort of script file that I dragged onto the ComboFix icon and that started the ComboFix process. I have now downloaded the version that you have provided the link for, and before I downloaded it I renamed it alg.exe (I downloaded it onto a spare hard drive hooked to another computer and then I take it home and drag it onto my desktop). Final question for now: does ComboFix reboot the computer or do I do that, and when it does reboot can I reboot into Safe Mode or do I just let it reboot normally? Thanks again for the help. I'll probably post back in a few hours.
Posted 8/29/2009 11:48 AM
#76629

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
[quote]Does ComboFix reboot the computer or do I do that, and when it does reboot can I reboot into Safe Mode or do I just let it reboot normally? Thanks again for the help. I'll probably post back in a few hours.[/quote]

I hope ComboFix will reboot, meaning it has found infections and needs to reboot to remove them properly. It will try to reboot to normal mode.

Do not PM me with logfiles. They will be deleted.


Posted 8/29/2009 2:07 PM
#76631

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
ComboFix won't run. It renames itself to combofix as soon as I start it, then it disappears about 5 seconds later. I am able to open HijackThis, but when I start to scan it disappears. I can get into its misc. tools, so I made a startup list and noticed there was a strange program in the autorun registry (I forgot to write the name down) but it was calling for a file ajizicfa.dll, so I deleted that from the autorun registry, but the file wouldn't delete, so I put it in the delete-upon-reboot of HijackThis and restarted. That allowed me to reboot normally, but as I was trying to write this things froze, so I had to shut off the power strip, so now I have got it in Safe Mode with Networking and can get online on my own computer. Below is the startup list.

StartupList report, 8/29/2009, 9:19:38 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\Desktop\tryit.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18702)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\tryit.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BullGuard = "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
MSConfig = C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BullGuard = "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

BBE1A86D9FDA5DD5.job
{7B02EF0B-A410-4938-8480-9BA26420A627}.job
{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

--------------------------------------------------

Enumerating Download Program Files:

[vzTCPConfig]
CODEBASE = https://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
OSD = C:\WINDOWS\Downloaded Program Files\OSD22.OSD

[Creative Software AutoUpdate]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTSUEng.ocx
CODEBASE = https://www.creative.com/su/ocx/15026/CTSUEng.cab

[{49232000-16E4-426C-A231-62846947304B}]
CODEBASE = https://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = https://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238354672500

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

[Creative Software AutoUpdate Support Package]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTPID.ocx
CODEBASE = https://www.creative.com/su/ocx/15026/CTPID.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
Protocol #1: C:\WINDOWS\system32\bglsp.dll
Protocol #2: C:\WINDOWS\system32\bglsp.dll
Protocol #3: C:\WINDOWS\system32\bglsp.dll
Protocol #4: C:\WINDOWS\system32\bglsp.dll
Protocol #5: C:\WINDOWS\system32\bglsp.dll
Protocol #6: C:\WINDOWS\system32\bglsp.dll
Protocol #7: C:\WINDOWS\system32\bglsp.dll
Protocol #8: C:\WINDOWS\system32\bglsp.dll
Protocol #9: C:\WINDOWS\system32\bglsp.dll
Protocol #10: C:\WINDOWS\system32\bglsp.dll
Protocol #11: C:\WINDOWS\system32\bglsp.dll
Protocol #12: C:\WINDOWS\system32\bglsp.dll
Protocol #13: C:\WINDOWS\system32\bglsp.dll
Protocol #27: C:\WINDOWS\system32\bglsp.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\TEMP\UAC1c1e.tmp|||M

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 5,721 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
tryit.exe is what I renamed hijackthis to. When I tried the combofix I had my antivirus and firewall shut off and I had my modem unplugged. I guess I'm ready for the next step. Thanks again
Posted 8/29/2009 2:23 PM
#76632
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I wanted to add that I have a grep.cfxxe in my running processes which I didn't have before all this trouble started, and I still can't open things like malwarebytes.
Posted 8/29/2009 11:27 PM
#76650
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I did an online panda scan and it found the following

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-29 17:34:02
PROTECTIONS: 2
MALWARE: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
BullGuard Antivirus X.0 Yes Yes
McAfee VirusScan No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
02457190 Trj/Alureon.BB Virus/Trojan Yes 1 No No globalroot\systemroot\system32\UACyugewtvccr.dll
02578223 Generic Trojan Virus/Trojan Yes 0 No No globalroot\Device\__max++>\40E6ED8E.x86.dll
02587846 Adware/SystemGuard2009 Adware Yes 0 No No globalroot\systemroot\system32\UACyrbxpkospb.dll
;===================================================================================================================================================================================


I then did a scan with bullguard but it didn't find anything. I then tried to do a hijack this and a combofix but those both start for about 5 seconds and disappear. Could I just put

Files to delete:
globalroot\systemroot\system32\UACyugewtvccr.dll
globalroot\Device\__max++>\40E6ED8E.x86.dll
globalroot\systemroot\system32\UACyrbxpkospb.dll



into the script area of the avenger and do it, deleting those files? I don't want to just do it for fear of screwing something up.
Posted 8/30/2009 1:09 AM
#76666
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I ran eset online scanner and it removed some stuff here is the log

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=75b4f87702e4c44083a6fb6cb6ea67f8
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-30 12:33:17
# local_time=2009-08-29 08:33:17 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=4609 21 100 97 24347527968750
# scanned=49207
# found=7
# cleaned=7
# scan_time=1544
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\winupdate.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\install[1].exe a variant of Win32/Kryptik.MT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\install[2].exe a variant of Win32/Kryptik.MT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
${Memory} Win32/Olmarik.IJ trojan (contained infected files) 00000000000000000000000000000000 C


then I rebooted into safe mode with networking and again tried combofix and hijack this but same as before they run for about 5 seconds and disappear. I also tried to do a new installation of malwarebytes but as soon as I started the scan it too disappeared. Then I created a new startup list with hijack this which is below; again the tryit.exe is the renamed hijackthis.exe



StartupList report, 8/29/2009, 9:00:12 PM
StartupList version: 1.52.2
Started from : C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX07.391\tryit.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Unable to get Internet Explorer version!
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX07.391\tryit.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BullGuard = "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BullGuard = "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

BBE1A86D9FDA5DD5.job
{7B02EF0B-A410-4938-8480-9BA26420A627}.job
{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

--------------------------------------------------

Enumerating Download Program Files:

[vzTCPConfig]
CODEBASE = https://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
OSD = C:\WINDOWS\Downloaded Program Files\OSD22.OSD

[Creative Software AutoUpdate]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTSUEng.ocx
CODEBASE = https://www.creative.com/su/ocx/15026/CTSUEng.cab

[{49232000-16E4-426C-A231-62846947304B}]
CODEBASE = https://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = https://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238354672500

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

[Creative Software AutoUpdate Support Package]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTPID.ocx
CODEBASE = https://www.creative.com/su/ocx/15026/CTPID.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
Protocol #1: C:\WINDOWS\system32\bglsp.dll
Protocol #2: C:\WINDOWS\system32\bglsp.dll
Protocol #3: C:\WINDOWS\system32\bglsp.dll
Protocol #4: C:\WINDOWS\system32\bglsp.dll
Protocol #5: C:\WINDOWS\system32\bglsp.dll
Protocol #6: C:\WINDOWS\system32\bglsp.dll
Protocol #7: C:\WINDOWS\system32\bglsp.dll
Protocol #8: C:\WINDOWS\system32\bglsp.dll
Protocol #9: C:\WINDOWS\system32\bglsp.dll
Protocol #10: C:\WINDOWS\system32\bglsp.dll
Protocol #11: C:\WINDOWS\system32\bglsp.dll
Protocol #12: C:\WINDOWS\system32\bglsp.dll
Protocol #13: C:\WINDOWS\system32\bglsp.dll
Protocol #27: C:\WINDOWS\system32\bglsp.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\TEMP\UACb4d4.tmp|||M

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 5,360 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I don't see any improvement from removing the files that eset found and removed. I am basically stuck at this point.
Posted 8/30/2009 2:04 AM
#76674
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
You have done a good job ;-)



Start Avenger




[code]
Begin copying here:
Files to delete:
C:\WINDOWS\TEMP\UAC1c1e.tmp
C:\WINDOWS\system32\UACyugewtvccr.dll
C:\WINDOWS\ system32\40E6ED8E.x86.dll
C:\WINDOWS\system32\UACyrbxpkospb.dll
Drivers to delete:
40E6ED8E.x86
[/code]




Copy/paste all the text in the above box into the main window, then click Execute.

The Avenger will automatically do the following:

It will restart your computer. (In cases where the script contains "Drivers to delete", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop; this is normal.

After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Post C:\avenger.txt in your next reply.


Posted 8/30/2009 3:20 AM
#76680
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
Thank you. I'm somewhat obsessive/compulsive about this kind of stuff. I was wondering, when I run avenger I've got 2 boxes, scan for rootkits and delete rootkits if found. The way mine is set is scan for rootkits is checked, the other is not. How should that be? When I run it should I turn off my antivirus and/or disconnect my internet? I guess I should have asked that the first time. Anyway, it did just like you said and here's the log. Thanks again for your help.


Logfile of The Avenger Version 2.0, (c) by Swandog46
https://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\TEMP\UAC1c1e.tmp" not found!
Deletion of file "C:\WINDOWS\TEMP\UAC1c1e.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\UACyugewtvccr.dll" deleted successfully.

Error: could not open file "C:\WINDOWS\ system32\40E6ED8E.x86.dll"
Deletion of file "C:\WINDOWS\ system32\40E6ED8E.x86.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "C:\WINDOWS\system32\UACyrbxpkospb.dll" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\40E6ED8E.x86" not found!
Deletion of driver "40E6ED8E.x86" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
Posted 8/30/2009 3:25 AM
#76682
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I just noticed something that I'm curious about. You have 3 system32 files to delete; 2 of them worked, they were windows/system32/whatever, but the one that didn't work is windows/ system32/ whatever. It has a space between the slash and system32 but the other 2 didn't. Is it supposed to be that way, or is that why it failed?
Posted 8/30/2009 3:38 AM
#76683
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
"It has a space between the slash and system32 but the other 2 didn't"


No, my bad.



Launch Notepad, and copy/paste everything in the codebox below into the new document.

Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as runme.bat.





[code]
@ECHO OFF
REM Search C:\WINDOWS and every subfolder (/s) for the driver file, including hidden and system files (/a)
DIR /a /s C:\WINDOWS\40E6ED8E.x86.dll >Log.txt
REM Open the result in the default text editor
START Log.txt
REM Remove this batch file once it has run
DEL /Q %0
[/code]


Locate runme.bat on your Desktop and double-click on it.
Please post the contents of Log.txt, which should be opened when the diagnostic finishes.

Posted 8/30/2009 4:02 AM
#76685
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
It ran and changed my bat file to the log.txt file. The contents of that are below. Is this what was supposed to happen?

Volume in drive C has no label.
Volume Serial Number is 74A8-2751


That's everything. Thanks
Posted 8/30/2009 4:09 AM
#76688
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Yes, it was. But not the info I've expected :rolleyes:



Download OTL by OldTimer, saving it to your desktop: https://oldtimer.geekstogo.com/OTL.exe

· Close all open windows on the Task Bar. Click the OTL icon (for Vista, right click the icon and Run as Administrator) to start the program.

· In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".

· Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.

· Do not TOUCH your keyboard until the scan completes!

· It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.

· Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!

· Exit OTL by clicking the X at top right.



Then copy/paste the following into your post (in order):



the contents of OTL.txt <=this file;

the contents of Extras.txt <=this file

Posted 8/30/2009 4:50 AM
#76691
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
It only runs for about 1 second and disappears, so I downloaded again but saved to my desktop as joe.com, but it still only ran about 1 second and disappeared.
Posted 8/30/2009 4:59 AM
#76694
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Try to save it as alg.exe and try again. It is possible you'll have to do it from safe mode.

Posted 8/30/2009 5:43 AM
#76696
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
No, it doesn't work. It actually never starts to scan; I tried it in safe mode too, same thing. Then once I open it I have to download again, saving as another name, because it doesn't give me permission to do anything with the one I've already run. I tried setting avenger to run the program on the next boot and it opens on reboot and I started it scanning and I could see the file names as they were being scanned, but during that time windows is continuing to load, so once it loads whatever makes the files not run, it disappears. All that takes about 5 seconds. Is there some way to delay the rest of the programs from loading? Like to say "press any key to continue loading after otl is finished its scan". I thought that there was a way to have windows load one item at a time and you click yes to have something load or click no to keep a program from loading and then it moves on to the next program and again you say yes or no. I may be dreaming but I thought I had done that before; I just don't remember how to do it. Or could I put the program on a cd and have the first boot go to the cd? I'm probably confusing the heck out of you at this point. I also tried to run the avenger but when I restarted the computer I went into safe mode, but then avenger didn't run. I guess you can only have it reboot to regular operating, unless you know of a way for avenger to run when you reboot to safe mode.
Posted 8/30/2009 6:14 AM
#76697
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
This is a new gmer scan (until it asks me if I want to do a complete scan). It seems as though if I run exe files from the zip package or whatever (as opposed to extracting to wherever) I can run them more than once. Here's the log from the new gmer


GMER 1.0.15.15077 [tioo.exe] - https://www.gmer.net
Rootkit quick scan 2009-08-30 02:10:07
Windows 5.1.2600 Service Pack 3


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- System - GMER 1.0.15 ----

Code 8710971E ZwEnumerateKey
Code 86FDC1D6 ZwFlushInstructionCache
Code 866E6306 ZwSaveKey
Code 866E62CE ZwSaveKeyEx
Code 866DE305 IofCallDriver
Code 86FD83D5 IofCompleteRequest
Code 86FDDCF5 ZwSaveKey
Code 8708F99D ZwSaveKeyEx

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)

Device \Driver\Tcpip \Device\Ip AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Tcp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Udp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys (*** hidden *** ) [SYSTEM] kbiwkmuwwiyvnk <-- ROOTKIT !!!
Service system32\drivers\TDSSmaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
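The two steps in this thread that a helper does by hand, copying paths out of a scanner report into an Avenger "Files to delete:" / "Drivers to delete:" script and matching GMER's hidden-service lines to driver names, are mechanical enough to script. The Python below is an added example, not code from the thread, from Avenger or from GMER. It assumes the GMER "Services" line layout seen in the quick scan above, the two stanza headers Touch used, and that the Windows directory is C:\WINDOWS; the sample log text and scanner paths are constructed from the logs posted earlier. Two details it handles that the thread ran into: it collapses a stray space after a backslash (the `C:\WINDOWS\ system32` typo that produced STATUS_OBJECT_PATH_NOT_FOUND), and it refuses to turn a `globalroot\Device\...` object name into a file path, because that is a kernel object name rather than a directory and no file-path delete or `DIR /s` can reach it. The driver stanza uses the service name GMER prints after `[SYSTEM]`, since the Avenger log above shows it looks the driver up under `...\CurrentControlSet\Services\<name>`.

```python
"""Added example: build an Avenger script from GMER hidden-service lines and
scanner-reported paths. Not part of the thread, Avenger or GMER."""
import re

# Constructed sample, modelled on the GMER quick scan posted in the thread.
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys (*** hidden *** ) [SYSTEM] kbiwkmuwwiyvnk <-- ROOTKIT !!!
Service system32\drivers\TDSSmaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# Constructed sample of scanner detections in the globalroot\... spelling Panda used.
SAMPLE_SCANNER_PATHS = [
    r"globalroot\systemroot\system32\UACyugewtvccr.dll",
    r"globalroot\Device\__max++>\40E6ED8E.x86.dll",
    r"globalroot\systemroot\system32\UACyrbxpkospb.dll",
]

# "Service <path> (*** hidden *** ) [START] <service name> <-- ROOTKIT !!!"
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(?P<name>\S+)\s+<-- ROOTKIT"
)


def parse_hidden_services(log_text):
    """Return [(service_name, driver_path)] for every GMER line flagged '<-- ROOTKIT'."""
    found = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append((m.group("name"), m.group("path")))
    return found


def normalize_path(path, windir=r"C:\WINDOWS"):
    r"""Map the path spellings seen in scanner logs onto a plain Win32 path.

    Returns None for \Device\... names: those are kernel object names, not
    directories, so a file-path delete (or DIR /s) cannot reach them.
    """
    p = re.sub(r"\\\s+", r"\\", path.strip())          # "C:\WINDOWS\ system32" -> "C:\WINDOWS\system32"
    p = re.sub(r"^globalroot\\", "", p, flags=re.I)     # drop the \\?\globalroot alias
    if re.match(r"^\\?device\\", p, flags=re.I):
        return None
    if re.match(r"^systemroot\\", p, flags=re.I):       # systemroot\system32\x.dll -> C:\WINDOWS\system32\x.dll
        return windir + p[len("systemroot"):]
    if re.match(r"^[A-Za-z]:\\", p):                    # already an absolute drive path
        return p
    return windir + "\\" + p                            # GMER's relative "system32\drivers\..." form


def build_avenger_script(scanner_paths, gmer_log, windir=r"C:\WINDOWS"):
    """Return (avenger_script_text, unresolved_paths).

    unresolved_paths holds entries that have no file-system path and must be
    dealt with another way rather than pasted into 'Files to delete:'.
    """
    files, unresolved = [], []
    for raw in scanner_paths:
        p = normalize_path(raw, windir)
        (files if p else unresolved).append(p or raw)
    drivers = []
    for name, drv_path in parse_hidden_services(gmer_log):
        fp = normalize_path(drv_path, windir)
        if fp:
            files.append(fp)
        drivers.append(name)     # Avenger resolves this under ...\Services\<name>
    files = list(dict.fromkeys(files))   # de-duplicate, keep order
    lines = ["Files to delete:"] + files
    if drivers:
        lines += ["Drivers to delete:"] + drivers
    return "\n".join(lines) + "\n", unresolved


if __name__ == "__main__":
    script, skipped = build_avenger_script(SAMPLE_SCANNER_PATHS, SAMPLE_GMER_LOG)
    print(script)
    for s in skipped:
        print("# not a file-system path, handle separately:", s)
```

Running it on the constructed samples yields a script with the two UAC DLLs plus the three hidden driver files under "Files to delete:", the three service names under "Drivers to delete:", and the `__max++>` entry reported separately instead of being pasted in as a path that cannot exist.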
Posted 8/30/2009 4:02 PM
#76711
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I had to get some sleep. Now I have to leave for a few hours. I ran the cure it and the quick scan found one infection so I cured it or deleted it, I don't remember which; whatever it said to do I did, I guess. Then when I switched it to complete scan it ran for about 5 seconds and disappeared and a thing came up saying download the trial version for 30 days, so I did that, and at that point I couldn't get the log of what the initial scan did, but I know it did find one infection. When I began to install the demo it gave me a warning about another antivirus, so I shut down bullguard (stopped the AV, shut off the firewall, stopped the processes running for bullguard, and turned on windows firewall) so Drweb installed and updated, then I ran the scans. The quick scan was clean but the complete scan found the stuff below. I still can't run a hijack this. It starts and disappears. I then tried to run malware bytes (that I hadn't tried to run yet) but it started and disappeared. Then when I tried to restart it, it didn't give me permission. I notice in my computer, file types, registered file types, exe is not there; when I add exe to the list and call it an application and it says it opens with %1, then close my computer and then go back into registered types (where I just added exe) it is no longer there. So I am still having problems. So I am now ready for the next step but it may be 4 hours or more before I get back to it. Thanks again for your help, it is very much appreciated.



c.bat;C:\32788R22FWJFW;Probably BATCH.Virus;Deleted.;
c.bat;C:\456out;Probably BATCH.Virus;Deleted.;
456out.com\32788R22FWJFW\c.bat;C:\Documents and Settings\Owner\Desktop\456out.com;Probably BATCH.Virus;;
456out.com;C:\Documents and Settings\Owner\Desktop;Archive contains infected objects;Deleted.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;Deleted.;
npCouponPrinter.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Coupons.34;Deleted.;
msa.exe;C:\WINDOWS;Trojan.DownLoad.45171;Deleted.;
msb.exe;C:\WINDOWS;Trojan.DownLoad.45171;Deleted.;
msc.exe;C:\WINDOWS;Trojan.DownLoad.45171;Deleted.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;F:\i386\Apps\App17981\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;F:\i386\Apps\App17981\comps\coach;Archive contains infected objects;Deleted.;
tssetup.exe\data002;F:\i386\Apps\App17981\comps\tpspd\tssetup.exe;Probably DLOADER.Trojan;;
tssetup.exe;F:\i386\Apps\App17981\comps\tpspd;Archive contains infected objects;Deleted.;