> [Resolved] !HELP ! I can't remove uacinit.dll, uacinit.dll
alertaboy
post Jun 18 2009, 05:28 PM
Post #1


New Member
*

Group: Authentic Member
Posts: 5
Joined: 18-June 09
Member No.: 86,315
Operating System: XP PRO



Hi
OK, my problem is that my laptop was infected by the System Security 2009 virus, but after 4 days trying to remove it, I finally "removed" it, but now I can get rid of uacinit.dll.
I have XP Pro SP2.
Note: my laptop can't connect to the internet because of the virus, so I am using another PC to download updates for the antivirus, Malwarebytes and SAS, saving them to a pen drive and transferring them to my laptop.
Thank you in advance.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:48:41, on 9/27/2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\e98e8931-229f-4719-8101-708b38108e24.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [91291516] C:\Documents and Settings\All Users\Application Data\91291516\91291516.exe
O4 - HKLM\..\Run: [11281524] C:\Documents and Settings\All Users\Application Data\11281524\11281524.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\e98e8931-229f-4719-8101-708b38108e24.exe
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4294 bytes


MBAM log:

Malwarebytes' Anti-Malware 1.37
Database version: 2283
Windows 5.1.2600 Service Pack 2

9/27/2003 5:55:33 AM
mbam-log-2003-09-27 (05-55-21).txt

Scan type: Quick Scan
Objects scanned: 75945
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
jpshortstuff
post Jun 19 2009, 02:05 AM
Post #2


Resigned Teacher / Malware Remover
Group Icon

Group: Malware Team
Posts: 5,726
Joined: 28-April 07
From: UK
Member No.: 69,799
Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux



Hi,

Looks like you may have a Rootkit on board.

Download ComboFix by sUBs from here or here

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

**Save it to your desktop**

We need to disable one or more of your security programs so that they do not interfere with ComboFix.

Please disable your security programs via their system tray icons. For more information see:
How To Disable Your Security Programs: http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html

Double click on ComboFix.exe & follow the prompts. If you are prompted to install the Recovery Console I recommend you go ahead and hit yes.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log

Notes:
  1. Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
  4. ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Right-click gmer.exe and select Run As Administrator. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
alertaboy
post Jun 19 2009, 10:32 AM
Post #3





OK, I just want to remind you that on my infected laptop I can't connect to the internet (the virus won't let me), so I am using another PC to download all the updates etc. I tried to install ComboFix, but when I got to the window asking to install the Recovery Console I could not do it because, as you know, I don't have an internet connection on this computer. But I ran the GMER scan and here is the log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-20 00:24:41
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 823D0500 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text aec.sys F8896386 33 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aec.sys F88963A8 12 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text aec.sys F88963B5 1 Byte [00]
.text aec.sys F88963B9 3 Bytes [00, 00, 00]
.text aec.sys F88963BD 21 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----


---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [822F1982] NDIS.sys[.reloc]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 212480/182912 bytes executable
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212480/182912 bytes executable

---- EOF - GMER 1.0.15 ----


hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:27:43, on 6/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [91291516] C:\Documents and Settings\All Users\Application Data\91291516\91291516.exe
O4 - HKLM\..\Run: [11281524] C:\Documents and Settings\All Users\Application Data\11281524\11281524.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\e98e8931-229f-4719-8101-708b38108e24.exe
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4350 bytes
jpshortstuff
post Jun 19 2009, 10:35 AM
Post #4





Hi,

Open HijackThis, hit "Do A System Scan Only". Check these two lines:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Close all other Windows and then hit "Fix Checked".

Restart your computer, and hopefully you will have Internet Access restored. Try running ComboFix again after that.
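The entries this thread acted on can be picked out of a HijackThis log mechanically: the `ProxyServer` value pointing at localhost (fixed in Post #4), the numeric `Run` values that ComboFix later lists under "ORPHANS REMOVED", and the services shown with "Unknown owner" and no image file, which are absent from the log taken after cleanup. The script below is an added example, not part of the original posts or of HijackThis; the rule names and heuristics are assumptions made for illustration, and the sample lines are copied from the logs posted above.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [91291516] C:\Documents and Settings\All Users\Application Data\91291516\91291516.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.+)$")
PROXY = re.compile(r",ProxyServer\s*=\s*(?P<value>.+)$")
RUN = re.compile(r"Run(?:Once)?:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")


@dataclass
class Finding:
    rule: str   # hypothetical rule name, defined only in this example
    code: str   # HijackThis section code (R1, O4, O23, ...)
    line: str   # the log line that matched


def proxy_hosts(value):
    """Hosts named in an IE ProxyServer value, e.g. 'http=localhost:7171',
    'proxy:8080' or 'http=a:80;https=b:443'."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        target = part.split("=", 1)[-1]             # drop the 'http=' protocol selector
        target = re.sub(r"^[a-z]+://", "", target, flags=re.I)
        if target.startswith("["):                   # bracketed IPv6 such as [::1]:8080
            host = target[1:].split("]", 1)[0]
        else:
            host = target.split(":", 1)[0]
        hosts.append(host.lower())
    return hosts


def is_loopback(host):
    return host in ("localhost", "::1") or host.startswith("127.")


def check_entry(code, body):
    """Return a rule name if the entry matches one of the three heuristics."""
    if code == "R1":
        m = PROXY.search(body)
        if m and any(is_loopback(h) for h in proxy_hosts(m.group("value"))):
            return "proxy-loopback"
    elif code == "O4":
        m = RUN.search(body)
        if m:
            name = m.group("name")
            cmd = m.group("cmd").strip().strip('"').lower()
            # Value name is all digits and the target is <name>\<name>.exe
            if name.isdigit() and cmd.endswith("\\%s\\%s.exe" % (name, name)):
                return "numeric-run-entry"
    elif code == "O23" and body.startswith("Service: "):
        # Display names may contain ' - ', so split from the right.
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            owner, image = parts[1], parts[2].strip()
            # No file name after the directory: the image path could not be resolved.
            if owner == "Unknown owner" and image.endswith("\\"):
                return "service-no-image"
    return None


def triage(log_text):
    """Scan a HijackThis log and return the entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        rule = check_entry(m.group("code"), m.group("body"))
        if rule:
            findings.append(Finding(rule, m.group("code"), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-18s %s" % (f.rule, f.line))
```

A match is a prompt for review, not a verdict: a loopback proxy can also belong to a legitimate local filter, so confirm what is listening on the port before fixing the entry.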
alertaboy
post Jun 19 2009, 11:41 AM
Post #5





Hi,
thank you for your fast reply!!!

combofix log;

ComboFix 09-06-18.02 - New User 06/20/2009 1:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.325 [GMT -5:00]
Running from: c:\documents and settings\New User\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\windows\system32\tmp.reg
c:\windows\system32\uacinit.dll

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 06:17 . 2003-09-24 12:04 117760 ----a-w- c:\documents and settings\New User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-20 06:14 . 2004-08-04 12:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-20 05:07 . 2007-08-24 10:02 6656 ----a-w- c:\windows\system32\drivers\ac97intc.sys
2009-06-15 21:56 . 2003-09-24 12:03 17280346 ----a-w- c:\program files\PROCESSLIST.DB
2009-06-15 21:56 . 2003-09-24 12:03 1182077 ----a-w- c:\program files\PROCESSLISTRELATED.DB
2009-05-26 18:20 . 2003-09-24 12:35 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 18:19 . 2003-09-24 12:35 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-30 15:33 . 2003-09-25 01:06 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-03-24 21:08 . 2003-09-25 01:06 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\e98e8931-229f-4719-8101-708b38108e24.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-03 267048]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"quicktime task"="c:\program files\QuickTime\qttask.exe" [2007-10-20 286720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G Notebook Card Client Utility.lnk - c:\program files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe [2007-11-24 1556480]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 0

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/24/2003 8:06 PM 108289]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 Belkin701F;Belkin Wireless G Notebook Card Service v7;c:\windows\system32\drivers\BLKWGNv7.sys [11/24/2007 12:52 AM 303616]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [8/10/2003 10:47 PM 167808]
.
Contents of the 'Scheduled Tasks' folder

2007-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-91291516 - c:\documents and settings\All Users\Application Data\91291516\91291516.exe
HKLM-Run-11281524 - c:\documents and settings\All Users\Application Data\11281524\11281524.exe


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 01:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-20 1:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 06:22

Pre-Run: 14,686,724,096 bytes free
Post-Run: 14,677,831,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

115 --- E O F --- 2003-08-12 04:32


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:23:54, on 6/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\e98e8931-229f-4719-8101-708b38108e24.exe
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4046 bytes


MBAM log:

Malwarebytes' Anti-Malware 1.38
Database version: 2308
Windows 5.1.2600 Service Pack 2

6/20/2009 1:38:23 AM
mbam-log-2009-06-20 (01-38-23).txt

Scan type: Quick Scan
Objects scanned: 77084
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\ac97intc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

jpshortstuff
post Jun 20 2009, 12:19 AM
Post #6


Resigned Teacher / Malware Remover

Group: Malware Team
Posts: 5,726
Joined: 28-April 07
From: UK
Member No.: 69,799
Operating System: Windows XP (Professional), Windows Vista (Home Business), Windows 7 (Ultimate), Ubuntu Linux



Hi,

How are things running?

Please run GMER again as before and post the log it gives. We need to make sure this Rootkit is gone.
alertaboy
post Jun 20 2009, 10:26 AM
Post #7





Hie irus
everything is running fine!!!
I think that fixed the problem!!!!
here is the new GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-21 12:16:33
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT F8D6D526 ZwCreateKey
SSDT F8D6D51C ZwCreateThread
SSDT F8D6D52B ZwDeleteKey
SSDT F8D6D535 ZwDeleteValueKey
SSDT F8D6D53A ZwLoadKey
SSDT F8D6D508 ZwOpenProcess
SSDT F8D6D50D ZwOpenThread
SSDT F8D6D544 ZwReplaceKey
SSDT F8D6D53F ZwRestoreKey
SSDT F8D6D530 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEF091DF0]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[904] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[904] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[904] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[904] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[904] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[904] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[904] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[904] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

MBAM log:


Malwarebytes' Anti-Malware 1.38
Database version: 2315
Windows 5.1.2600 Service Pack 3

6/21/2009 12:26:24 PM
mbam-log-2009-06-21 (12-26-24).txt

Scan type: Quick Scan
Objects scanned: 79774
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

jpshortstuff
post Jun 21 2009, 05:05 AM
Post #8





Hi,

Log looks good.

Click Start >> Run, and then type ComboFix /u and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.


I highly recommend that you upgrade to Windows XP - SP3 to secure your system. You can do this via Windows Update (link below).


Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • Make sure you update your Anti-Virus software regularly; new viruses are being developed all the time.

  • Some more programs that it would be useful to have [OPTIONAL but RECOMMENDED]:

    Download Spybot Search and Destroy 1.5 from here
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.

    SpywareBlaster is another real-time scanner that prevents most spyware from even being installed.
    Freely available: Download SpywareBlaster

    Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff
alertaboy
post Jun 21 2009, 07:43 AM
Post #9





Hi
ok thank you so much for your help!!!
you are the man. I will take your advice
jpshortstuff
post Jun 21 2009, 07:48 AM
Post #10





Glad we could help you
jpshortstuff
post Jun 21 2009, 07:48 AM
Post #11





Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
