Trojan.fakeav.ki Disinfect Failed

As the title suggests, I have a trojan I can't remove from my system. It keeps opening up IE and trying to go to a website (http://browser-security.microsoft.com/block.php?r=17.3), and it blocks malware tools I have tried to install to get rid of it.


<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="C:\Program Files\BitDefender\BitDefender 2009\uiscan_log.xsl"?>
<ScanSession creator="BitDefender Internet Security 2009" version="BitDefender UIScanner v.12" creationDate="5/12/2009 4:25:01 PM" installPath="C:\Program Files\BitDefender\BitDefender 2009" originalPath="C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1242159901_1_02.xml" scanClient="C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe" taskName="Deep System Scan">
  <ScanOptions showWarnings="1">
    <ScanPaths>
      <path id="0000">C:\</path>
      <path id="0001">E:\</path>
    </ScanPaths>
    <ScanObjects scanViruses="1" scanAddware="1" scanSpyware="1" scanApplications="1" scanDialers="1" scanRootkits="1"/>
    <TargetSelection heuristicScan="1" scanArchives="1" scanRegistryKeys="1" scanRegistry="1" scanCookies="1" memoryProcesses="1" scanBootSectors="1" scanEmail="0" scanAllFiles="1" scanPackedFiles="1" scanSubfolders="1" includeExtensions="" excludeExtensions=""/>
    <TargetProcessing infectedAction="3" suspiciousAction="1" hiddenAction="1" encrInfectedAction="1" encrSuspiciousAction="1" passProtAction="20"/>
  </ScanOptions>
  <EngineSummary archivePlugins="45" mailPlugins="6" scanPlugins="13" totalSignatures="2955099" systemPlugins="5" unpackPlugins="7"/>
  <ScanSummary scannedItems="138685" passProtItems="8" archiveBombs="0" infectedItems="7" suspiciousItems="0" resolvedItems="0" unresolvedItems="15" scannedArchives="897" bootSectorCount="1" scannedDirectories="4266" inputOutputErrors="0" virusesNumber="7" scanTime="00:24:42" filesPerSecond="92">
    <FileSummary scanned="137735" archives="897" packed="4473" infected="7" suspicious="0" resolved="0" deleted="0" moved="0" copied="0"/>
    <RegistryKeySummary scanned="871" infected="0" suspicious="0"/>
    <CookieSummary scanned="41" infected="0" suspicious="0"/>
    <ProcessSummary scanned="38" infected="0" suspicious="0"/>
    <MailSummary scanned="0" infected="0" suspicious="0"/>
  </ScanSummary>
  <ScanDetails>
    <AffectedItem index="0" itemType="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]agntcons.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus="not scanned" error="no action possible"/>
    <AffectedItem index="1" itemType="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]agntlang.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus="not scanned" error="no action possible"/>
    <AffectedItem index="2" itemType="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]comctl.lpk" threatType="virus" threatName="Password-protected" action="none" finalStatus="not scanned" error="no action possible"/>
    <AffectedItem index="3" itemType="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]config.ini" threatType="virus" threatName="Password-protected" action="none" finalStatus="not scanned" error="no action possible"/>
    <AffectedItem index="4" itemType="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]pbar.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus="not scanned" error="no action possible"/>
    <AffectedItem index="5" itemType="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]UnInsStr.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus="not scanned" error="no action possible"/>
    <AffectedItem index="6" itemType="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]uninst.vbs" threatType="virus" threatName="Password-protected" action="none" finalStatus="not scanned" error="no action possible"/>
    <AffectedItem index="7" itemType="File" path="C:\Documents and Settings\Deathglow\Local Settings\Temp\McAfeeInstall\Apps\msc\msclgmis.cab=]screm.ui=]uninstall.htm" threatType="virus" threatName="Password-protected" action="none" finalStatus="not scanned" error="no action possible"/>
    <AffectedItem index="8" itemType="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
    <AffectedItem index="9" itemType="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
    <AffectedItem index="10" itemType="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
    <AffectedItem index="11" itemType="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
    <AffectedItem index="12" itemType="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
    <AffectedItem index="13" itemType="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
    <AffectedItem index="14" itemType="File" path="\\?\globalroot\systemroot\system32\UACluxwdciqpqwvxov.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
  </ScanDetails>
</ScanSession>

Comments

  • Hi

    Clear all files in C:\Documents and Settings\Deathglow\Local Settings\Temp and delete UACluxwdciqpqwvxov.dll.

    This DLL is a virus file!

    Hemanth

  • Hello deathglow,

    First of all, please follow the steps presented here: How To Find Hidden Malware

    After that, go to:

    C:\windows\system32

    find the file called UACluxwdciqpqwvxov.dll and delete it (also remove it from the Recycle Bin).

    If BitDefender prevents you from removing the file, temporarily disable the Realtime Protection, remove the file, and re-enable BitDefender again.

    As for the other objects found in Documents and Settings\..., those files don't represent any risk. They are only password-protected files which couldn't be scanned.

    Cris.

  • The problem was the virus was hiding that file from me. I was finally able to get a malware remover installed by renaming the file so the virus didn't recognize it. Thanks everyone for the help.

  • Hey guys...


    BitDefender shows this same virus for me. I've followed the directions in this thread and I still can't find those infected files.


    I cleared out my temporary folder as instructed, and while it's no longer trying to install anything via Internet Explorer, it clearly still has some element of control on my computer (can't run ComboFix or SpyEraser, closes Internet Explorer when attempting to download updates).


    Any help would be greatly appreciated.


    Here's my BD log.


    <?xml version="1.0" encoding="utf-8"?>
    <?xml-stylesheet type="text/xsl" href="C:\Program Files\BitDefender\BitDefender 2009\uiscan_log.xsl"?>
    <ScanSession creator="BitDefender Total Security 2009" version="BitDefender UIScanner v.12" creationDate="5/13/2009 8:24:29 PM" installPath="C:\Program Files\BitDefender\BitDefender 2009" originalPath="C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1242264269_1_02.xml" scanClient="C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe" taskName="Deep System Scan">
      <ScanOptions showWarnings="1">
        <ScanPaths>
          <path id="0000">C:\</path>
          <path id="0001">G:\</path>
        </ScanPaths>
        <ScanObjects scanViruses="1" scanAddware="1" scanSpyware="1" scanApplications="1" scanDialers="1" scanRootkits="1"/>
        <TargetSelection heuristicScan="1" scanArchives="1" scanRegistryKeys="1" scanRegistry="1" scanCookies="1" memoryProcesses="1" scanBootSectors="1" scanEmail="1" scanAllFiles="1" scanPackedFiles="1" scanSubfolders="1" includeExtensions="" excludeExtensions=""/>
        <TargetProcessing infectedAction="3" suspiciousAction="1" hiddenAction="1" encrInfectedAction="1" encrSuspiciousAction="1" passProtAction="20"/>
      </ScanOptions>
      <EngineSummary archivePlugins="45" mailPlugins="6" scanPlugins="13" totalSignatures="2967516" systemPlugins="5" unpackPlugins="7"/>
      <ScanSummary scannedItems="558500" passProtItems="0" archiveBombs="0" infectedItems="9" suspiciousItems="0" resolvedItems="0" unresolvedItems="9" scannedArchives="4178" bootSectorCount="0" scannedDirectories="24182" inputOutputErrors="0" virusesNumber="9" scanTime="02:17:58" filesPerSecond="67">
        <FileSummary scanned="557263" archives="4178" packed="51968" infected="9" suspicious="0" resolved="0" deleted="0" moved="0" copied="0"/>
        <RegistryKeySummary scanned="1157" infected="0" suspicious="0"/>
        <CookieSummary scanned="32" infected="0" suspicious="0"/>
        <ProcessSummary scanned="48" infected="0" suspicious="0"/>
        <MailSummary scanned="0" infected="0" suspicious="0"/>
      </ScanSummary>
      <ScanDetails>
        <AffectedItem index="0" itemType="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
        <AffectedItem index="1" itemType="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
        <AffectedItem index="2" itemType="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
        <AffectedItem index="3" itemType="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
        <AffectedItem index="4" itemType="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
        <AffectedItem index="5" itemType="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
        <AffectedItem index="6" itemType="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
        <AffectedItem index="7" itemType="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
        <AffectedItem index="8" itemType="File" path="\\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll" threatType="virus" threatName="Trojan.FakeAV.KI" action="disinfect" finalStatus="infected" error="disinfect failed"/>
      </ScanDetails>
    </ScanSession>


    And a HiJackThis Log as well (renamed HJT so I could run it, but that method doesn't work with ComboFix):


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:59:38 PM, on 5/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\LOGI_MWX.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Opera\opera.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\SearchProtocolHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utm.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [saiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - http://i.dell.com/images/global/js/scanner/SysProExe.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160143727234
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160143779671
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) - https://baninb.utm.edu/forms90/java/jre-1_5...dows-i586-p.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EF43B046-806E-42D5-BA81-6637CAD11AF7}: NameServer = 170.215.126.3,170.215.184.3
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

    --
    End of file - 12789 bytes


    Could use some help. This virus is annoying the ###### out of me.
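The HijackThis log above lists what is registered at the autostart points HijackThis knows how to enumerate (BHOs, toolbars, Run keys, services and the like). A DLL that a rootkit hides and that was never registered at one of those points does not appear in such a log, so it cannot show the UAC*.dll file the BitDefender scan reported. What a log like this can still surface are orphaned or unqualified entries. The script below is an added example, not HijackThis code and not anything posted in the thread: it parses O2/O3/O4/O23 lines and flags CLSIDs with no file behind them, services with no identifiable owner or a missing image, and Run entries that launch a bare image name instead of a full path. The sample lines are constructed from the log above, and the flag names are this example's own.

```python
"""Triage a HijackThis 2.0.2 log for autostart entries that deserve a second look.

Added example for this thread; not part of HijackThis and not any poster's code.
HijackThis reports what is registered at known autostart points; it cannot list
a rootkit-hidden DLL that is loaded some other way. The flags below only select
entries to check by hand. The sample is constructed from the log in the thread.
"""
import re

SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
"""

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
COM_RE = re.compile(r"^(BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")
SVC_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")


def image_of(command):
    """First token of a Run-key command line, whether or not it is quoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_hjt(text):
    """Return the O2/O3/O4/O23 entries of a HijackThis log, each with a list of flags."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        entry = {"section": section, "raw": line.strip(), "flags": []}
        if section in ("O2", "O3"):
            c = COM_RE.match(rest)
            if not c:
                continue
            entry.update(name=c.group(2), clsid=c.group(3), path=c.group(4))
            if entry["path"] == "(no file)":
                entry["flags"].append("orphaned-clsid")      # registered CLSID, no DLL behind it
        elif section == "O4":
            r = RUN_RE.match(rest)
            if not r:
                continue                                      # .lnk-style lines are not handled here
            entry.update(location=r.group(1), name=r.group(2), command=r.group(3))
            if "\\" not in image_of(entry["command"]):
                # Bare image name: the loader's search order decides which file runs,
                # so confirm which one it actually is before trusting the name.
                entry["flags"].append("unqualified-image-path")
        elif section == "O23":
            s = SVC_RE.match(rest)
            if not s:
                continue
            entry.update(name=s.group(1), vendor=s.group(2), path=s.group(3))
            if entry["vendor"] == "Unknown owner":
                entry["flags"].append("unknown-owner")        # no company name in version info
            if entry["path"].endswith("(file missing)"):
                entry["flags"].append("missing-image")        # service points at nothing
        else:
            continue
        entries.append(entry)
    return entries


def flagged(text):
    """Only the entries that picked up at least one flag."""
    return [e for e in parse_hjt(text) if e["flags"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_HJT):
        print(e["section"], e["flags"], e["raw"])
```

An "unknown-owner" flag is not a verdict: the Linksys service above is a legitimate utility that simply ships without version information. The output is a checklist for the manual look-up that HijackThis threads always end up doing, nothing more.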

  • charliethered
    edited May 2009


    Hey guys...here's a more up-to-date scan of just that directory. Now it shows 11 instances of the virus as opposed to 9.


    Product : BitDefender Total Security 2009
    Version : BitDefender UIScanner v.12
    Scanning task : Windows
    Log date : 5/13/2009 10:10:36 PM
    Log path : C:\Documents and Settings\Charlie The Red\Application Data\BitDefender\Desktop\Profiles\Logs\user_0001\1242270636_1_02.xml

    Scan Paths:
      Path 0000: C:\WINDOWS\system32

    Scan Options:
      Scan for viruses : Yes
      Scan for adware : Yes
      Scan for spyware : Yes
      Scan for applications : Yes
      Scan for dialers : Yes
      Scan for rootkits : Yes

    Target Selection Options:
      Scan registry keys : Yes
      Scan cookies : Yes
      Scan boot sectors : Yes
      Scan memory processes : Yes
      Scan archives : Yes
      Scan runtime packers : Yes
      Scan emails : Yes
      Scan all files : Yes
      Heuristic Scan : Yes
      Scanned extensions :
      Excluded extensions :

    Target Processing:
      Default action for infected objects : Disinfect
      Default action for suspicious objects : None
      Default action for hidden objects : None
      Default action for encrypted infected objects : None
      Default action for encrypted suspicious objects : None
      Default action for password-protected objects : Log as not scanned

    Scan engines summary:
      Number of virus signatures : 2967516
      Archive plugins : 45
      Email plugins : 6
      Scan plugins : 13
      System plugins : 5
      Unpack plugins : 7

    Overall scan summary:
      Scanned items : 4805
      Infected items : 11
      Suspicious items : 0
      Resolved items : 0
      Unresolved items : 11
      Password-protected items : 0
      Overcompressed items : 0
      Individual viruses found : 11
      Scanned directories : 588
      Scanned boot sectors : 0
      Scanned archives : 26
      Input-output errors : 13
      Scan time : 00:04:27
      Files per second : 13

    Scanned processes summary:
      Scanned : 45
      Infected : 0

    Scanned registry keys summary:
      Scanned : 1155
      Infected : 0

    Scanned cookies summary:
      Scanned : 52
      Infected : 0

    Remaining issues:
      Object Name | Threat Name | Final Status
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed
      \\?\globalroot\systemroot\system32\UAClabuhodulcnskwy.dll | Trojan.FakeAV.KI | Disinfect Failed


    I could really use some help on this.

  • So I was finally able to get ComboFix to run.


    I had eleven rootkits on my system. No clue how they got there, but they're there. Combofix took care of it.

  • Does either of you two have any other problems?

  • charliethered
    edited May 2009

    As of right now, no more problems that I can see.


    What I can tell you is that, whatever put these rootkits on my computer, I got it from an outdated Flash player.

    I'll give a brief summary for posterity's sake in case anyone else has this problem.

    Last week, BitDefender detected brastia on my computer. I was able to remove it with HJT. After the next restart, BitDefender blocked Waledac and Koobface. Koobface likes to stick close to Facebook.com, and since I was playing a lot of FarmTown with Flash, I probably got the virus from one of those Flash advertisements on that site. Things seemed pretty dormant until yesterday...

    ld08, winarps32, sdra64 and zlob were all on my computer. I was able to remove all of these with HJT (which I had to rename, following the directions in this thread), but it still didn't totally resolve the problems with Internet Explorer and Firefox.

    I couldn't find the threats on my system for the life of me, and after renaming ComboFix twice it still wouldn't work. I was able to get the necessary Windows updates via Opera, then I renamed ComboFix yet again to "BillMurray.exe" and it worked. Within seconds it found all of the rootkits and cleaned them, along with other files that I hadn't caught.

    I then disabled System Restore after restart, uninstalled ComboFix and rebooted yet again, removing everything it quarantined.

    As of right now, I've scanned with BitDefender twice and still nothing found. It seems like whatever problem I had, I was able to fix.

    BitDefender labels this virus as "Trojan.FakeAV.KI." This is the Windowsclick.com (UACd.sys) rootkit, which is pretty well known on Google and has a variety of fixes. Here are some links in case anyone else has this problem.

    Removal:

    http://www.myantispyware.com/2009/01/24/ho...uacdsys-trojan/

    http://www.antionline.com/showthread.php?t=278009

    If someone has this virus, run Opera for web browsing if you have it. You can still use Firefox, although you have to paste the URLs of Google results into your address bar instead of clicking them; otherwise you'll be redirected. If you try to download Windows Updates from Internet Explorer, IE will automatically close once you reach the Installation page.

    Furthermore, running HijackThis to find this is futile because it won't find it. ComboFix is pretty much your best bet.