UAC.sys Malware Problem Fixed
#1 jlsmetalhead (New Member, 2 posts)
Thank You, This Site Helped Me Very Much. I Don't Know What Forum I Read, But It Was a Link I Clicked After Searching UAC.sys In My Browser. This Person Said To Download ComboFix, So I Did And Had NO Problems With Getting Rid Of The Nasty Malware. The Google Installer Pop Up Has Stopped Coming Up & The Problem With A Driver Is Fixed.


Here Is My Log After Using ComboFix - Thank You Whoever Helped Me. :)


ComboFix 09-08-31.04 - jeff 09/01/2009 14:23.1.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2813.1951 [GMT -4:00]
Running from: c:\users\jeff\Contacts\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3842084670-3972306024-4010053558-500
c:\programdata\Microsoft\Windows\Start Menu\PAV
c:\programdata\Microsoft\Windows\Start Menu\PAV\Uninstall.lnk
c:\users\jeff\AppData\Roaming\.#
c:\users\jeff\AppData\Roaming\inst.exe
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\drivers\UACtvrtitrbcb.sys
c:\windows\system32\ndisapi.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjbobwrrpsn.dll
c:\windows\system32\UACmoiifwbnlc.dat
c:\windows\system32\UACpqplsuxmlf.dll
c:\windows\system32\UACydtqqelviv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Service_UACd.sys
-------\Legacy_ESQULserv.sys
-------\Legacy_UACd.sys
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-08-31 18:33 . 2009-08-31 18:33 -------- d-----w- c:\users\jeff\AppData\Local\ESET
2009-08-31 17:25 . 2009-08-31 17:25 -------- d-----w- c:\windows\system32\EventProviders
2009-08-30 23:51 . 2009-08-30 23:51 -------- d-----w- c:\program files\ESET
2009-08-30 23:45 . 2009-08-30 23:45 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-08-30 14:18 . 2009-08-30 14:18 -------- d-----w- c:\users\jeff\Option
2009-08-30 05:41 . 2009-08-30 05:41 -------- d-----w- c:\program files\PersonalAV
2009-08-28 21:44 . 2009-08-29 23:58 -------- d-----w- c:\users\jeff\AppData\Local\MediaMonkey
2009-08-28 21:44 . 2009-08-29 23:58 -------- d-----w- c:\program files\MediaMonkey
2009-08-27 07:01 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-26 13:07 . 2009-06-05 12:34 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-26 13:07 . 2009-06-05 10:08 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-16 15:49 . 2009-08-16 15:49 -------- d-----w- c:\users\jeff\AppData\Local\WeatherBug
2009-08-16 15:48 . 2009-08-16 15:48 -------- d-----w- c:\users\jeff\AppData\Roaming\WeatherBug
2009-08-16 15:48 . 2009-08-16 15:48 -------- d-----w- c:\users\jeff\AppData\Roaming\blinkx
2009-08-16 15:48 . 2009-08-16 15:50 -------- d-----w- c:\programdata\Yahoo! Companion
2009-08-15 22:06 . 2009-08-15 22:06 -------- d-----w- c:\programdata\Zylom
2009-08-12 17:52 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 17:52 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 17:52 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 17:52 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 17:52 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 17:52 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-12 17:51 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 17:30 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-12 17:29 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-12 17:29 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-12 17:29 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-12 17:29 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-12 17:29 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-12 17:29 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-12 17:29 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-12 17:28 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 12:39 . 2009-07-29 19:01 -------- d-----w- c:\users\jeff\AppData\Roaming\Vso
2009-09-01 12:22 . 2009-02-07 20:20 680 ----a-w- c:\users\jeff\AppData\Local\d3d9caps.dat
2009-08-31 17:47 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-08-31 17:47 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-08-31 17:47 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-08-31 17:47 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-08-31 17:47 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-08-31 17:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-31 17:34 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-30 23:43 . 2009-07-26 23:42 -------- d-----w- c:\program files\Common Files\Softwin
2009-08-30 23:42 . 2009-07-27 00:14 81984 ----a-w- c:\windows\system32\bdod.bin
2009-08-30 23:20 . 2009-02-06 20:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-30 23:20 . 2008-12-04 12:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 23:18 . 2009-02-06 20:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-30 18:25 . 2009-02-07 06:42 -------- d-----w- c:\program files\BitComet
2009-08-16 15:48 . 2009-07-13 22:51 -------- d-----w- c:\program files\Yahoo!
2009-08-07 03:02 . 2009-02-14 23:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 20:07 . 2009-07-29 20:07 -------- d-----w- c:\programdata\vsosdk
2009-07-29 19:01 . 2009-07-29 19:01 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-29 19:01 . 2009-07-29 19:01 47360 ----a-w- c:\users\jeff\AppData\Roaming\pcouffin.sys
