Trojan.fakeav.ki Disinfect Failed
As the title suggests, I have a trojan I can't remove from my system. It keeps opening up IE and trying to go to a website (http://browser-security.microsoft.com/block.php?r=17.3), and it blocks malware tools I have tried to install to get rid of it.
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="C:\Program Files\BitDefender\BitDefender 2009\uiscan_log.xsl"?>
<ScanSession creator="BitDefender Internet Security 2009" version="BitDefender UIScanner v.12" creationDate="5/12/2009 4:25:01 PM" installPath="C:\Program Files\BitDefender\BitDefender 2009" originalPath="C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1242159901_1_02.xml" scanClient="C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe" taskName="Deep System Scan">
<ScanOptions
showWarnings="1"
>
<ScanPaths>
<path id="0000">C:\</path>
<path id="0001">E:\</path>
</ScanPaths>
<ScanObjects
scanViruses="1"
scanAddware="1"
scanSpyware="1"
scanApplications="1"
scanDialers="1"
scanRootkits="1"
/>
<TargetSelection
heuristicScan="1"
scanArchives="1"
scanRegistryKeys="1"
scanRegistry="1"
scanCookies="1"
memoryProcesses="1"
scanBootSectors="1"
scanEmail="0"
scanAllFiles="1"
scanPackedFiles="1"
scanSubfolders="1"
includeExtensions=""
excludeExtensions=""
/>
<TargetProcessing
infectedAction="3"
suspiciousAction="1"
hiddenAction="1"
encrInfectedAction="1"
encrSuspiciousAction="1"
passProtAction="20"
/>
</ScanOptions>
<EngineSummary
archivePlugins="45"
mailPlugins="6"
scanPlugins="13"
totalSignatures="2955099"
systemPlugins="5"
unpackPlugins="7"
/>
<ScanSummary
scannedItems="138685"
passProtItems="8"
archiveBombs="0"
infectedItems="7"
suspiciousItems="0"
resolvedItems="0"
unresolvedItems="15"
scannedArchives="897"
bootSectorCount="1"
scannedDirectories="4266"
inputOutputErrors="0"
virusesNumber="7"
scanTime="00:24:42"
filesPerSecond="92"
>
<FileSummary
scanned="137735"
archives="897"
packed="4473"
infected="7"
suspicious="0"
resolved="0"
deleted="0"
moved="0"
copied="0"
/>
<RegistryKeySummary
scanned="871"
infected="0"
suspicious="0"
/>
<CookieSummary
scanned="41"
infected="0"
suspicious="0"
/>
<ProcessSummary
scanned="38"
infected="0"
suspicious="0"
/>
<MailSummary
scanned="0"
infected="0"
suspicious="0"
/>
</ScanSummary>
<ScanDetails>
<AffectedItem index="0" itemType ="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]agntcons.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="1" itemType ="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]agntlang.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="2" itemType ="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]comctl.lpk" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="3" itemType ="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]config.ini" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="4" itemType ="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]pbar.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="5" itemType ="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]UnInsStr.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="6" itemType ="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]uninst.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="7" itemType ="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]uninstall.htm" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="8" itemType ="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="9" itemType ="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="10" itemType ="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="11" itemType ="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="12" itemType ="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="13" itemType ="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="14" itemType ="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
</ScanDetails>
</ScanSession>
Comments
Hi
Clear all files in C:\Documents and Settings\Deathglow\Local Settings\Temp and delete UACluxwdciqpqwvxov.dll.
This dll is a virus file!
Hemanth
Hello deathglow,
First of all, please follow the steps presented here: How To Find Hidden Malware
After that, go to: C:\windows\system32
Find the file called UACluxwdciqpqwvxov.dll and delete it (also remove it from the Recycle Bin).
If BitDefender prevents you from removing the file, temporarily disable the Realtime Protection, remove the file, and re-enable BitDefender again.
As for the other objects, found in Documents and settings/..., those files don't represent any risk. They are only password-protected files which couldn't be scanned.
Cris.
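As an added example (not code from the thread or from BitDefender), a small Python triage script for the UIScanner XML logs pasted in this thread: it deduplicates the repeated AffectedItem rows, separates the password-protected archive members Cris. mentions (logged as "not scanned") from real unresolved detections, flags paths under \\?\globalroot\ that the engine could not disinfect, and cross-checks the ScanSummary counters against the detail rows. The sample log embedded in it is constructed, and UACexample.dll is a made-up name.

```python
"""Triage helper for BitDefender 2009 UIScanner XML scan logs, the format the
posters in this thread pasted. Added example, not BitDefender's own code."""
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Object-manager path prefix on the Trojan.FakeAV.KI rows: the engine reached the
# DLL only through this route, which in this log is what a file concealed from
# normal Win32 paths (rootkit behaviour) looks like.
HIDDEN_PREFIX = "\\\\?\\globalroot\\"

# Constructed sample in the layout of the thread's logs (names are made up). The
# odd attribute spacing, `itemType ="File"`, is what the scanner emits and is
# still well-formed XML, so the parser has to cope with it.
SAMPLE_LOG = r"""<?xml version="1.0" encoding="utf-8"?>
<ScanSession creator="BitDefender Internet Security 2009" taskName="Deep System Scan">
<ScanSummary scannedItems="100" infectedItems="2" unresolvedItems="4" resolvedItems="0" scanTime="00:01:00">
<FileSummary scanned="99" infected="2" resolved="0" />
</ScanSummary>
<ScanDetails>
<AffectedItem index="0" itemType ="File" path="C:\Temp\setup.cab=]inner.ui=]a.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="1" itemType ="File" path="C:\Temp\setup.cab=]inner.ui=]b.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus= "not scanned" error= "no action possible"/>
<AffectedItem index="2" itemType ="File" path="\\?\globalroot\systemroot\system32\UACexample.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="3" itemType ="File" path="\\?\globalroot\systemroot\system32\UACexample.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
</ScanDetails>
</ScanSession>
"""

def parse_scan_log(xml_text):
    """Return (ScanSummary attributes, list of AffectedItem dicts)."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "ScanSession":
        raise ValueError("not a BitDefender ScanSession log, root is <%s>" % root.tag)
    summary = root.find("ScanSummary")
    counts = {}
    if summary is not None:
        # numeric fields become ints; scanTime ("00:24:42") stays a string
        counts = {k: (int(v) if v.isdigit() else v) for k, v in summary.attrib.items()}
    items = []
    for el in root.iter("AffectedItem"):
        a = el.attrib
        items.append({
            "index": int(a.get("index", "-1")),
            "path": a.get("path", ""),
            "threat": a.get("threatName", ""),
            "status": a.get("finalStatus", "").strip(),
            "error": a.get("error", "").strip(),
        })
    return counts, items

def triage(items):
    """Collapse repeated rows per path and classify each unique path:
    unscanned (password-protected member the engine could not open; not a
    detection in itself), hidden (unresolved detection only reachable via the
    globalroot prefix), unresolved (other failed clean-ups), other."""
    by_path = OrderedDict()
    for it in items:
        entry = by_path.setdefault(it["path"], {
            "hits": 0, "threat": it["threat"], "status": it["status"], "error": it["error"]})
        entry["hits"] += 1
    for path, entry in by_path.items():
        if entry["threat"] == "Password-protected" and entry["status"] == "not scanned":
            entry["category"] = "unscanned"
        elif entry["status"] == "infected" and path.lower().startswith(HIDDEN_PREFIX):
            entry["category"] = "hidden"
        elif entry["status"] in ("infected", "suspicious"):
            entry["category"] = "unresolved"
        else:
            entry["category"] = "other"
    return by_path

def check_counts(counts, items):
    """Cross-check ScanSummary totals against the ScanDetails rows. In the logs in
    this thread every AffectedItem row is one unresolved object and the rows with
    finalStatus "infected" add up to infectedItems; a mismatch suggests a
    truncated or edited log."""
    infected_rows = sum(1 for it in items if it["status"] == "infected")
    return {
        "unresolved_match": counts.get("unresolvedItems") == len(items),
        "infected_match": counts.get("infectedItems") == infected_rows,
    }

if __name__ == "__main__":
    counts, items = parse_scan_log(SAMPLE_LOG)
    print("consistency:", check_counts(counts, items))
    for path, entry in triage(items).items():
        print("%-10s x%d %s  %s" % (entry["category"], entry["hits"], entry["threat"], path))
```

Run it against a real log with `parse_scan_log(open(path, "rb").read())`; a "hidden" entry with a high hit count is the one to treat as a concealed file rather than a scanner glitch.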
The problem was the virus was hiding that file from me. I was finally able to get a malware remover installed by renaming the file so the virus didn't recognize it. Thanks everyone for the help.
Hey guys...
BitDefender shows this same virus for me. I've followed the directions in this thread and I still can't find those infected files.
I cleared out my temporary folder as instructed, and while it's no longer trying to install anything via Internet Explorer, it clearly still has some element of control on my computer (can't run ComboFix or SpyEraser, closes Internet Explorer when attempting to download updates).
Any help would be greatly appreciated.
Here's my BD log.
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="C:\Program Files\BitDefender\BitDefender 2009\uiscan_log.xsl"?>
<ScanSession creator="BitDefender Total Security 2009" version="BitDefender UIScanner v.12" creationDate="5/13/2009 8:24:29 PM" installPath="C:\Program Files\BitDefender\BitDefender 2009" originalPath="C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1242264269_1_02.xml" scanClient="C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe" taskName="Deep System Scan">
<ScanOptions
showWarnings="1"
>
<ScanPaths>
<path id="0000">C:\</path>
<path id="0001">G:\</path>
</ScanPaths>
<ScanObjects
scanViruses="1"
scanAddware="1"
scanSpyware="1"
scanApplications="1"
scanDialers="1"
scanRootkits="1"
/>
<TargetSelection
heuristicScan="1"
scanArchives="1"
scanRegistryKeys="1"
scanRegistry="1"
scanCookies="1"
memoryProcesses="1"
scanBootSectors="1"
scanEmail="1"
scanAllFiles="1"
scanPackedFiles="1"
scanSubfolders="1"
includeExtensions=""
excludeExtensions=""
/>
<TargetProcessing
infectedAction="3"
suspiciousAction="1"
hiddenAction="1"
encrInfectedAction="1"
encrSuspiciousAction="1"
passProtAction="20"
/>
</ScanOptions>
<EngineSummary
archivePlugins="45"
mailPlugins="6"
scanPlugins="13"
totalSignatures="2967516"
systemPlugins="5"
unpackPlugins="7"
/>
<ScanSummary
scannedItems="558500"
passProtItems="0"
archiveBombs="0"
infectedItems="9"
suspiciousItems="0"
resolvedItems="0"
unresolvedItems="9"
scannedArchives="4178"
bootSectorCount="0"
scannedDirectories="24182"
inputOutputErrors="0"
virusesNumber="9"
scanTime="02:17:58"
filesPerSecond="67"
>
<FileSummary
scanned="557263"
archives="4178"
packed="51968"
infected="9"
suspicious="0"
resolved="0"
deleted="0"
moved="0"
copied="0"
/>
<RegistryKeySummary
scanned="1157"
infected="0"
suspicious="0"
/>
<CookieSummary
scanned="32"
infected="0"
suspicious="0"
/>
<ProcessSummary
scanned="48"
infected="0"
suspicious="0"
/>
<MailSummary
scanned="0"
infected="0"
suspicious="0"
/>
</ScanSummary>
<ScanDetails>
<AffectedItem index="0" itemType ="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="1" itemType ="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="2" itemType ="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="3" itemType ="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="4" itemType ="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="5" itemType ="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="6" itemType ="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="7" itemType ="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="8" itemType ="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
</ScanDetails>
</ScanSession>
And a HiJackThis Log as well (renamed HJT so I could run it, but that method doesn't work with ComboFix):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:38 PM, on 5/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utm.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [saiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160143727234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160143779671
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) - https://baninb.utm.edu/forms90/java/jre-1_5...dows-i586-p.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF43B046-806E-42D5-BA81-6637CAD11AF7}: NameServer = 170.215.126.3,170.215.184.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
--
End of file - 12789 bytes
Could use some help. This virus is annoying the ###### out of me.
Hey guys...here's a more up to date scan of just that directory. Now it shows 11 instances of the virus as opposed to 9.
Product : BitDefender Total Security 2009
Version : BitDefender UIScanner v.12
Scanning task : Windows
Log date : 5/13/2009 10:10:36 PM
Log path : C:\Documents and Settings\Charlie The Red\Application Data\BitDefender\Desktop\Profiles\Logs\user_0001\1242270636_1_02.xml
Scan Paths:
Path 0000: C:\WINDOWS\system32
Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes
Target Selection Options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :
Target Processing:
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : Log as not scanned
Scan engines summary
Number of virus signatures : 2967516
Archive plugins : 45
Email plugins : 6
Scan plugins : 13
System plugins : 5
Unpack plugins : 7
Overall scan summary
Scanned items : 4805
Infected items : 11
Suspicious items : 0
Resolved items : 0
Unresolved items : 11
Password-protected items : 0
Overcompressed items : 0
Individual viruses found : 11
Scanned directories : 588
Scanned boot sectors : 0
Scanned archives : 26
Input-output errors : 13
Scan time : 00:04:27
Files per second : 13
Scanned processes summary
Scanned : 45
Infected : 0
Scanned registry keys summary
Scanned : 1155
Infected : 0
Scanned cookies summary
Scanned : 52
Infected : 0
Remaining issues:
Object Name Threat Name Final Status
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll Trojan.FakeAV.KI Disinfect Failed
I could really use some help on this.
So I was finally able to get ComboFix to run.
I had eleven rootkits on my system. No clue how they got there, but they're there. Combofix took care of it.
Does anyone of you two have any other problems?
As of right now, no more problems that I can see.
What I can tell you is that, whatever put these rootkits on my computer, I got it from an outdated Flash player.
I'll give a brief summary for posterity's sake in case anyone else has this problem.
Last week, BitDefender detected brastia on my computer. I was able to remove it with HJT. After the next restart, BitDefender blocked Waledac and Koobface. Koobface likes to stick close to Facebook.com, and since I was playing a lot of FarmTown with Flash, I probably got the virus from one of those flash advertisements on that site. Things seemed pretty dormant until yesterday...
ld08, winarps32, sdra64 and zlob were all on my computer. I was able to remove all of these with HJT (which I had to rename, following the directions in this thread), but it still didn't totally resolve the problems with Internet Explorer and Firefox.
I couldn't find the threats on my system for the life of me, and after renaming ComboFix twice it still wouldn't work. I was able to get the necessary Windows updates via Opera, then I renamed ComboFix yet again to "BillMurray.exe" and it worked. Within seconds it found all of the rootkits and cleaned them, along with other files that I hadn't caught.
I then disabled system restore after restart, uninstalled combofix and rebooted yet again, removing everything it quarantined.
As of right now, I've scanned with BitDefender twice and still nothing found. It seems like whatever problem I had, I was able to fix.
BitDefender labels this virus as "Trojan.FakeAV.KI." This is the Windowsclick.com (UACd.sys) rootkit, which is pretty well known on Google and has a variety of fixes. Here are some links in case anyone else has this problem.
Removal:
http://www.myantispyware.com/2009/01/24/ho...uacdsys-trojan/
http://www.antionline.com/showthread.php?t=278009
If someone has this virus, run Opera for web browsing if you have it. You can still use Firefox, although you have to paste the URLs of Google results into your address bar instead of clicking them, otherwise you'll be redirected. If you try to download Windows Updates from Internet Explorer, IE will automatically close once you reach the Installation page.
Furthermore, running HiJackThis to find this is futile because it won't find it. ComboFix is pretty much your best bet.