2009-07-29 19:01 . 2009-07-29 19:01 47360 ----a-w- c:\users\jeff\AppData\Roaming\pcouffin.sys
2009-07-29 19:01 . 2009-07-29 19:01 -------- d-----w- c:\program files\VSO
2009-07-26 23:29 . 2009-05-22 20:45 -------- d-----w- c:\programdata\avg8
2009-07-25 19:57 . 2008-12-04 12:53 -------- d-----w- c:\programdata\McAfee
2009-07-25 19:52 . 2009-07-25 19:49 -------- d-----w- c:\users\jeff\AppData\Roaming\FairStars Audio Converter
2009-07-25 00:54 . 2009-06-15 18:32 -------- d-----w- c:\programdata\WildTangent
2009-07-23 17:42 . 2009-05-08 01:11 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-07-22 17:13 . 2009-04-19 23:29 -------- d-----w- c:\program files\Java
2009-07-21 21:52 . 2009-07-29 14:24 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 14:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 14:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 14:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 19:03 . 2009-05-08 01:12 -------- d-----w- c:\users\jeff\AppData\Roaming\AVS4YOU
2009-07-19 05:54 . 2009-07-13 22:51 -------- d-----w- c:\programdata\Yahoo!
2009-07-18 20:40 . 2009-07-18 20:40 -------- d-----w- c:\users\jeff\AppData\Roaming\PlayFirst
2009-07-18 20:40 . 2009-07-18 20:40 -------- d-----w- c:\programdata\PlayFirst
2009-07-13 22:53 . 2009-07-13 22:53 -------- d-----w- c:\users\jeff\AppData\Roaming\Yahoo!
2009-06-15 15:24 . 2009-07-14 22:06 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-14 22:06 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-14 22:06 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-14 22:06 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-09 11:06 . 2009-06-09 11:06 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb284F.tmp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-21 39408]
"Google Update"="c:\users\jeff\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-23 846344]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-07-03 6266880]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2008-06-25 1826816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{93986BAE-5214-46DC-B318-141D2814B512}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5F5E6067-EC42-4CF3-8A31-2D153A4B80E5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D64DAAC3-3615-46D7-9676-E10679B9500C}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{0DDE240D-FD2A-4050-AB17-AF76C247A3BE}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{5A6A4999-D213-474E-9218-2C40DB4A4009}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{259F1611-C159-42C3-AFAF-5539853B7035}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{5533EFBD-587E-4F6D-8CB1-9F6108E273C2}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{CFE4FE28-3EC5-4FA2-A6E5-C916CD1B584C}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"TCP Query User{92F4DB27-FAAD-4D01-8F0C-DC6230DBA032}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{7A777C56-3BC7-4B49-951D-6E4CF57C7F60}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{16A4EF65-BDDD-40E5-BFF7-5B261B66D543}"= UDP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"{291E93E7-C757-44F2-B177-AD6326BF859C}"= TCP:c:\program files\Internet Explorer\iexplore.exe:Internet Explorer
"TCP Query User{BA7DC9ED-9A54-4616-A0A7-3BCE496C1190}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{A42067FA-E048-4256-847A-6B2CEDE7EE96}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{26228A52-2DE7-4C11-A2EB-6EC4B136C285}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{9BAD013F-E724-406A-8D2E-3C175E486840}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger

R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 5:11 PM 16384]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [5/14/2009 3:49 PM 93312]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [12/17/2008 2:05 PM 24576]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/26/2008 1:36 AM 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/26/2008 1:36 AM 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3842084670-3972306024-4010053558-1000Core.job
- c:\users\jeff\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 00:44]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3842084670-3972306024-4010053558-1000UA.job
- c:\users\jeff\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 00:44]

2009-09-01 c:\windows\Tasks\User_Feed_Synchronization-{A57BF8E2-40D6-4518-A0F0-65DB2757A6AD}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vb32&d=1208&m=aspire_5515
TCP: {D00B9979-42B9-4910-94EB-250C116767D1} = 208.67.220.220,208.67.222.222
TCP: {D05A26F8-7E62-46CA-918F-0502981C0364} = 208.67.220.220,208.67.222.222
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 14:34
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\users\jeff\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\System32\dllhost.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-09-01 14:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 18:41

Pre-Run: 30,810,488,832 bytes free
Post-Run: 30,481,629,184 bytes free

222 --- E O F --- 2009-08-31 17:31